PMASA-2011-16
Announcement-ID: PMASA-2011-16
Date: 2011-10-17
Summary
XSS in setup.
Description
Crafted values entered in the setup interface can produce XSS. In addition, if the config directory exists and is writable, the XSS payload can be saved to that directory.
Severity
We consider this vulnerability to be non-critical.
Mitigation factor
The documentation warns against leaving this directory writable, and a warning is also shown on the home page. Moreover, this XSS would affect only users who visit /setup.
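The mitigation above hinges on the config directory not being writable. The following POSIX shell check is an added example for administrators and is not part of this advisory or of phpMyAdmin itself; the default path under /usr/share/phpmyadmin is an assumption and should be replaced with the config directory of your installation. Because `[ -w ]` always succeeds for root, the check should be run as the web server account (the one that would write the file), for example via `su -s /bin/sh www-data -c '...'`.

```shell
#!/bin/sh
# Added example (not part of the phpMyAdmin advisory): report whether the
# phpMyAdmin setup config directory is still writable, the condition under
# which the advisory says an XSS payload can be saved to disk.
#
# check_config_dir [DIR]
#   DIR defaults to an assumed path; pass the real config directory of your
#   installation. Run this as the web server user, not as root, because
#   the -w test is always true for root.
# Exit status: 0 = safe (directory absent or not writable by this user),
#              1 = directory exists and is writable by this user.
check_config_dir() {
    dir="${1:-/usr/share/phpmyadmin/config}"   # assumed default path

    if [ ! -d "$dir" ]; then
        echo "OK: $dir does not exist, so setup cannot save anything there"
        return 0
    fi

    if [ -w "$dir" ]; then
        echo "WARNING: $dir is writable by $(id -un); remove it or make it read-only once setup is done"
        ls -ld "$dir"
        return 1
    fi

    echo "OK: $dir exists but is not writable by $(id -un)"
    return 0
}

# Usage: check_config_dir /path/to/phpmyadmin/config
```

A non-zero exit status makes the function easy to wire into a post-install or configuration-management check so that a config directory left behind after running /setup is flagged rather than silently kept.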
Affected Versions
Versions 3.4.x are affected.
Solution
Upgrade to phpMyAdmin 3.4.6 or newer or apply the related patch listed below.
References
Thanks to Jakub Gałczyk (http://hauntit.blogspot.com) for reporting this issue.
Assigned CVE IDs: CVE-2011-4064
Patches
The following commits have been made to fix this issue:
More information
For further information and in case of questions, please contact the phpMyAdmin security team at security@phpmyadmin.net.