Multiple cross-site scripting (XSS) vulnerabilities in the Database Structure page in phpMyAdmin 3.4.x before 3.4.11.1 and 3.5.x before 3.5.2.2 allow remote authenticated users to inject arbitrary web script or HTML via (1) a crafted table name during table creation, or a (2) Empty link or (3) Drop link for a crafted table name.

phpMyAdmin was updated to 3.5.2.2

  - fix for bnc#776698, bnc#776701

phpMyAdmin 3.5.2.2 (2012-08-12) ===============================

  - [security] Fixed XSS vulnerabilities, see PMASA-2012-4     (http://www.phpmyadmin.net/home_page/security/PMASA-2012
    -4.php)

phpMyAdmin 3.5.2.1 (2012-08-03) ===============================

  - [security] Fixed local path disclosure vulnerability,     see PMASA-2012-3     (http://www.phpmyadmin.net/home_page/security/PMASA-2012
    -3.php)

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to its self-identified version number, the phpMyAdmin install hosted on the remote web server is affected by multiple cross-site scripting vulnerabilities. Using a crafted table name, it's possible to produce the issue with the following pages / conditions :

  - The Database Structure page by creating a table with a     crafted name or using the Empty and Drop links of the     crafted table name.

  - The Table Operations page of a crafted table by using     the 'Empty the table (TRUNCATE)' and 'Delete the table     (DROP)' links.

  - The Triggers page of a database containing tables with     a crafted name when opening the 'Add Trigger' pop-up.

  - When creating a trigger for a table with a crafted name     with an invalid definition.

  - When visualizing GIS data having a crafted label name.

Note that version 3.4.x is only affected by the issues on the Database Structure page, while versions 3.5.x are affected by all the issues listed.

The phpMyAdmin development team reports :

Using a crafted table name, it was possible to produce a XSS : 1) On the Database Structure page, creating a new table with a crafted name 2) On the Database Structure page, using the Empty and Drop links of the crafted table name 3) On the Table Operations page of a crafted table, using the 'Empty the table (TRUNCATE)' and 'Delete the table (DROP)' links 4) On the Triggers page of a database containing tables with a crafted name, when opening the 'Add Trigger' popup 5) When creating a trigger for a table with a crafted name, with an invalid definition. Having crafted data in a database table, it was possible to produce a XSS : 6) When visualizing GIS data, having a crafted label name.

ID	Name	Product	Family	Severity
74726	openSUSE Security Update : phpMyAdmin (openSUSE-SU-2012:1062-1)	Nessus	SuSE Local Security Checks	medium
62129	Fedora 18 : phpMyAdmin-3.5.2.2-1.fc18 (2012-11962)	Nessus	Fedora Local Security Checks	medium
61699	Fedora 16 : phpMyAdmin-3.5.2.2-1.fc16 (2012-12060)	Nessus	Fedora Local Security Checks	medium
61698	Fedora 17 : phpMyAdmin-3.5.2.2-1.fc17 (2012-12031)	Nessus	Fedora Local Security Checks	medium
61659	phpMyAdmin 3.4.x < 3.4.11.1 / 3.5.x < 3.5.2.2 Multiple XSS (PMASA-2012-4)	Nessus	CGI abuses : XSS	low
61566	FreeBSD : phpMyAdmin -- Multiple XSS in Table operations, Database structure, Trigger and Visualize GIS data pages (db1d3340-e83b-11e1-999b-e0cb4e266481)	Nessus	FreeBSD Local Security Checks	low

Detections

Analytics

CVE-2012-4345

medium

Tenable Plugins

medium

medium

medium

medium

low

low