Cross-site scripting (XSS) vulnerability in phpMyAdmin 2.11.x before 2.11.9.6 and 3.x before 3.2.2.1 allows remote attackers to inject arbitrary web script or HTML via a crafted name for a MySQL table.

Several remote vulnerabilities have been discovered in phpMyAdmin, a tool to administer MySQL over the web. The Common Vulnerabilities and Exposures project identifies the following problems :

  - CVE-2009-3696     Cross-site scripting (XSS) vulnerability allows remote     attackers to inject arbitrary web script or HTML via a     crafted MySQL table name.

  - CVE-2009-3697     SQL injection vulnerability in the PDF schema generator     functionality allows remote attackers to execute     arbitrary SQL commands. This issue does not apply to the     version in Debian 4.0 Etch.

Additionally, extra fortification has been added for the web-based setup.php script. Although the shipped web server configuration should ensure that this script is protected, in practice this turned out not always to be the case. The config.inc.php file is not writable anymore by the webserver user. See README.Debian for details on how to enable the setup.php script if and when you need it.

phpMyAdmin has been updated to version 2.11.9.6 to fix a cross-site scripting (XSS) issue (CVE-2009-3696) and a SQL injection vulnerability (CVE-2009-3697).

Changes for 3.2.2.1: - [security] XSS and SQL injection, thanks to Herman van Rink

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote web server is running a version of phpMyAdmin prior to 2.11.9.6, or 3.x prior to 3.2.2.1.  Such versions are potentially affected by multiple issues :

 - A cross-site scripting (XSS) flaw exists which allows remote attackers to inject arbitrary web script or HTML via a crafted name for a MySQL table. (CVE-2009-3696)
 - A SQL injection flaw affects the PDF schema generator functionality. Specifically, this flaw allows remote attackers to execute arbitrary SQL commands via unspecified interface parameters. (CVE-2009-3697)

phpMyAdmin Team reports :

Cross-site scripting (XSS) vulnerability allows remote attackers to inject arbitrary web script or HTML via a crafted MySQL table name.

SQL injection vulnerability allows remote attackers to inject SQL via various interface parameters of the PDF schema generator feature.

ID	Name	Product	Family	Severity
44783	Debian DSA-1918-1 : phpmyadmin - several vulnerabilities	Nessus	Debian Local Security Checks	high
42326	openSUSE 10 Security Update : phpMyAdmin (phpMyAdmin-6570)	Nessus	SuSE Local Security Checks	high
42230	openSUSE Security Update : phpMyAdmin (phpMyAdmin-1416)	Nessus	SuSE Local Security Checks	high
42157	Fedora 11 : phpMyAdmin-3.2.2.1-1.fc11 (2009-10530)	Nessus	Fedora Local Security Checks	high
42154	Fedora 10 : phpMyAdmin-3.2.2.1-1.fc10 (2009-10510)	Nessus	Fedora Local Security Checks	high
5209	phpMyAdmin < 2.11.9.6 / 3.x < 3.2.2.1 Multiple Vulnerabilities	Nessus Network Monitor	CGI	high
42129	FreeBSD : phpmyadmin -- XSS and SQL injection vulnerabilities (4769914e-b844-11de-b159-0030843d3802)	Nessus	FreeBSD Local Security Checks	high

Detections

Analytics

CVE-2009-3696

medium

Tenable Plugins

high

high

high

high

high

high

high