Fedora 14 : phpMyAdmin-3.4.1-1.fc14 (2011-7702)

This script is Copyright (C) 2011-2016 Tenable Network Security, Inc.

Synopsis :

The remote Fedora host is missing a security update.

Description :

Welcome to phpMyAdmin 3.4, presenting a new default theme. This
release contains new features, especially :

- User preferences

- Relation schema export to multiple formats

- ENUM/SET editor

- Simplified interface for export/import

- AJAXification of some parts

- Charts

- Visual query builder

and here is the ChangeLog :

Changes for (2011-05-20)

- [interface] Synchronize and already configured host

- [bug] Inline edit and $cfg['PropertiesIconic']

- [patch] Show a translated label

- [navi] Table filter is case sensitive

- [privileges] Revert temporary fix

- [synchronize] Synchronize and user name

- [core] Some browsers report an insecure https

- [security] Make redirector require valid token (see
PMASA-2011-3 and PMASA-2011-4)

Changes for (2011-05-11)

- [view] Enable VIEW rename

- [privileges] Export a user's privileges

- [core] Updated mootools to fix some glitches with

- [interface] Add REGEXP ^...$ to select dialog.

- [interface] Add insert ignore option to editing row.

- [interface] Show warning when JavaScript is disabled.

- [edit] Call UUID function separately to show it in

- [export] Allow export of timestamps in UTC.

- [core] Remove config data from session as it brings
chicken-egg problem.

- [core] Cookie path now honors PmaAbsoluteUri.

- [core] phpMyAdmin honors https in PmaAbsoluteUri.

- [core] Try moving tables by RENAME and fail to
CREATE/INSERT if that fails.

- [core] Force reload js on code change.

- [interface] Do not display long numbers in server

- [edit] Add option to just display insert query.

- [interface] Move SSL status to the end, it is usually

- [interface] Show numbers of columns in table

- [interface] Add link to reload navigation frame.

- [auth] Signon authentication forwards error message
through session data.

- [interface] Move ^1 to the end of message.

- [interface] Grey out non applicable actions in

- [interface] Allow to create new table from navigation
frame (in light mode).

- [browse] Add direct download of binary fields.

- [browse] Properly display NULL value for BLOB.

- [edit] Allow to set BLOB to/from NULL with

- [edit] Do not default to UNHEX when using file upload.

- [core] Add option to configure session_save_path.

- [interface] Provide links to documentation in
highlighted SQL.

- [interface] It is now possible to bookmark most pages
in JS capable browser.

- [core] Fix SSL detection.

- [doc] Add some hints to chk_rel.php for quick setup.

- [interface] Add class to some elements for easier

- [doc] Add some interesting configs to

- [doc] Added advice to re-login after changing pmadb

- [interface] Prefill 'Copy table to' in
tbl_operations.php, thanks to iinl

- [lang] Add English (United Kingdom) translation,
thanks to Robert Readman.

- [auth] HTTP Basic auth realm name, thanks to Harald

- [interface] Do not insert doc links to not formatted

- [lang] Chinese Simplified update, thanks to Shanyan

- [lang] Turkish update, thanks to Burak Yavuz

- [interface] Focus TEXTAREA 'sql_query' on click on
'SQL' link

- [lang] Uzbek update, thanks to Orzu Samarqandiy

- [import] After import, also list uploaded filename,
thanks to Pavel Konnikov and Herman van Rink

- [structure] Clicking on table name in db Structure
should Browse the table if possible, thanks to

- [search] New search operators, thanks to Martynas

- [designer] Colored relations based on the primary key,
thanks to GreenRover

- [core] Provide way for vendors to easily change paths
to config files.

- [interface] Add inline query editing, thanks to
Muhammad Adnan.

- [setup] Allow to configure changes tracking in setup

- [edit] Optionally disable the Type column, thanks to
Brian Douglass

- [edit] Buttons for quickly creating common SQL queries,
thanks to sutharshan.

- [interface] Convert loading of export/import to jQuery
ready event, thanks to sutharshan.

- [edit] CURRENT_TIMESTAMP is also valid for datetime

- [engines] Fix parsing of PBXT status, thanks to
Madhura Jayaratne.

- [interface] Convert upload progress bar to jQuery,
thanks to Philip Frank.

- [interface] Add JavaScript validation of datetime
input, thanks to Sutharshan Balachandren.

