Multiple vulnerabilities in extension phpMyAdmin (phpmyadmin)

2011-10-18T00:00:00
ID TYPO3-EXT-SA-2011-014
Type typo3
Reporter TYPO3 Association
Modified 2011-10-18T00:00:00

Description

It has been discovered that the extension phpMyAdmin (phpmyadmin) is vulnerable to Cross-Site Scripting and Full Path Disclosure.

Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.

Affected Versions: Version 4.11.5 and below

Vulnerability Type: Cross-Site Scripting, Full Path Disclosure

Severity: Low

Suggested CVSS v2.0: AV:N/AC:H/Au:S/C:P/I:P/A:N/E:F/RL:OF/RC:C (What's that?)

References: PMASA-2011-15, PMASA-2011-16

Release Date: 18.10.2011

Problem Description: When the js_frame parameter of phpmyadmin.css.php is defined as an array, an error message shows the full path of this file, leading to possible further attacks.
Crafted values entered in the setup interface can produce XSS; also, if the config directory exists and is writeable, the XSS payload can be saved to this directory.

Solution: An updated version 4.11.6 is available from the TYPO3 extension manager and attypo3.org/extensions/repository/view/phpmyadmin/4.11.6/. Users of the extension are advised to update the extension.

Note: The TYPO3 Security Team requests TYPO3 administrators to consider our advice from TYPO3-SA-2009-015 to either use extension phpMyAdmin only on development servers or to use the phpMyAdmin standalone application on production servers.

Credits: The vendor of the phpMyAdmin upstream software credits Mihail Ursu (for the Full Path Disclosure issue) and Jakub Gałczyk (for the Cross-Site Scripting issue). Thanks to Andreas Beutel for providing a TYPO3 extension package with an updated phpMyAdmin version.

General advice: Follow the recommendations that are given in the TYPO3 Security Cookbook. Please subscribe to thetypo3-announce mailing list to receive future Security Bulletins via E-mail.