=====================================================================
                                   CERT-Renater

                        Note d'Information No. 2008/VULN498
_____________________________________________________________________

DATE                      : 10/11/2008

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Systems running the phpMyAdmin extension for TYPO3.

======================================================================
http://typo3.org/teams/security/security-bulletins/typo3-20081110-1/
______________________________________________________________________

TYPO3 Security Bulletin TYPO3-20081110-1: Cross-Site Scripting
vulnerability in extension phpMyAdmin (phpmyadmin)

Component Type: Third party extension. This extension is not a part
of the TYPO3 default installation.

Affected Versions: Version 4.1.0 and all versions below

Vulnerability Type: Cross-Site Scripting vulnerability

Severity: Medium

References: PMASA-2008-9

Problem Description: Because user input is not filtered, the extension is
susceptible to Cross-Site Scripting, which makes it possible to execute
arbitrary JavaScript in the browser of a user who opens a crafted link.
The vendor considers this vulnerability to be serious.

Solution: An updated version 4.1.1 is available from the TYPO3 extension
manager and at http://typo3.org/extensions/repository/view/phpmyadmin/4.1.1/.
Users of the extension are advised to update the extension as soon as possible.

Note: The third-party TYPO3 extension phpmyadmin embeds the third-party standalone
application phpMyAdmin and makes it available from the TYPO3 backend. Numerous
vulnerabilities in the standalone PHP application phpMyAdmin were reported in the
recent past and led to security updates of the TYPO3 extension phpmyadmin (for
further details, see bulletins TYPO3-20080924-1, TYPO3-20080916-1 and
TYPO3-20080701-2). Although the current maintainer of the TYPO3 extension
phpmyadmin actively monitors the security announcements of the upstream version
and immediately provides us with security updates, the TYPO3 Security Team
recommends using the TYPO3 extension phpmyadmin in development environments only.
If the functionality of phpMyAdmin is needed on a live site, an alternative is to
use the standalone phpMyAdmin application instead and to make sure that its
script files are not publicly accessible (subnet/IP access restriction, access
via VPN only, etc.). Note that an upgrade of the extension only covers the
vulnerabilities fixed upstream at the time of release; each new phpMyAdmin
advisory (PMASA) will require a further extension update.
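As an added illustration of the access restriction recommended above (this is
editorial example configuration, not part of the TYPO3 bulletin or of the
phpMyAdmin project), the following Apache 2.4 virtual host fragment shows the
weak setting beside the corrected one. The install path /var/www/phpmyadmin, the
URL prefix /dbadmin, the password file and the two address ranges (an office
subnet and a VPN pool) are assumptions; substitute your own. The bulletin dates
from the Apache 2.2 era, where the equivalent directives were Order/Allow/Deny;
the syntax below is for 2.4.

```apache
# Added example (not from the TYPO3 bulletin): lock a standalone phpMyAdmin
# install on a live site down to an admin subnet and a VPN address pool.
# All paths and IP ranges below are assumptions for illustration.

# Weak: phpMyAdmin is reachable from every client on the Internet, so any
# upstream phpMyAdmin bug (XSS, CSRF, code execution) is exposed to everyone.
#Alias /phpmyadmin "/var/www/phpmyadmin"
#<Directory "/var/www/phpmyadmin">
#    Require all granted
#</Directory>

# Corrected: a non-obvious URL prefix, a network whitelist AND a separate
# HTTP authentication layer in front of phpMyAdmin's own login form.
Alias /dbadmin "/var/www/phpmyadmin"
<Directory "/var/www/phpmyadmin">
    AllowOverride None
    Options -Indexes

    AuthType Basic
    AuthName "Database administration"
    AuthUserFile "/etc/apache2/dbadmin.htpasswd"   # created with htpasswd(1)

    # Both conditions must hold: a valid Basic-auth user coming from one of
    # the listed ranges. Anything else receives 401/403 before PHP runs.
    <RequireAll>
        Require valid-user
        <RequireAny>
            Require ip 192.0.2.0/24    # office subnet (assumed)
            Require ip 10.8.0.0/24     # VPN client pool (assumed)
        </RequireAny>
    </RequireAll>
</Directory>

# phpMyAdmin's setup script must never be reachable on a production host.
<Directory "/var/www/phpmyadmin/setup">
    Require all denied
</Directory>
```

Two caveats a practitioner will want: first, `Require ip` checks the TCP peer
address, so behind a reverse proxy or load balancer every request appears to
come from the proxy and the whitelist is meaningless unless mod_remoteip is
configured (or the filtering is done on the proxy itself); second, Basic
authentication sends credentials with every request and must only be used on
an HTTPS virtual host.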

General advice: Follow the recommendations given in the TYPO3 Security
Cookbook. Please subscribe to the typo3-announce mailing list to receive future
Security Bulletins by e-mail.

Credits: The TYPO3 Security Team wishes to thank the extension maintainer
Andreas Kundoch for fixing the issue by upgrading phpMyAdmin to the latest
stable version.


======================================================================

          =========================================================
          CERT-Renater reference servers
          http://www.urec.fr/securite
          http://www.cru.fr/securite
          http://www.renater.fr
          =========================================================
          + CERT-RENATER          | tel : 01-53-94-20-44          +
          + 151 bd de l'Hopital   | fax : 01-53-94-20-41          +
          + 75013 Paris           | email: certsvp@renater.fr     +
          =========================================================
