In association with heise online

25 August 2011, 15:16

phpMyAdmin updates close XSS hole

  • Twitter
  • Facebook
  • submit to slashdot
  • StumbleUpon
  • submit to reddit

phpMyAdmin Logo The phpMyAdmin developers have announced the release of versions 3.4.4 and 3.3.10.4 of their open source database administration tool. According to the security advisory, these maintenance and security updates close a hole (CVE-2011-3181) in the Tracking feature that leads to multiple cross-site scripting (XSS) vulnerabilities.

The exploit was discovered by Norman Hippert and is caused due to improper sanitisation when input is passed to the table, column and index names. For an attack to be successful, an attacker must be logged in via phpMyAdmin. Versions 3.3.0 to 3.4.3.2 are affected and the developers consider the problem to be serious. Updating to phpMyAdmin 3.3.10.4 or 3.4.4 fixes the problem. Alternatively, users can apply the provided patches.

Further information about the updates can be found in the 3.4.4 and 3.3.10.4 release announcements and in the project's security advisories. Versions 3.4.4 and 3.3.10.4 of phpMyAdmin are available to download from the project's site. Hosted on SourceForge, phpMyAdmin is licensed under the GPLv2.

See also:

(crve)

Print Version | Send by email | Permalink: http://h-online.com/-1331093
 


  • July's Community Calendar





The H Open

The H Security

The H Developer

The H Internet Toolkit