PMASA-2012-7
Announcement-ID: PMASA-2012-7
Date: 2012-10-12
Summary
Fetching the version information from a non-SSL site is vulnerable to a MITM attack.
Description
To display information about the current phpMyAdmin version on the main page, a piece of JavaScript is fetched from the phpmyadmin.net website in non-SSL mode. A man-in-the-middle attacker could modify this script in transit, and the modified script would then run in the browser of the user viewing the main page.
Severity
We consider this vulnerability to be non-critical.
Affected Versions
Versions 3.5.x before 3.5.3 are affected.
Solution
Upgrade to phpMyAdmin 3.5.3 or newer, or apply the patches listed below. The fix involves fetching a JSON file rather than a JavaScript file, so the version information is treated as data instead of being executed as code.
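The following is an added illustration of the defensive pattern the Description and Solution sections describe, written for this page and not taken from phpMyAdmin's own code base: the version information is treated as JSON data that is validated against an expected shape, never evaluated as script, and is only accepted over HTTPS from the expected host. The URL, the field names (version, date), the function names and the sample response bodies are all assumptions or constructed values, not details from the advisory.

```javascript
// Added example, not phpMyAdmin's own code: a version check that treats the
// remote response as data (JSON) instead of executable script, and that only
// accepts it from an HTTPS origin. Names, URL and field layout are assumptions.

// Assumed location of the version file; the real path is not part of the advisory.
const VERSION_INFO_URL = "https://www.phpmyadmin.net/version.json"; // hypothetical

// Only accept version information over TLS from the expected host, so a
// network attacker cannot substitute the response in transit.
function isAcceptableSource(url) {
  let parsed;
  try {
    parsed = new URL(url);
  } catch (e) {
    return false;
  }
  const hostOk =
    parsed.hostname === "www.phpmyadmin.net" || parsed.hostname === "phpmyadmin.net";
  return parsed.protocol === "https:" && hostOk;
}

// Strict shape check: the response must be a JSON object with a plain
// version string and an ISO date. Anything else (including a script body
// that merely contains JSON-looking text) is rejected rather than executed.
const VERSION_RE = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.]+)?$/;
const DATE_RE = /^\d{4}-\d{2}-\d{2}$/;

function parseVersionInfo(body) {
  let data;
  try {
    data = JSON.parse(body);
  } catch (e) {
    throw new Error("version info is not valid JSON");
  }
  if (data === null || typeof data !== "object" || Array.isArray(data)) {
    throw new Error("version info is not a JSON object");
  }
  if (typeof data.version !== "string" || !VERSION_RE.test(data.version)) {
    throw new Error("version field is missing or malformed");
  }
  if (typeof data.date !== "string" || !DATE_RE.test(data.date)) {
    throw new Error("date field is missing or malformed");
  }
  // Return only the validated fields; never echo unknown keys into the page.
  return { version: data.version, date: data.date };
}

// Numeric comparison of dotted versions: -1 if a < b, 0 if equal, 1 if a > b.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Full check. `body` is the response text, passed in so the example runs offline.
// Returns a plain result object; the response is never evaluated as code.
function checkForUpdate(sourceUrl, body, installedVersion) {
  if (!isAcceptableSource(sourceUrl)) {
    return { ok: false, reason: "refusing version info from non-HTTPS or unexpected source" };
  }
  let info;
  try {
    info = parseVersionInfo(body);
  } catch (e) {
    return { ok: false, reason: e.message };
  }
  return {
    ok: true,
    latest: info.version,
    released: info.date,
    updateAvailable: compareVersions(installedVersion, info.version) < 0,
  };
}

// Constructed sample responses (not real server output).
const GOOD_BODY = '{"version":"3.5.3","date":"2012-10-12"}';
const TAMPERED_BODY = 'alert("tampered"); //{"version":"3.5.3"}';

if (typeof require !== "undefined" && require.main === module) {
  console.log(checkForUpdate(VERSION_INFO_URL, GOOD_BODY, "3.5.2"));
  console.log(checkForUpdate(VERSION_INFO_URL, TAMPERED_BODY, "3.5.2"));
  console.log(checkForUpdate("http://www.phpmyadmin.net/version.json", GOOD_BODY, "3.5.2"));
}
```

The two checks together are what removes the original risk: a response that is parsed with JSON.parse cannot execute, and a response that is only accepted over HTTPS cannot be silently altered on the wire. Validating the parsed fields against a tight pattern also keeps a malformed or unexpected value from being inserted into the page unchanged.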
References
Thanks to Mike Cardwell for reporting this issue and suggesting workarounds.
Assigned CVE IDs: CVE-2012-5368
Patches
The following commits have been made to fix this issue:
More information
For further information and in case of questions, please contact the phpMyAdmin security team at security@phpmyadmin.net.