PMASA-2008-6

Announcement-ID: PMASA-2008-6

Date: 2008-07-28

Summary

Cross-site Framing; XSS in setup.php

Description

We received two advisories from Aung Khant (YGN Ethical Hacker Group), and we wish to thank him for his work. It was permitted to display phpMyAdmin's frames inside another page, opening phishing or fooling possibilities; now, a parameter AllowThirdPartyFraming must be set to true in config.inc.php to allow this behavior. Also, XSS was possible for someone who could overwrite config/config.inc.php during the time this file is present in this directory.

Severity

We consider these vulnerabilities to be serious. See YGN's advisories for some mitigation factors.

Affected Versions

Versions before 2.11.8.

Solution

Upgrade to phpMyAdmin 2.11.8 or newer.

References

These advisories are available from the reporter:
http://yehg.net/lab/pr0js/advisories/Cross-Site_Framing_inphpMyAdmin2.11.7.pdf http://yehg.net/lab/pr0js/advisories/XSS_inPhpMyAdmin2.11.7.pdf

Assigned CVE ids: CVE-2008-3457

CWE ids: CWE-661 CWE-79

Patches

The following commits have been made to fix this issue:

The following commits have been made on the 2.11 branch to fix this issue:

More information

For further information and in case of questions, please contact the phpMyAdmin team. Our website is phpmyadmin.net.

Announcements