PMASA-2014-10

Announcement-ID: PMASA-2014-10

Date: 2014-09-13

Summary

XSRF/CSRF due to DOM based XSS in the micro history feature

Description

By deceiving a logged-in user to click on a crafted URL, it is possible to perform remote code execution and in some cases, create a root account due to a DOM based XSS vulnerability in the micro history feature.

Severity

We consider this vulnerability to be critical.

Affected Versions

Versions 4.0.x (prior to 4.0.10.3), 4.1.x (prior to 4.1.14.4) and 4.2.x (prior to 4.2.8.1) are affected.

Solution

Upgrade to phpMyAdmin 4.0.10.3 or newer, or 4.1.14.4 or newer, or 4.2.8.1 or newer, or apply the patches listed below.

References

Thanks to Olivier Beg (http://www.olivierbeg.nl) for reporting the vulnerability.

Assigned CVE ids: CVE-2014-6300

CWE ids: CWE-661 CWE-352

Patches

The following commits have been made to fix this issue:

The following commits have been made on the 4.0 branch to fix this issue:

The following commits have been made on the 4.1 branch to fix this issue:

More information

For further information and in case of questions, please contact the phpMyAdmin team. Our website is phpmyadmin.net.

Announcements