=====================================================================
                                    CERT-Renater

                         Information Note No. 2008/VULN263
_____________________________________________________________________

DATE                      : 01/07/2008

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Systems running the phpMyAdmin extension for
                            TYPO3.

======================================================================
http://typo3.org/teams/security/security-bulletins/typo3-20080701-2/
______________________________________________________________________

TYPO3 Security Bulletin TYPO3-20080701-2: Cross Site Scripting 
vulnerability in extension phpMyAdmin (phpmyadmin)

Component Type: Third party extension. This extension is not a part of
the TYPO3 default installation.

Affected Versions: Version 3.0.1 and all versions below

Vulnerability Type: Cross Site Scripting

Severity: Medium

Problem Description: Because it fails to filter user input, the
extension is susceptible to Cross Site Scripting (XSS), making it
possible to execute arbitrary JavaScript.

Solution: An updated version 3.2.0 is available from the TYPO3 extension
manager and at 
http://typo3.org/extensions/repository/view/phpmyadmin/3.2.0/. Users of
the extension are advised to update the extension as soon as possible.

General advice: Follow the recommendations that are given in the TYPO3
Security Cookbook. Please subscribe to the typo3-announce mailing list
to receive future Security Bulletins via E-mail.

Credits: The issue in phpMyAdmin was originally found by Tim Starling.
Furthermore, the TYPO3 Security Team wishes to thank the extension
maintainer Andreas Kundoch for fixing the issue by upgrading phpMyAdmin
to the latest stable version.

© 2005-2008 TYPO3 Association All rights reserved


======================================================================

           =========================================================
           CERT-Renater reference servers
           http://www.urec.fr/securite
           http://www.cru.fr/securite
           http://www.renater.fr
           =========================================================
           + CERT-RENATER          | tel : 01-53-94-20-44          +
           + 151 bd de l'Hopital   | fax : 01-53-94-20-41          +
           + 75013 Paris           | email: certsvp@renater.fr     +
           =========================================================




