=====================================================================
CERT-Renater Information Note No. 2008/VULN579
_____________________________________________________________________
DATE                 : 10/12/2008
HARDWARE PLATFORM(S) : /
OPERATING SYSTEM(S)  : Systems running phpMyAdmin versions 2.11.x, 3.x.
======================================================================

http://www.phpmyadmin.net/home_page/security/PMASA-2008-10.php
______________________________________________________________________

PMASA-2008-10

Announcement-ID: PMASA-2008-10
Date: 2008-12-09

Summary
SQL injection through XSRF on several pages

Description
A logged-in user can be subjected to SQL injection through cross-site request forgery. Several scripts in phpMyAdmin are vulnerable, and the attack can be made through the table parameter.

Severity
We consider this vulnerability to be serious.

Affected Versions
For 2.11.x: versions before 2.11.9.4.
For 3.x: versions before 3.1.1.0.

Solution
Upgrade to phpMyAdmin 2.11.9.4 or 3.1.1.0, or apply the patch listed below.

References
Advisory: http://www.milw0rm.com/exploits/7382

Patches
Revision 12100 was applied on all branches.

For further information and in case of questions, please contact the phpMyAdmin team. Our website is http://www.phpmyadmin.net.
======================================================================

=========================================================
CERT-Renater reference servers
http://www.urec.fr/securite
http://www.cru.fr/securite
http://www.renater.fr
=========================================================
+ CERT-RENATER           | tel  : 01-53-94-20-44    +
+ 151 bd de l'Hopital    | fax  : 01-53-94-20-41    +
+ 75013 Paris            | email: certsvp@renater.fr +
=========================================================
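The two defects the Description combines (a state-changing page that accepts a forged cross-site request, and a table parameter interpolated straight into SQL) are illustrated below with a vulnerable handler beside a hardened one. This is an added example written for this note, not phpMyAdmin's own code or the revision 12100 patch; the function names, the `$_SESSION['token']` slot and the `mysqli` connection are assumptions.

```php
<?php
// Added illustration, not phpMyAdmin's code. vulnerable_drop_index,
// hardened_drop_index, quote_identifier, verify_csrf_token and the
// $_SESSION['token'] slot are names assumed for this example.

// Vulnerable pattern: a state-changing action that trusts the request's
// `table` parameter and runs on any authenticated session. A forged
// cross-site request therefore carries the attacker's SQL fragment and the
// victim's session cookie at the same time, which is the XSRF-to-SQLi path
// the advisory describes.
function vulnerable_drop_index(mysqli $db): void
{
    $table = $_REQUEST['table'];                        // attacker-controlled, GET or POST
    $db->query("ALTER TABLE $table DROP INDEX `idx`");  // raw string inside the statement
}

// Hardened pattern:
// 1. Refuse any state-changing request that does not carry the per-session
//    token. A page on another origin cannot read the victim's token, so the
//    forged request is rejected before any SQL is built.
// 2. Treat `table` as an identifier, not as SQL: backtick-quote it and double
//    every embedded backtick so the value cannot terminate the identifier.
function quote_identifier(string $name): string
{
    return '`' . str_replace('`', '``', $name) . '`';
}

function verify_csrf_token(?string $supplied, ?string $expected): bool
{
    return is_string($supplied) && is_string($expected)
        && $expected !== '' && hash_equals($expected, $supplied);
}

function hardened_drop_index(mysqli $db): void
{
    // Only POST bodies are read: a bare link or image tag cannot carry one.
    if (!verify_csrf_token($_POST['token'] ?? null, $_SESSION['token'] ?? null)) {
        http_response_code(403);
        exit('Missing or invalid request token');
    }
    $table = quote_identifier((string) ($_POST['table'] ?? ''));
    $db->query("ALTER TABLE $table DROP INDEX `idx`");
}
```

The token must be unpredictable, generated per session, stored server-side, and emitted in every form that reaches a state-changing script; checking it on every such script, not only on the ones first reported, is what closes the "several pages" variant of the issue.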