PMASA-2011-3

Announcement-ID: PMASA-2011-3

Date: 2011-05-22

Summary

XSS vulnerability on Tracking page.

Description

A table name containing HTML or script markup was rendered unescaped on the Tracking page, so an attacker who could create a table with a crafted name could inject script into the page (XSS).

Severity

We consider this vulnerability to be serious.

Mitigation factor

This vulnerability applies to a shared phpMyAdmin installation: the attacker must already be able to create a table with the crafted name on a server the victim also administers through phpMyAdmin, and must then convince the victim to open the Tracking page for that table.
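The following is an added illustration of the bug class described in the Description and Mitigation factor sections; it is not phpMyAdmin's own code and the function names, markup and sample table name are assumptions made for the example. It contrasts output that concatenates a table identifier straight into HTML with output that escapes it at the rendering boundary.

```php
<?php
// Added example, not phpMyAdmin's own code. Models the bug class in this
// advisory: a table identifier placed into HTML without escaping.
// All function names and markup here are hypothetical.

// Constructed sample: a table name an attacker could create with
//   CREATE TABLE `t<script>alert(1)</script>` (id INT);
// MySQL accepts such identifiers when they are backtick-quoted.
const CRAFTED_TABLE_NAME = 't<script>alert(1)</script>';

// Vulnerable pattern: the identifier is concatenated into markup as-is,
// so a browser executes the embedded script (CWE-79).
function render_tracking_heading_vulnerable(string $table): string
{
    return '<h2>Tracking for table ' . $table . '</h2>';
}

// Hardened pattern: HTML-escape the identifier where it is written out.
// ENT_QUOTES also escapes single quotes, so the same helper is safe
// inside attribute values, not only in element content.
function html_escape(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

function render_tracking_heading_safe(string $table): string
{
    return '<h2>Tracking for table ' . html_escape($table) . '</h2>';
}

// Attribute context, e.g. a hidden form field carrying the table name back
// to the server: the same escaping rule applies.
function render_table_hidden_field_safe(string $table): string
{
    return '<input type="hidden" name="table" value="' . html_escape($table) . '">';
}

// Crude regression check: the crafted identifier must never appear in the
// rendered HTML with its angle brackets intact.
function leaks_raw_markup(string $html, string $table): bool
{
    return strpos($table, '<') !== false && strpos($html, $table) !== false;
}

// Demonstration of the two behaviours on the constructed sample.
$vulnerable = render_tracking_heading_vulnerable(CRAFTED_TABLE_NAME);
$safe       = render_tracking_heading_safe(CRAFTED_TABLE_NAME);
$field      = render_table_hidden_field_safe(CRAFTED_TABLE_NAME);

assert(leaks_raw_markup($vulnerable, CRAFTED_TABLE_NAME) === true);
assert(leaks_raw_markup($safe, CRAFTED_TABLE_NAME) === false);
assert(leaks_raw_markup($field, CRAFTED_TABLE_NAME) === false);

echo $vulnerable, PHP_EOL;
echo $safe, PHP_EOL;
echo $field, PHP_EOL;
```

The point to take from the contrast is that the identifier is attacker-controlled data even though it comes from the database rather than from a request parameter: any string the server reads back from MySQL and writes into a page needs the same output escaping as user input, and the escaping belongs at the point of output, not at table-creation time, since the database legitimately accepts such names.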

Affected Versions

All 3.3.x releases and 3.4.0 are affected.

Unaffected Versions

Releases older than 3.3.0 are not affected.

Solution

Upgrade to phpMyAdmin 3.3.10.1 or 3.4.1 or apply the related patch listed below.

References

This issue was found by a person who wishes to be known as "dave b".

Assigned CVE ids: CVE-2011-1940

CWE ids: CWE-661 CWE-79

Patches

The following commits have been made to fix this issue:

The following commits have been made on the 3.3.10 branch to fix this issue:

More information

For further information and in case of questions, please contact the phpMyAdmin team. Our website is phpmyadmin.net.