phpMyAdmin: Cross-site scripting vulnerability — GLSA 200504-08

phpMyAdmin is vulnerable to a cross-site scripting attack.

Affected packages

Package: dev-db/phpmyadmin on all architectures
Affected versions: < 2.6.2_rc1
Unaffected versions: >= 2.6.2_rc1

Background

phpMyAdmin is a tool written in PHP for administering MySQL databases from a web browser.

Description

Oriol Torrent Santiago has discovered that phpMyAdmin fails to validate input to the "convcharset" variable, rendering it vulnerable to cross-site scripting attacks.

Impact

By sending a specially crafted request, an attacker can inject and execute malicious script code, potentially compromising the victim's browser.
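
One way to look for such crafted requests in web server access logs, as an added example that is not part of the advisory or of phpMyAdmin: it flags any convcharset query value that does not look like a charset name. The combined log format, the /phpmyadmin/index.php path, the allowed-character pattern and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumption: legitimate charset names use only these characters
# (for example "iso-8859-1" or "utf-8") and are at most 40 characters long.
CHARSET_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._:+-]{0,39}$")
# Request line inside a combined-format access log entry (assumed log format).
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[0-9.]+"')


def suspicious_convcharset(log_line):
    """Return decoded convcharset values in one log line that are not charset-shaped."""
    m = REQUEST.search(log_line)
    if not m:
        return []
    query = urlsplit(m.group(1)).query
    # parse_qsl percent-decodes each value, so encoded markup is compared in clear form.
    return [v for k, v in parse_qsl(query)
            if k == "convcharset" and not CHARSET_NAME.match(v)]


def scan(lines):
    """Yield (line_number, client_ip, value) for every suspicious convcharset value."""
    for n, line in enumerate(lines, 1):
        for value in suspicious_convcharset(line):
            yield n, line.split(" ", 1)[0], value


# Constructed sample log lines (documentation IP ranges, hypothetical install path).
SAMPLE_LOG = [
    '192.0.2.10 - - [11/Apr/2005:10:00:01 +0000] '
    '"GET /phpmyadmin/index.php?lang=en&convcharset=iso-8859-1 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [11/Apr/2005:10:00:09 +0000] '
    '"GET /phpmyadmin/index.php?convcharset=%22%3E%3Cb%3Etest%3C%2Fb%3E HTTP/1.1" 200 5231',
    '192.0.2.10 - - [11/Apr/2005:10:00:15 +0000] '
    '"GET /phpmyadmin/index.php?convcharset=utf-8 HTTP/1.1" 200 4890',
]

if __name__ == "__main__":
    for n, ip, value in scan(SAMPLE_LOG):
        print(f"line {n}: {ip} sent convcharset={value!r}")
```

Access logs record only the query string, so a convcharset value sent in a POST body is not covered by this check.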

Workaround

There is no known workaround at this time.

Resolution

All phpMyAdmin users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=dev-db/phpmyadmin-2.6.2_rc1"

References

Release date
April 11, 2005

Latest revision
May 22, 2006: 02

Severity
low

Exploitable
remote

Bugzilla entries