Announcement-ID: PMASA-2011-14
Date: 2011-09-14
Multiple XSS.
Firstly, if a row contains javascript code, after inline editing this row and saving, the code is executed. Secondly, missing sanitization on the db, table and column names leads to XSS vulnerabilities.
We consider these vulnerabilities to be serious.
An attacker must be logged in via phpMyAdmin to exploit this problem.
Versions 3.4.0 to 3.4.4 were found vulnerable.
Upgrade to phpMyAdmin 3.4.5 or apply the related patches listed below.
The first issue was found by Brad Bernard (iunfollow.com). The second issue was found by Nils Juenemann (https://twitter.com/#!/totally_unknown.)
The following commits have been made to fix this issue:
For further information and in case of questions, please contact the phpMyAdmin team. Our website is phpmyadmin.net.