phpMyAdmin

• PMASA-2010-3
• PMASA-2010-2
• PMASA-2010-1
• PMASA-2009-6
• PMASA-2009-5
• PMASA-2009-4
• PMASA-2009-3
• PMASA-2009-2
• PMASA-2009-1
• PMASA-2008-10
• PMASA-2008-9
• PMASA-2008-8
• PMASA-2008-7
• PMASA-2008-6
• PMASA-2008-5
• PMASA-2008-4
• PMASA-2008-3
• PMASA-2008-2
• PMASA-2008-1
• PMASA-2007-8
• PMASA-2007-7
• PMASA-2007-6
• PMASA-2007-5
• PMASA-2007-4
• PMASA-2007-3
• PMASA-2007-2
• PMASA-2007-1
• PMASA-2006-9
• PMASA-2006-8
• PMASA-2006-7
• PMASA-2006-6
• PMASA-2006-5
• PMASA-2006-4
• PMASA-2006-3
• PMASA-2006-2
• PMASA-2006-1
• PMASA-2005-9
• PMASA-2005-8
• PMASA-2005-7
• PMASA-2005-6
• PMASA-2005-5
• PMASA-2005-4
• PMASA-2005-3
• PMASA-2005-2
• PMASA-2005-1
• PMASA-2004-4
• PMASA-2004-3
• PMASA-2004-2
• PMASA-2004-1
• PMASA-2003-1

PMASA-2007-6

Announcement-ID: PMASA-2007-6

Date: 2007-10-17

Updated: 2007-10-24 (CVE reference)

Summary

XSS vulnerabilities

Description

We received an advisory from Omer Singer, The DigiTrust Group, and we wish to thank him for his work. It was possible to trigger this attack on server_status.php.

Our team fixed also other possible XSS vulnerabilities regarding PHP_SELF, PATH_INFO, REQUEST_URI.

Severity

We consider these vulnerabilities to be serious.

Affected Versions

Probably all versions before 2.11.1.2.

Solution

Upgrade to phpMyAdmin 2.11.1.2 or newer.

References

http://www.digitrustgroup.com/advisories/TDG-advisory071015a.html

Assigned CVE ids: CVE-2007-5589

Patches

Patches are referenced here: http://phpmyadmin.svn.sourceforge.net/viewvc/phpmyadmin?view=rev&revision=10796

For further information and in case of questions, please contact the phpMyAdmin team. Our website is http://www.phpmyadmin.net.