=====================================================================
                                    CERT-Renater

                         Information Note No. 2008/VULN248
_____________________________________________________________________

DATE                      : 25/06/2008

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Systems running phpMyAdmin.

======================================================================
http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2008-4
______________________________________________________________________

phpMyAdmin security announcement PMASA-2008-4

Announcement-ID: PMASA-2008-4
Date: 2008-06-23


Summary:
XSS on plausibly insecure PHP installation


Description:
We received an advisory from Tim Starling (Wikimedia), and we wish to
thank him for his work. Some scripts in the /libraries directory were
vulnerable to XSS.


Severity:
We consider this vulnerability to be serious.


Mitigation factor:
We were able to reproduce this only on systems where both of these
conditions are true: the PHP register_globals setting is "on" and the
web server does not apply the settings contained in the .htaccess file
that we placed in /libraries.
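
As an added example (not the phpMyAdmin project's own .htaccess and not code from this advisory), an Apache httpd.conf fragment that removes both preconditions named above from the server configuration, so it holds even when .htaccess files are not honored; the install path and the use of mod_php (Apache 2.2 syntax) are assumptions.

```apache
# Added example, not phpMyAdmin's shipped .htaccess. Assumed install path:
# /var/www/phpmyadmin, served by Apache 2.2 with mod_php.

# Weak: AllowOverride None means the .htaccess that phpMyAdmin places in
# /libraries is silently ignored, and register_globals stays whatever
# php.ini says (possibly "on"). Both conditions of the advisory can hold.
<Directory "/var/www/phpmyadmin">
    AllowOverride None
</Directory>

# Corrected: keep AllowOverride None, but state the protections in the
# server config itself. php_admin_flag cannot be overridden by .htaccess
# or ini_set(), and the Deny block refuses direct HTTP requests to the
# include-only scripts in /libraries (PHP include() from the main scripts
# is unaffected, since it reads the files from disk, not over HTTP).
<Directory "/var/www/phpmyadmin">
    AllowOverride None
    php_admin_flag register_globals Off
</Directory>
<Directory "/var/www/phpmyadmin/libraries">
    Order Deny,Allow
    Deny from all
</Directory>
```

After a reload, a direct request to any script under /libraries should return 403 and phpinfo() should report register_globals as Off for both local and master values.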


Affected versions:
Versions before 2.11.7.

Solution:
Upgrade to phpMyAdmin 2.11.7 or newer.


References:
Revision 11326

In case of questions, please contact the phpMyAdmin team. Our website is
http://www.phpmyadmin.net/.


======================================================================

           =========================================================
           CERT-Renater reference servers
           http://www.urec.fr/securite
           http://www.cru.fr/securite
           http://www.renater.fr
           =========================================================
           + CERT-RENATER          | tel : 01-53-94-20-44          +
           + 151 bd de l'Hopital   | fax : 01-53-94-20-41          +
           + 75013 Paris           | email: certsvp@renater.fr     +
           =========================================================
