Announcement-ID: PMASA-2008-6

Date: 2008-07-28


Summary

Cross-site Framing; XSS in setup.php


Description

We received two advisories from Aung Khant (YGN Ethical Hacker Group), and we wish to thank him for his work. phpMyAdmin's frames could be displayed inside another page, opening phishing or fooling possibilities; now, a parameter AllowThirdPartyFraming must be set to true to allow this behavior. Also, XSS was possible for someone who could overwrite the file in config/ during the time this file is present in that directory.
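The framing issue above is the classic clickjacking/UI-redress risk: a page that can be embedded in a third-party frame can be used to trick a logged-in user. The following Python check is an added example, not phpMyAdmin project code and not the 2008 fix itself (which gated behaviour on the AllowThirdPartyFraming setting); it classifies the framing policy expressed by a response's X-Frame-Options and Content-Security-Policy frame-ancestors headers, so an operator can confirm that their deployment does not permit third-party framing. The header sets in SAMPLES are constructed, not captured from a real server.

```python
"""Classify a response's anti-framing policy from its HTTP headers.

Added example (not phpMyAdmin code). Evaluates the two header-based
anti-framing controls: Content-Security-Policy frame-ancestors and
X-Frame-Options. The sample header sets below are constructed.
"""
from typing import Mapping, Optional, List


def _csp_frame_ancestors(csp: str) -> Optional[List[str]]:
    """Return the frame-ancestors source list (quotes stripped, lower-cased),
    or None if the directive is absent from the policy."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.strip("'").lower() for p in parts[1:]]
    return None


def framing_policy(headers: Mapping[str, str]) -> str:
    """Classify the framing policy expressed by response headers.

    Returns one of:
      "denied"     - no origin may frame the page
      "sameorigin" - only the page's own origin may frame it
      "restricted" - framing limited to explicitly listed origins
      "open"       - no anti-framing header at all (third-party framing allowed)

    Header names are matched case-insensitively. When both headers are
    present, frame-ancestors takes precedence, as browsers give it priority.
    """
    lower = {k.lower(): v for k, v in headers.items()}

    csp = lower.get("content-security-policy", "")
    ancestors = _csp_frame_ancestors(csp) if csp else None
    if ancestors is not None:
        # An empty source list is equivalent to 'none' in CSP.
        if not ancestors or ancestors == ["none"]:
            return "denied"
        if ancestors == ["self"]:
            return "sameorigin"
        return "restricted"

    xfo = lower.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return "denied"
    if xfo == "SAMEORIGIN":
        return "sameorigin"
    if xfo.startswith("ALLOW-FROM"):  # legacy, honoured by few browsers
        return "restricted"
    return "open"


def third_party_framing_allowed(headers: Mapping[str, str]) -> bool:
    """True when nothing in the headers stops another site framing the page."""
    return framing_policy(headers) == "open"


# Constructed sample responses (not captured traffic).
SAMPLES = {
    "no protection": {"Content-Type": "text/html"},
    "xfo deny": {"X-Frame-Options": "DENY"},
    "csp self": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'"},
    "csp overrides xfo": {
        "X-Frame-Options": "DENY",
        "Content-Security-Policy": "frame-ancestors https://admin.example.test",
    },
}

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        flag = "THIRD-PARTY FRAMING ALLOWED" if third_party_framing_allowed(hdrs) else "ok"
        print(f"{name:18s} -> {framing_policy(hdrs):10s} {flag}")
```

Run it against the headers returned by your own phpMyAdmin instance (for example from a curl -I capture) and treat an "open" result as a finding unless AllowThirdPartyFraming was deliberately enabled.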


Severity

We consider these vulnerabilities to be serious. See YGN's advisories for some mitigating factors.

Affected Versions

Versions before 2.11.8.


Solution

Upgrade to phpMyAdmin 2.11.8 or newer.


References

These advisories are available from the reporter:

Assigned CVE ids: CVE-2008-3457

CWE ids: CWE-661 CWE-79


Patches

The following commits have been made to fix this issue:

The following commits have been made on the 2.11 branch to fix this issue:

More information

For further information and in case of questions, please contact the phpMyAdmin team. Our website is