Announcement-ID: PMASA-2012-7
Date: 2012-10-12
Fetching the version information from a non-SSL site is vulnerable to a MITM attack.
To display information about the current phpMyAdmin version on the main page, a piece of JavaScript is fetched from the phpmyadmin.net website over plain HTTP (non-SSL). A man-in-the-middle could modify this script in transit, and the altered script would then run in the administrator's browser.
We consider this vulnerability to be non-critical.
Versions 3.5.x before 3.5.3 are affected.
Upgrade to phpMyAdmin 3.5.3 or newer, or apply the patches listed below. The fix fetches a JSON file, which is parsed as data, rather than a JavaScript file, which is executed.
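As an added illustration, not phpMyAdmin's own code, the client-side difference between the two approaches: a JavaScript body is executed as-is, while a JSON body is parsed and each field is validated before being shown as text. The field names (version, date) and the sample bodies are constructed assumptions, not the real phpmyadmin.net format.

```javascript
// Added example (not phpMyAdmin's code). The "version"/"date" field names
// and the sample bodies below are assumptions constructed for illustration.
const VERSION_RE = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.]+)?$/;
const DATE_RE = /^\d{4}-\d{2}-\d{2}$/;

// Vulnerable pattern (PMASA-2012-7): the version check was equivalent to
//   <script src="http://.../version.js"></script>
// so whatever bytes arrive over plain HTTP execute with the page's privileges.
// An on-path attacker who rewrites the body therefore controls the browser.

// Hardened pattern: the body is JSON. It is parsed, never executed, and each
// field must match a strict pattern before it is used. Even a JSON body
// fetched over plain HTTP can be altered in transit, so the values are
// treated as untrusted data rather than trusted markup or code.
function parseVersionInfo(body) {
  let data;
  try {
    data = JSON.parse(body);          // a JavaScript body fails here
  } catch (e) {
    throw new Error('version info is not valid JSON');
  }
  if (data === null || typeof data !== 'object' || Array.isArray(data)) {
    throw new Error('version info is not a JSON object');
  }
  const { version, date } = data;
  if (typeof version !== 'string' || !VERSION_RE.test(version)) {
    throw new Error('unexpected version string');   // rejects HTML/JS payloads
  }
  if (typeof date !== 'string' || !DATE_RE.test(date)) {
    throw new Error('unexpected release date');
  }
  return { version, date };
}

// Build the notice as plain text; in a page it belongs in textContent,
// never innerHTML, so the validated strings are displayed, not interpreted.
function renderVersionNotice(info) {
  return `Latest stable version: ${info.version} (released ${info.date})`;
}

// Constructed sample bodies: a well-formed JSON reply, and a JavaScript
// reply of the kind the old approach would simply have executed.
const GOOD_BODY = '{"version":"3.5.3","date":"2012-10-08"}';
const SCRIPT_BODY = 'showVersion("3.5.3"); /* any injected statement runs */';
const HTML_IN_FIELD_BODY = '{"version":"<img src=x onerror=f()>","date":"2012-10-08"}';
```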
Thanks to Mike Cardwell for reporting this issue and suggesting workarounds.
Assigned CVE ids: CVE-2012-5368
The following commits have been made to fix this issue:
For further information and in case of questions, please contact the phpMyAdmin team. Our website is phpmyadmin.net.