Cross-site scripting (XSS) vulnerability in the replication-setup functionality in js/replication.js in phpMyAdmin 3.4.x before 3.4.10.1 allows user-assisted remote attackers to inject arbitrary web script or HTML via a crafted database name.

- update to 3.4.10.1 (fix for bnc#747841)

  - [security] XSS in replication setup, see PMASA-2012-1

  - 3.4.10.0 (2012-02-14)

  - bug #3460090 [interface] TextareaAutoSelect feature     broken

  - patch #3375984 [export] PHP Array export might generate     invalid php code

  - bug #3049209 [import] Import from ODS ignores cell that     is the same as cell be fore

  - bug #3463933 [display] SELECT DISTINCT displays wrong     total records found

  - patch #3458944 [operations] copy table data missing SET     SQL_MODE='NO_AUTO_VALUE_ON_ZERO'

  - bug #3469254 [edit] Setting data to NULL and drop-downs

  - bug #3477063 [edit] Missing set fields and values in     generated INSERT query

  - bug #3460867 [libraries] license issue with TCPDF     (updated to 5.9.145), (fix for bnc#736698)

According to its self-identified version number, the phpMyAdmin install hosted on the remote web server is affected by a cross-site scripting vulnerability. 

The vulnerability is in the replication-setup functionality in js/replication.js in phpMyAdmin 3.4.x before 3.4.10.1, which allows user-assisted remote attackers to inject arbitrary web script or HTML via a crafted database name.

Changes for 3.5.0.0 (2012-04-07) :

  - [interface] Add support for mass prefix change.

    - [display] 'up to date' message on main page when       current version is up to date

    - [feature] Update to jQuery 1.6.2

    - [search] Show/hide db search results

    - [patch] Add gettext wrappers around a message

    - [cleanup] Remove deprecated function       PMA_DBI_get_fields

    - [feature] Remember recent tables

    - [feature] Remember the last sort order for each table

    - [ajax] for Create table in navigation panel

    - [feature] Wording about Column

    - [ajax] AJAX for Add a user in Database privileges

    - [feature] new DisableMultiTableMaintenance directive

    - [interface] Reorganised server status page.

    - [interface] Changed way of generating charts.

    - [interface] Flexible column width

    - [interface] Mouse-based column reordering in query       results

    - [ajax] AJAX for Insert to a table from database       Structure page

    - [patch] PMA_ajaxShowMessage() does not respect timeout

    - [ajax] AJAX for Change on multiple rows in table       Browse

    - [interface] Improved support for stored routines

    - [display] More options for browsing GIS data

    - [interface] Support for spatial indexes

    - [display] GIS data visualization

    - [ajax] AJAX for table structure multiple-column change

    - [ajax] AJAX for table structure index edit

    - [feature] Show/hide indexes in table Structure

    - [display] More compact navigation bar

    - [display] Display direction (horizontal/vertical) no       longer displayed by default

    - [feature] Shift/click support in database Structure

    - [display] Show/hide column in table Browse

    - [ajax] AJAX dialogs use wrong font-size

    - [interface] Timepicker does not work in AJAX dialogs

    - [ajax] AJAX for table Structure Indexes Edit

    - [ajax] AJAX for table Structure column Change

    - [interface] Improved support for events

    - [interface] Improved support for triggers

    - [interface] Improved server monitoring

    - [ajax] AJAX for table Structure column Add

    - [ajax] AJAX for table Operations copy table

    - [export] no uid Query result export (Suhosin limit)

    - [feature] Grid editing in browse mode (replaces row       inline edit)

    - [feature] Zoom-search in table Search

    - [interface] Editor for GIS data

    - [import] Import GIS data from ESRI Shapefiles

    - [interface] 'Function based search' for GIS data

    - [database] Support Drizzle database

    - [interface] Interface problems for queries having       LIMIT clauses

    - [interface] Remove DefaultPropDisplay feature

    - [prettyprint] Order By in a query containing comment       character

    - [interface] Improved ENUM/SET editor

    - [pmadb] pmadb on a different MySQL server

    - [interface] Improving field size for character columns

    - [usability] Removed an unnecessary AJAX request from       database search

    - [navi] Tabs break when squeezing page

    - [navi] Stick table tools to top of page on scroll

    - [interface] Improved error handling

    - [interface] Add useful intermediate pages to       pageselector

    - [interface] Improved index editor

    - [display] View editing via a generated ALTER VIEW

    - [interface] Deleting table from the DB does not change       the table counter

    - [designer] Toggle for relation lines

    - [ajax] database list not updated after adding/deleting       a user + database

    - [edit] Sort by key generates wrong sql with limit       clause

    - [structure] Error dropping index of non-existing       column

    - [display] Page through rows returned from a view

    - [interface] Checkbox to have SQL input remain

    - [export] Fixed CSV escape for the export

    - [import] Fixed CSV escape for the import

    - [interface] No warning on syntax error in search form

    - [core] Improved detection of SSL connection

    - [feature] FULLTEXT support for InnoDB, starting with       MySQL 5.6.4

    - [interface] Duplicate inline query edit box

    - [mime] Description of the transformation missing in       the tooltip

Changes for 3.4.11.0 (not yet released) :

  - [import] Exception on XML import

    - [navi] $cfg['ShowTooltipAliasTB'] and blank names in       navigation

Changes for 3.4.10.2 (2012-03-28) :

  - [security] Fixed local path disclosure vulnerability,     see PMASA-2012-2

Changes for 3.4.10.1 (2012-02-18) :

  - [security] XSS in replication setup, see PMASA-2012-1

Changes for 3.4.10.0 (2012-02-14) :

  - [interface] TextareaAutoSelect feature broken

    - [export] PHP Array export might generate invalid php       code

    - [import] Import from ODS ignores cell that is the same       as cell before

    - [display] SELECT DISTINCT displays wrong total records       found

    - [operations] copy table data missing SET       SQL_MODE='NO_AUTO_VALUE_ON_ZERO'

    - [edit] Setting data to NULL and drop-downs

    - [edit] Missing set fields and values in generated       INSERT query

    - [libraries] license issue with TCPDF (updated to       5.9.145)

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The version of phpMyAdmin hosted on the remote web server is 3.4.x prior to 3.4.10.1 and is reportedly affected by a cross-site scripting vulnerability related to replication setup.

The phpMyAdmin development team reports :

It was possible to conduct XSS using a crafted database name.

ID	Name	Product	Family	Severity
74557	openSUSE Security Update : phpMyAdmin (openSUSE-2012-135)	Nessus	SuSE Local Security Checks	medium
59171	phpMyAdmin Replication Setup js/replication.js Database Name XSS	Nessus	CGI abuses : XSS	medium
58955	Fedora 17 : phpMyAdmin-3.5.0-1.fc17 (2012-5599)	Nessus	Fedora Local Security Checks	medium
58926	Fedora 15 : phpMyAdmin-3.5.0-1.fc15 (2012-5631)	Nessus	Fedora Local Security Checks	medium
58925	Fedora 16 : phpMyAdmin-3.5.0-1.fc16 (2012-5624)	Nessus	Fedora Local Security Checks	medium
58087	phpMyAdmin 3.4.x < 3.4.10.1 XSS (PMASA-2012-1)	Nessus	CGI abuses : XSS	medium
58024	FreeBSD : phpMyAdmin -- XSS in replication setup (fdd1c316-5a3d-11e1-8d3e-e0cb4e266481)	Nessus	FreeBSD Local Security Checks	medium

Detections

Analytics

CVE-2012-1190

medium

Tenable Plugins

medium

medium

medium

medium

medium

medium

medium