[v3.0] phpmyadmin: xss vulnerabilities (CVE-2014-8326)
XSS vulnerabilities have been found and fixed in the SQL debug output and in the server monitor page. With a crafted database or table name (the name is reflected into the generated HTML without adequate escaping) it is possible to trigger an XSS in the SQL debug output when that output is enabled, and in the server monitor page when viewing and analysing executed queries.
This vulnerability can be triggered only by someone who is logged in to phpMyAdmin, as the usual token protection prevents non-logged-in users from accessing the required pages. Moreover, debugging SQL is a developer option which is disabled by default and expected to be disabled in production environments.
Affected Versions: 4.0.x (prior to 4.0.10.5), 4.1.x (prior to 4.1.14.6) and 4.2.x (prior to 4.2.10.1) are affected.
Solution: upgrade to phpMyAdmin 4.0.10.5 or newer, 4.1.14.6 or newer, or 4.2.10.1 or newer, or apply the patch available from the advisory linked below.
http://www.phpmyadmin.net/home_page/security/PMASA-2014-12.php
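The affected ranges above are per release branch, so a plain "version below 4.2.10.1" check would wrongly flag every 4.1.x install as fixed. The following is an added example, not code from the advisory or from phpMyAdmin, that classifies an installed version string against exactly the three fixed releases the advisory names. Branches the advisory does not mention (e.g. 4.3.x) are reported as "not listed" rather than guessed at; a pre-release suffix (such as "-rc1") on a version whose numeric part equals the fix release is treated as still affected, since the pre-release precedes the final build.

```python
"""Classify a phpMyAdmin version against PMASA-2014-12 (CVE-2014-8326).

Added example; the only advisory data used are the three fixed releases
stated in the text: 4.0.10.5, 4.1.14.6 and 4.2.10.1.
"""
import re

# Fixed release per affected branch, keyed by (major, minor).
FIXED_BY_BRANCH = {
    (4, 0): (4, 0, 10, 5),
    (4, 1): (4, 1, 14, 6),
    (4, 2): (4, 2, 10, 1),
}

_VERSION_RE = re.compile(r"^\s*(\d+(?:\.\d+)*)(.*?)\s*$")


def parse_version(text):
    """Return (numeric_tuple, is_prerelease) for strings like '4.2.10.1' or '4.2.0-rc1'.

    Any non-empty trailing suffix ('-rc1', 'beta2', ...) is treated as a pre-release
    marker; the numeric part is compared as a tuple of ints.
    """
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"not a version string: {text!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    return nums, bool(m.group(2))


def fixed_release(version):
    """Return the first fixed release for this version's branch, or None if the
    advisory does not list the branch."""
    nums, _ = parse_version(version)
    fixed = FIXED_BY_BRANCH.get(nums[:2])
    return None if fixed is None else ".".join(str(n) for n in fixed)


def classify(version):
    """Return 'affected', 'fixed' or 'not listed' for the given version string."""
    nums, prerelease = parse_version(version)
    fixed = FIXED_BY_BRANCH.get(nums[:2])
    if fixed is None:
        return "not listed"
    # Tuple comparison handles short forms: (4, 2, 10) < (4, 2, 10, 1).
    if nums < fixed:
        return "affected"
    # An rc/beta of the fix release itself still predates the fixed build.
    if nums == fixed and prerelease:
        return "affected"
    return "fixed"


if __name__ == "__main__":
    # Constructed sample inputs, including the Alpine package version from the changeset.
    for v in ["4.0.10.4", "4.0.10.5", "4.1.14.6", "4.2.10", "4.2.10.1-rc1", "4.2.13.1", "4.3.0"]:
        print(f"{v:14} {classify(v):10} (fix: {fixed_release(v)})")
```

Feed it the version reported by an installed copy (for example the value shown in phpMyAdmin's "Version information" box) or the distribution package version; anything reported as "affected" needs the branch upgrade named by `fixed_release`.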
(from redmine: issue id 3483, created on 2014-10-28, closed on 2014-12-08)
- Relations:
- parent #3479 (closed)
- Changesets:
- Revision 40a853c0 by Natanael Copa on 2014-12-05T15:57:39Z:
main/phpmyadmin: security upgrade to 4.2.13.1
fixes #3483
fixes #3533
CVE-2014-8326
CVE-2014-8958
CVE-2014-8959
CVE-2014-8960
CVE-2014-8961