XSS in setup.

2011-10-17T00:00:00
ID PHPMYADMIN:PMASA-2011-16
Type phpmyadmin
Reporter phpMyAdmin
Modified 2011-10-17T00:00:00

Description

PMASA-2011-16

Announcement-ID: PMASA-2011-16

Date: 2011-10-17

Summary

XSS in setup.

Description

Crafted values entered in the setup interface can produce XSS; also, if the config directory exists and is writeable, the XSS payload can be saved to this directory.

Severity

We consider this vulnerability to be non critical.

Mitigation factor

The documentation warns against leaving this directory writeable; also a warning appears on the home page. Also, this XSS would target only the users who visit /setup.

Affected Versions

Versions 3.4.x are affected.

Solution

Upgrade to phpMyAdmin 3.4.6 or newer or apply the related patch listed below.

References

Thanks to Jakub Gałczyk (<http://hauntit.blogspot.com>) for reporting this issue.

Assigned CVE ids: CVE-2011-4064

CWE ids: CWE-661 CWE-79

Patches

The following commits have been made to fix this issue:

More information

For further information and in case of questions, please contact the phpMyAdmin team. Our website is phpmyadmin.net.