Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 4.0.x before 4.0.10.2, 4.1.x before 4.1.14.3, and 4.2.x before 4.2.7.1 allow remote authenticated users to inject arbitrary web script or HTML via the (1) browse table page, related to js/sql.js; (2) ENUM editor page, related to js/functions.js; (3) monitor page, related to js/server_status_monitor.js; (4) query charts page, related to js/tbl_chart.js; or (5) table relations page, related to libraries/tbl_relation.lib.php.

Versions of phpMyAdmin earlier than 4.0.10.2, 4.1.14.3, or 4.2.7.1 are unpatched for cross-site scripting vulnerabilities on the following pages:

  - The view operations page
  - browse table
  - ENUM editor
  - monitor
  - query charts and table relations pages

Note that these vulnerabilities may only be leveraged by a user who is logged in.

Updated phpmyadmin package fixes security vulnerabilities :

In phpMyAdmin before 4.1.14.3, multiple XSS vulnerabilities exist in browse table, ENUM editor, monitor, query charts and table relations pages (CVE-2014-5273).

In phpMyAdmin before 4.1.14.3, with a crafted view name it is possible to trigger an XSS when dropping the view in view operation page (CVE-2014-5274).

This phpMyAdmin update addresses several security and non security issues :

  - This is a phpMyAdmin version upgrade (bnc#892401): (From     4.1.14.3) :

  - sf#4501 [security] XSS in table browse page     (CVE-2014-5273)

  - sf#4502 [security] Self-XSS in enum value editor     (CVE-2014-5273)

  - sf#4503 [security] Self-XSSes in monitor (CVE-2014-5273)

  - sf#4505 [security] XSS in view operations page     (CVE-2014-5274)

  - sf#4504 [security] Self-XSS in query     charts&#9;(CVE-2014-5273)

  - sf#4517 [security] XSS in relation view (CVE-2014-5273)     (From 4.1.14.2) :

  - sf#4488 [security] XSS injection due to unescaped table     name (triggers)(CVE-2014-4955)

  - sf#4492 [security] XSS in AJAX confirmation messages     (CVE-2014-4986)

  - sf#4491 [security] Missing validation for accessing User     groups feature (CVE-2014-4987) (From 4.1.14.1) :

  - sf#4464 [security] XSS injection due to unescaped     db/table name in navigation hiding (CVE-2014-4349) (From     4.1.14.0 through 4.1.9.0) :

  - Numerous non-security bugfixes are listed at     https://github.com/phpmyadmin/phpmyadmin/blob/MAINT_4_1_     14/ChangeLog

phpMyAdmin 4.2.7.1 (2014-08-17) ===============================

  - [security] XSS in table browse page

    - [security] Self-XSS in enum value editor

    - [security] Self-XSSes in monitor

    - [security] Self-XSS in query charts

    - [security] XSS in view operations page

    - [security] XSS in relation view

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to its self-reported version number, the phpMyAdmin application hosted on the remote web server is 4.0.x prior to 4.0.10.2, 4.1.x prior to 4.1.14.3, or 4.2.x prior to 4.2.7.1. It is, therefore, affected by the following vulnerabilities :

  - Multiple cross-site scripting vulnerabilities exist in     the browser table, ENUM editor, monitor, query charts,     and table relations pages. (CVE-2014-5273)

  - A flaw exists in the view operation page that allows a     cross-site scripting attack. Note that this does not     affect the 4.0.x releases. (CVE-2014-5274)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The phpMyAdmin development team reports :

Multiple XSS vulnerabilities in browse table, ENUM editor, monitor, query charts and table relations pages.

With a crafted database, table or a primary/unique key column name it is possible to trigger an XSS when dropping a row from the table. With a crafted column name it is possible to trigger an XSS in the ENUM editor dialog. With a crafted variable name or a crafted value for unit field it is possible to trigger a self-XSS when adding a new chart in the monitor page. With a crafted value for x-axis label it is possible to trigger a self-XSS in the query chart page. With a crafted relation name it is possible to trigger an XSS in table relations page.

XSS in view operations page.

With a crafted view name it is possible to trigger an XSS when dropping the view in view operation page.

ID	Name	Product	Family	Severity
8408	phpMyAdmin 4.0.x < 4.0.10.2 / 4.1.x < 4.1.14.3 / 4.2.x < 4.2.7.1 Multiple XSS (PMASA-2014-8, PMASA-2014-9)	Nessus Network Monitor	CGI	medium
77643	Mandriva Linux Security Advisory : phpmyadmin (MDVSA-2014:164)	Nessus	Mandriva Local Security Checks	low
77432	openSUSE Security Update : phpMyAdmin (openSUSE-SU-2014:1069-1)	Nessus	SuSE Local Security Checks	medium
77424	Fedora 19 : phpMyAdmin-4.2.7.1-1.fc19 (2014-9534)	Nessus	Fedora Local Security Checks	low
77362	Fedora 20 : phpMyAdmin-4.2.7.1-1.fc20 (2014-9555)	Nessus	Fedora Local Security Checks	low
77305	phpMyAdmin 4.0.x < 4.0.10.2 / 4.1.x < 4.1.14.3 / 4.2.x < 4.2.7.1 Multiple XSS Vulnerabilities (PMASA-2014-8 - PMASA-2014-9)	Nessus	CGI abuses : XSS	low
77235	FreeBSD : phpMyAdmin -- XSS vulnerabilities (fbb01289-2645-11e4-bc44-6805ca0b3d42)	Nessus	FreeBSD Local Security Checks	low

Detections

Analytics

CVE-2014-5273

medium

Tenable Plugins

medium

low

medium

low

low

low

low