MDVSA-2011:198

Package name
phpmyadmin
Date
2011-12-31
Advisory ID
MDVSA-2011:198
Affected versions
MES5 i586 , MES5 x86_64

Problem description

Multiple vulnerabilities has been found and corrected in phpmyadmin:

Importing a specially-crafted XML file which contains an XML entity
injection permits to retrieve a local file (limited by the privileges
of the user running the web server) (CVE-2011-4107).

Using crafted database names, it was possible to produce XSS in the
Database Synchronize and Database rename panels. Using an invalid
and crafted SQL query, it was possible to produce XSS when editing
a query on a table overview panel or when using the view creation
dialog. Using a crafted column type, it was possible to produce XSS
in the table search and create index dialogs (CVE-2011-4634).

Crafted values entered in the setup interface can produce XSS; also,
if the config directory exists and is writeable, the XSS payload can
be saved to this directory (CVE-2011-4782).

Using crafted url parameters, it was possible to produce XSS
on the export panels in the server, database and table sections
(CVE-2011-4780).

This upgrade provides the latest phpmyadmin version (3.4.9) to address
these vulnerabilities.

Updated packages

MES5 i586

 9f762851a2940d8f6d36ffe5c6dbed08  mes5/i586/phpmyadmin-3.4.9-0.1mdvmes5.2.noarch.rpm 
 9a8c951a50e6967a9c4fd00ecb4206d7  mes5/SRPMS/phpmyadmin-3.4.9-0.1mdvmes5.2.src.rpm

MES5 x86_64

 f66bf408a3bb3fc6e4c5687bfa80c20d  mes5/x86_64/phpmyadmin-3.4.9-0.1mdvmes5.2.noarch.rpm 
 9a8c951a50e6967a9c4fd00ecb4206d7  mes5/SRPMS/phpmyadmin-3.4.9-0.1mdvmes5.2.src.rpm

References