Bringing MySQL administration to the web

Download 5.2.3
Demo Donate

PMASA-2007-5

Announcement-ID: PMASA-2007-5

Date: 2007-10-15

Summary

XSS vulnerability

Description

We received an advisory from Omer Singer, The DigiTrust Group, and we wish to thank him for his work.

It was possible to trigger this attack on setup.php.

Severity

We consider this vulnerability to be serious; however, we could only trigger it when using Internet Explorer with the 'send URLs as UTF8' setting disabled. The default value of this setting being 'enabled' reduces the impact of this problem.

Affected Versions

Probably all versions before 2.11.1.1.

Solution

Upgrade to phpMyAdmin 2.11.1.1 or newer.

References

http://www.securityfocus.com/bid/26020/info

Assigned CVE IDs: CVE-2007-5386

CWE IDs: CWE-661 CWE-79

Patches

The following commits have been made to fix this issue:

More information

For further information and in case of questions, please contact the phpMyAdmin security team at security@phpmyadmin.net.

Announcements