===================================================================== CERT-Renater Note d'Information No. 2009/VULN420 _____________________________________________________________________ DATE : 20/10/2009 HARDWARE PLATFORM(S) : / OPERATING SYSTEM(S) : Systems running phpMyAdmin versions 2.11.x, 3.x. ====================================================================== http://www.phpmyadmin.net/home_page/security/PMASA-2009-6.php ______________________________________________________________________ PMASA-2009-6 Announcement-ID: PMASA-2009-6 Date: 2009-10-13 Summary XSS and SQL injection vulnerabilities Description Cross-site scripting (XSS) vulnerability allows remote attackers to inject arbitrary web script or HTML via a crafted MySQL table name. SQL injection vulnerability allows remote attackers to inject SQL via various interface parameters of the PDF schema generator feature. Severity We consider these vulnerabilities to be serious. Affected Versions For 2.11.x: versions before 2.11.9.6 are affected. For 3.x: versions before 3.2.2.1 are affected. Solution Upgrade to phpMyAdmin 3.2.2.1 or 2.11.9.6. References We wish to thank Quintin Russ for informing us in a responsible manner. Assigned CVE ids: CVE-2009-3696 and CVE-2009-3697 Patches Revision 13034 was applied to all affected branches. For further information and in case of questions, please contact the phpMyAdmin team. Our website is http://www.phpmyadmin.net. ====================================================================== ========================================================= Les serveurs de référence du CERT-Renater http://www.urec.fr/securite http://www.cru.fr/securite http://www.renater.fr ========================================================= + CERT-RENATER | tel : 01-53-94-20-44 + + 151 bd de l'Hopital | fax : 01-53-94-20-41 + + 75013 Paris | email: certsvp@renater.fr + =========================================================