=====================================================================
                            CERT-Renater
                 Information Note No. 2006/VULN380
_____________________________________________________________________

DATE                 : 03/07/2006

HARDWARE PLATFORM(S) : /

OPERATING SYSTEM(S)  : Systems running phpMyAdmin versions prior to 2.8.2.

======================================================================

phpMyAdmin security announcement PMASA-2006-4

Announcement-ID: PMASA-2006-4
Date: 2006-06-30
Updated: 2006-07-01

Summary:
XSS vulnerability

Description:
It was possible to craft a request that contains XSS by attacking the
"table" parameter.

Severity:
We consider this vulnerability to be serious.

Affected versions:
Some versions previous to 2.8.2 suffer from this vulnerability.

Solution:
Upgrade to phpMyAdmin 2.8.2.

References:
We wish to thank bug@securitynews.ir for informing us in a responsible
manner. Their advisory is located at
http://securitynews.ir/advisories/phpmyadmin281.txt.

For further information and in case of questions, please contact the
phpMyAdmin team. Our website is http://www.phpmyadmin.net/.

======================================================================

=========================================================
CERT-Renater reference servers
http://www.urec.fr/securite
http://www.cru.fr/securite
http://www.renater.fr
=========================================================
+ CERT-RENATER        | tel  : 01-53-94-20-44           +
+ 151 bd de l'Hopital | fax  : 01-53-94-20-41           +
+ 75013 Paris         | email: certsvp@renater.fr       +
=========================================================