blob: 924495b9a8d9189d1e61d1c98c16bebdb3232c80 [file] [log] [blame]
<?xml version="1.0" encoding="utf-8"?>
<glsa id="200411-36">
<title>phpMyAdmin: Multiple XSS vulnerabilities</title>
phpMyAdmin is vulnerable to cross-site scripting attacks.
<product type="ebuild">phpmyadmin</product>
<announced>November 27, 2004</announced>
<revised>November 27, 2004: 01</revised>
<package name="dev-db/phpmyadmin" auto="yes" arch="*">
<unaffected range="ge">2.6.0_p3</unaffected>
<vulnerable range="lt">2.6.0_p3</vulnerable>
phpMyAdmin is a tool written in PHP intended to handle the
administration of MySQL databases from a web-browser.
Cedric Cochin has discovered multiple cross-site scripting
vulnerabilities in phpMyAdmin. These vulnerabilities can be exploited
through the PmaAbsoluteUri parameter, the zero_rows parameter in
read_dump.php, the confirm form, or an error message generated by the
internal phpMyAdmin parser.
<impact type="low">
By sending a specially-crafted request, an attacker can inject and
execute malicious script code, potentially compromising the victim's
There is no known workaround at this time.
All phpMyAdmin users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose &quot;&gt;=dev-db/phpmyadmin-2.6.0_p3&quot;</code>
<uri link="">CAN-2004-1055</uri>
<uri link="">PMASA-2004-3</uri>
<uri link="">netVigilance Advisory</uri>
<metadata tag="requester" timestamp="Wed, 24 Nov 2004 09:03:21 +0000">
<metadata tag="bugReady" timestamp="Fri, 26 Nov 2004 10:27:24 +0000">
<metadata tag="submitter" timestamp="Fri, 26 Nov 2004 19:21:36 +0000">