====================================================================
                          CERT-Renater

                Information Note No. 2012/VULN338
____________________________________________________________________

DATE                 : 17/08/2012

HARDWARE PLATFORM(S) : /

OPERATING SYSTEM(S)  : Systems running phpMyAdmin version 3.4.x, 3.5.x
                       prior to 3.4.11.1, 3.5.2.2.

======================================================================
http://www.phpmyadmin.net/home_page/security/PMASA-2012-4.php
______________________________________________________________________

PMASA-2012-4

Announcement-ID: PMASA-2012-4

Date: 2012-08-16

Summary

Multiple XSS in Table operations, Database structure, Trigger and
Visualize GIS data pages.

Description

Using a crafted table name, it was possible to produce an XSS:

1) On the Database Structure page, creating a new table with a
   crafted name
2) On the Database Structure page, using the Empty and Drop links of
   the crafted table name
3) On the Table Operations page of a crafted table, using the 'Empty
   the table (TRUNCATE)' and 'Delete the table (DROP)' links
4) On the Triggers page of a database containing tables with a crafted
   name, when opening the 'Add Trigger' popup
5) When creating a trigger for a table with a crafted name, with an
   invalid definition.

Having crafted data in a database table, it was possible to produce
an XSS:

6) When visualizing GIS data, having a crafted label name.

Severity

We consider these vulnerabilities to be non critical.

Mitigation factor

These XSS can only be triggered when a table with a crafted name is
already present, or if crafted data is already stored in a database
table.

Affected Versions

Versions 3.4.x are affected, for issues #1 and #2.
Versions 3.5.x are affected, for all issues.

Solution

Upgrade to phpMyAdmin 3.4.11.1 or 3.5.2.2 or newer or apply the
patches listed below.

References

Thanks to Emanuel Bronshtein for reporting issues #2, #3 and #4.

Assigned CVE ids: CVE-2012-4345

CWE ids: CWE-661 CWE-79

Patches

The following commits have been made to fix this issue:

  50d1a4884306ae6705f0bb665ba71da24089b6fe
  ee306681d0d5ac09b6fc62a7d573020af083e856
  dca22c5046aa16899042592b40a0af7b5c4f1fc7
  1aec25f5f2163029da51da39a1d13dcb20fb00ea
  d56335691cf1c1d8be3453904a885038da0a8c93

The following commits have been made on the 3.4 branch to fix this
issue:

  d84b98d34012cc5986fe84f1871b0396990391ef
  e094f34bed5ef3fd9a4a3cd08e01ff59a260c730

More information

For further information and in case of questions, please contact the
phpMyAdmin team. Our website is phpmyadmin.net.

======================================================================

=========================================================
CERT-Renater reference server
https://services.renater.fr/ssi/
=========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44            +
+ 23 - 25 Rue Daviel  | fax : 01-53-94-20-41            +
+ 75013 Paris         | email: certsvp@renater.fr       +
=========================================================
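
Added example (not phpMyAdmin's code or patches, and not part of the CERT-Renater note): a JavaScript sketch of the defence for the table-name issues above, encoding an untrusted table name for each output context, with a helper that flags already-present names containing HTML metacharacters. The function names, the /hypothetical/drop URL and the sample table names are constructed for illustration.

```javascript
// Added illustration; not phpMyAdmin code. All names here are hypothetical.

// Characters that can change meaning in HTML text and in quoted
// attribute values, with their entity encodings.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};

// Single-pass replace, so already-produced entities are not re-encoded.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Unsafe pattern: the table name is concatenated into markup as-is,
// so markup inside the name becomes part of the page.
function dropLinkUnsafe(table) {
  return '<a href="/hypothetical/drop?table=' + table + '">Drop ' + table + '</a>';
}

// Hardened pattern: URL-encode the name for the query string, then
// HTML-encode both the attribute value and the visible link text.
function dropLinkSafe(table) {
  const href = '/hypothetical/drop?table=' + encodeURIComponent(table);
  return '<a href="' + escapeHtml(href) + '">Drop ' + escapeHtml(table) + '</a>';
}

// Audit helper for the "already present" condition in the mitigation
// factor: return existing names that contain HTML metacharacters.
function findSuspectTableNames(names) {
  return names.filter((name) => /[&<>"']/.test(name));
}

// Constructed sample data: two ordinary names, two that need encoding.
const SAMPLE_TABLES = ['orders', 'user_log', 't<i>x</i>', 'a"b'];

console.log(dropLinkSafe(SAMPLE_TABLES[2]));
console.log(findSuspectTableNames(SAMPLE_TABLES));
```

Encoding at output time is what keeps a stored name inert; the audit helper only helps locate names worth reviewing on a server that has not yet been upgraded.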