SB2011122206 - Cross-site scripting in phpMyAdmin

Description

This security bulletin contains information about 1 security vulnerability.

1) Cross-site scripting (CVE-ID: CVE-2011-4634)

Vulnerability allows a remote attacker to perform Cross-site scripting attacks.

An input validation error exists in phpMyAdmin 3.4.x before 3.4.8 when processing (1) a crafted database name, related to the Database Synchronize panel; (2) a crafted database name, related to the Database rename panel; (3) a crafted SQL query, related to the table overview panel; (4) a crafted SQL query, related to the view creation dialog; (5) a crafted column type, related to the table search dialog; or (6) a crafted column type, related to the create index dialog. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in victim's browser in security context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

Remediation

Cybersecurity Help is not aware of any official remediation provided by the vendor.

References

• http://lists.fedoraproject.org/pipermail/package-announce/2011-December/071040.html
• http://phpmyadmin.git.sourceforge.net/git/gitweb.cgi?p=phpmyadmin/phpmyadmin;a=commitdiff;h=077c10020e349e8c1beb46309098992fde616913
• http://phpmyadmin.git.sourceforge.net/git/gitweb.cgi?p=phpmyadmin/phpmyadmin;a=commitdiff;h=1490533d91e9d3820e78ca4eac7981886eaea2cb
• http://phpmyadmin.git.sourceforge.net/git/gitweb.cgi?p=phpmyadmin/phpmyadmin;a=commitdiff;h=b289fe082441dc739939b0ba15dae0d9dc6cee92
• http://phpmyadmin.git.sourceforge.net/git/gitweb.cgi?p=phpmyadmin/phpmyadmin;a=commitdiff;h=dac8d6ce256333ff45b5f46270304b8657452740
• http://www.mandriva.com/security/advisories?name=MDVSA-2011:198
• http://www.phpmyadmin.net/home_page/security/PMASA-2011-18.php