Announcement-ID: PMASA-2007-5
Date: 2007-10-15
XSS vulnerability
We received an advisory from Omer Singer, The DigiTrust Group, and we wish to thank him for his work.
It was possible to trigger this attack on setup.php.
We consider this vulnerability to be serious; however, we could only trigger it when using Internet Explorer with the 'send URLs as UTF8' setting disabled. The default value of this setting being 'enabled' reduces the impact of this problem.
Probably all versions before 2.11.1.1.
Upgrade to phpMyAdmin 2.11.1.1 or newer.
http://www.securityfocus.com/bid/26020/info
Assigned CVE ids: CVE-2007-5386
Patches are available in this tracker: https://sourceforge.net/tracker/index.php?func=detail&aid=1810629&group_id=23067&atid=377408
For further information and in case of questions, please contact the phpMyAdmin team. Our website is phpmyadmin.net.