Bringing MySQL to the web

PMASA-2009-6

Announcement-ID: PMASA-2009-6

Date: 2009-10-13

Summary

XSS and SQL injection vulnerabilities

Description

Cross-site scripting (XSS) vulnerability allows remote attackers to inject arbitrary web script or HTML via a crafted MySQL table name.
SQL injection vulnerability allows remote attackers to inject SQL via various interface parameters of the PDF schema generator feature.

Severity

We consider these vulnerabilities to be serious.

Affected Versions

For 2.11.x: versions before 2.11.9.6 are affected.<br /> For 3.x: versions before 3.2.2.1 are affected.

Solution

Upgrade to phpMyAdmin 3.2.2.1 or 2.11.9.6.

References

We wish to thank Quintin Russ for informing us in a responsible manner.

Assigned CVE ids: CVE-2009-3696 CVE-2009-3697

CWE ids: CWE-661 CWE-79 CWE-89

Patches

The following commits have been made to fix this issue:

The following commits have been made on the 2.11 branch to fix this issue:

More information

For further information and in case of questions, please contact the phpMyAdmin team. Our website is phpmyadmin.net.