- [interface] Default sort order is now SMART.

- [interface] Fix flipping of headers in non-IE

- [interface] Allow to choose servers from configuration
for synchronisation.

- [relation] Improve ON DELETE/ON UPDATE drop-downs

- [relation] Improve labels in relation view

- [interface] Use jQuery calendar dialog, thanks to
Muhammad Adnan.

- [doc] Incorporate synchronisation docs into main

- [core] Include Content Security Policy HTTP headers.

- [CSS] Field attributes use inline CSS

- [interface] Cleanup navigation frame.

- [core] Prevent sending of unnecessary cookies, thanks
to Piotr Przybylski

- [password] Generate password only available if JS is
enabled (fixed for Privileges and Change password)

- [core] RecodingEngine now accepts none as valid

- [core] Dropped AllowAnywhereRecoding configuration

- [interface] Define tab order in SQL form to allow
easier tab navigation.

- [core] Centralized format string expansion,
@[email protected] are recommended way now, used by file name
templates, default queries, export and title

- [validator] SQL validator works also with SOAP PHP

- [interface] Better formatting for SQL validator

- [doc] The linked-tables infrastructure is now called
phpMyAdmin configuration storage.

- [interface] Move drop/empty links from being tabs to
Operations tab.

- [interface] Fixed rendering of error/notice/info
titles background.

- [doc] Language and grammar fixes, thanks to Isaac

- [export] JSON export, thanks to Hauke Henningsen

- [interface] Editor for SET/ENUM fields.

- [interface] Simplified interface to backup/restore.

- [common] Users preferences

- [relations] Dropped WYSIWYG-PDF configuration

- [relations] Export relations to Dia, SVG and others

- [interface] Added charts to status tab, profiling page
and query results

- [interface] AJAXification on various pages

- [core] Remove last remaining parts of profiling code
which was removed in 2006.

- [parser] Add workaround for MySQL way of handling

- [interface] Removed modification options for

- [config] Add Left frame table filter visibility config
option, thanks to eesau

- [core] Force generating of new session on login

- [interface] Drop page-break-before as it is useless
for smaller tables.

- [interface] Allow to wrap enum values.

- [interface] Do not automatically mark PDF schema rows
to delete

- [interface] Do not apply LeftFrameDBSeparator on first

- [interface] Column highlighting and marking in table

- [common] Visual query builder

- [interface] Prevent long queries from being shown in
confirmation popup

- [navi] Left panel table grouping incorrect, thanks to
garas - garas

- [interface] Avoid double escaping of MySQL errors.

- [interface] Use less noisy message and remove disable
link on server charts and database statistics.

- [relation] When displaying results, show a link to the
foreign table even when phpMyAdmin configuration
storage is not active

- [relation] Foreign key input options

- [export] Better handling of export to PHP array.

- [privileges] No DROP DATABASE warning if you delete a

- [interface] Add link to documentation for status

- [security] Redirect external links to avoid Referer

- [interface] Default to not count tables in database.

- [interface] Shortcut for copying table row.

- [auth] Reset user cache on login.

- [interface] Replace hard-coded limit with

- [interface] Indicate that bookmark is being used on

- [interface] Indicate shared bookmarks in interface.

- [search] Ajaxify browse and delete criteria in DB
Search, thanks to Thilanka Kaushalya

- [interface] New default theme pmahomme, dropped
darkblue_orange theme.

- [auth] Allow to pass additional parameters using
signon method.

- [auth] Add example for OpenID authentication using
signon method.

- [dbi] Default to mysqli extension.

- [interface] Add clear button to SQL edit box.

- [core] Update library PHPExcel to version 1.7.6

- [core] Work without mbstring installed.

- [interface] Add links to variables documentation.

- [import] Fix import of utf-8 XML files.

- [auth] Force signon auth on signon URL change.

- [core] Synchronization does not honor

- [synchronization] Data containing single quotes
prevents sync, thanks to jviewer

- [common] Remove the custom color picker feature

- [privileges] Don't fail silently on missing privilege

Note that Tenable Network Security has extracted the preceding
description block directly from the Fedora security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.

Solution :

Update the affected phpMyAdmin package.

Risk factor :

Medium / CVSS Base Score : 6.5
CVSS Temporal Score : 5.7
Public Exploit Available : true

Family: Fedora Local Security Checks

Nessus Plugin ID: 55006

Bugtraq ID: 47943
