Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 3.4.x before 3.4.8 allow remote attackers to inject arbitrary web script or HTML via (1) a crafted database name, related to the Database Synchronize panel; (2) a crafted database name, related to the Database rename panel; (3) a crafted SQL query, related to the table overview panel; (4) a crafted SQL query, related to the view creation dialog; (5) a crafted column type, related to the table search dialog; or (6) a crafted column type, related to the create index dialog.

- update to 3.4.8

  - bug #3425230 [interface] enum data split at space char     (more space to edit)

  - bug #3426840 [interface] ENUM/SET editor can't handle     commas in values

  - bug #3427256 [interface] no links to browse/empty views     and tables

  - bug #3430377 [interface] Deleted search results remain     visible

  - bug #3428627 [import] ODS import ignores memory limits

  - bug #3426836 [interface] Visual column separation

  - bug #3428065 [parser] TRUE not recognized by parser

  + patch #3433770 [config] Make location of php-gettext     configurable

  - patch #3430291 [import] Handle conflicts in some     open_basedir situations

  - bug #3431427 [display] Dropdown results - setting NULL     does not work

  - patch #3428764 [edit] Inline edit on multi-server     configuration

  - patch #3437354 [core] Notice: Array to string conversion     in PHP 5.4

  - [interface] When ShowTooltipAliasTB is true, VIEW is     wrongly shown as the view name in main panel db     Structure page

  - bug #3439292 [core] Fail to synchronize column with name     of keyword

  - bug #3425156 [interface] Add column after drop

  - [interface] Avoid showing the password in phpinfo()'s     output

  - bug #3441572 [GUI] 'newer version of phpMyAdmin' message     not shown in IE8

  - bug #3407235 [interface] Entering the key through a     lookup window does not reset NULL

  - [security] Self-XSS on database names (Synchronize), see     PMASA-2011-18

  - [security] Self-XSS on database names     (Operations/rename), see PMASA-2011-18

  - [security] Self-XSS on column type (Create index), see     PMASA-2011-18

  - [security] Self-XSS on column type (table Search), see     PMASA-2011-18

  - [security] Self-XSS on invalid query (table overview),     see PMASA-2011-18

The remote host is affected by the vulnerability described in GLSA-201201-01 (phpMyAdmin: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in phpMyAdmin. Please       review the CVE identifiers and phpMyAdmin Security Advisories referenced       below for details.
  Impact :

    Remote attackers might be able to insert and execute PHP code, include       and execute local PHP files, or perform Cross-Site Scripting (XSS)       attacks via various vectors.
  Workaround :

    There is no known workaround at this time.

The version of phpMyAdmin hosted on the remote server is 3.4.x prior to 3.4.8 and is affected by a cross-site scripting vulnerability.  The database name is not properly sanitized in the file 'js/db_operations.js' when attempting to rename a database.

Note that this version is reportedly affected by several other cross- site scripting vulnerabilities.  However, Nessus has not tested for these vulnerabilities.

Changes for 3.4.8.0 (2011-12-01) :

  - [interface] enum data split at space char (more space to     edit)

    - [interface] ENUM/SET editor can't handle commas in       values

    - [interface] no links to browse/empty views and tables

    - [interface] Deleted search results remain visible

    - [import] ODS import ignores memory limits

    - [interface] Visual column separation

    - [parser] TRUE not recognized by parser

    - [config] Make location of php-gettext configurable

    - [import] Handle conflicts in some open_basedir       situations

    - [display] Dropdown results - setting NULL does not       work

    - [edit] Inline edit on multi-server configuration

    - [core] Notice: Array to string conversion in PHP 5.4

    - [interface] When ShowTooltipAliasTB is true, VIEW is       wrongly shown as the view name in main panel db       Structure page

    - [core] Fail to synchronize column with name of keyword

    - [interface] Add column after drop

    - [interface] Avoid showing the password in phpinfo()'s       output

    - [GUI] 'newer version of phpMyAdmin' message not shown       in IE8

    - [interface] Entering the key through a lookup window       does not reset NULL

    - [security] Self-XSS on database names (synchronize,       operations/rename), see PMASA-2011-18       (http://www.phpmyadmin.net/home_page/security/PMASA-20       11-18.php)

    - [security] Self-XSS on column type (create index,       table Search), see PMASA-2011-18       (http://www.phpmyadmin.net/home_page/security/PMASA-20       11-18.php)

    - [security] Self-XSS on invalid query (table overview),       see PMASA-2011-18       (http://www.phpmyadmin.net/home_page/security/PMASA-20       11-18.php)

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The phpMyAdmin development team reports :

Using crafted database names, it was possible to produce XSS in the Database Synchronize and Database rename panels. Using an invalid and crafted SQL query, it was possible to produce XSS when editing a query on a table overview panel or when using the view creation dialog.
Using a crafted column type, it was possible to produce XSS in the table search and create index dialogs.

ID	Name	Product	Family	Severity
74539	openSUSE Security Update : phpMyAdmin (openSUSE-2011-94)	Nessus	SuSE Local Security Checks	medium
57433	GLSA-201201-01 : phpMyAdmin: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	critical
57337	phpMyAdmin 3.4.x < 3.4.8 XSS (PMASA-2011-18)	Nessus	CGI abuses : XSS	medium
57327	Fedora 15 : phpMyAdmin-3.4.8-1.fc15 (2011-16786)	Nessus	Fedora Local Security Checks	medium
57326	Fedora 16 : phpMyAdmin-3.4.8-1.fc16 (2011-16768)	Nessus	Fedora Local Security Checks	medium
56988	FreeBSD : phpMyAdmin -- Multiple XSS (ed536336-1c57-11e1-86f4-e0cb4e266481)	Nessus	FreeBSD Local Security Checks	medium

Detections

Analytics

CVE-2011-4634

medium

Tenable Plugins

medium

critical

medium

medium

medium

medium