Nom du paquet
phpmyadmin
Date
2011-10-21
Advisory ID
MDVSA-2011:158
Affected versions
MES5 i586 , MES5 x86_64

Problem description

Multiple vulnerabilities has been found and corrected in phpmyadmin:

Missing sanitization on the table, column and index names leads to
XSS vulnerabilities (CVE-2011-3181).

Firstly, if a row contains javascript code, after inline editing this
row and saving, the code is executed. Secondly, missing sanitization
on the db, table and column names leads to XSS vulnerabilities.

When the js_frame parameter of phpmyadmin.css.php is defined as an
array, an error message shows the full path of this file, leading to
possible further attacks (CVE-2011-3646).

Crafted values entered in the setup interface can produce XSS; also,
if the config directory exists and is writeable, the XSS payload can
be saved to this directory (CVE-2011-4064).

This upgrade provides the latest phpmyadmin version (3.4.6) to address
these vulnerabilities.

Updated packages

MES5 i586

 e74e03213d30000adf2b8b5e7bb6c182  mes5/i586/phpmyadmin-3.4.6-0.1mdvmes5.2.noarch.rpm 
 7b2b17c82823d5b9aed51f9ddd09eb8c  mes5/SRPMS/phpmyadmin-3.4.6-0.1mdvmes5.2.src.rpm

MES5 x86_64

 86e0a6932a41f0a91d641238aeb88149  mes5/x86_64/phpmyadmin-3.4.6-0.1mdvmes5.2.noarch.rpm 
 7b2b17c82823d5b9aed51f9ddd09eb8c  mes5/SRPMS/phpmyadmin-3.4.6-0.1mdvmes5.2.src.rpm

References