Fedora 13 : phpMyAdmin-3.4.1-1.fc13 (2011-7703)

This script is Copyright (C) 2011-2015 Tenable Network Security, Inc.


Synopsis :

The remote Fedora host is missing a security update.

Description :

Welcome to phpMyAdmin 3.4, presenting a new default theme. This
release contains new features, especially:

- User preferences

- Relation schema export to multiple formats

- ENUM/SET editor

- Simplified interface for export/import

- AJAXification of some parts

- Charts

- Visual query builder

and here is the ChangeLog:

Changes for 3.4.1.0 (2011-05-20)

- [interface] Synchronize and already configured host

- [bug] Inline edit and $cfg['PropertiesIconic']

- [patch] Show a translated label

- [navi] Table filter is case sensitive

- [privileges] Revert temporary fix

- [synchronize] Synchronize and user name

- [core] Some browsers report an insecure https
connection

- [security] Make redirector require valid token (see
PMASA-2011-3 and PMASA-2011-4)

Changes for 3.4.0.0 (2011-05-11)

- [view] Enable VIEW rename

- [privileges] Export a user's privileges

- [core] Updated mootools to fix some glitches with
Safari.

- [interface] Add REGEXP ^...$ to select dialog.

- [interface] Add insert ignore option to editing row.

- [interface] Show warning when JavaScript is disabled.

- [edit] Call UUID function separately to show it in
insert.

- [export] Allow export of timestamps in UTC.

- [core] Remove config data from session as it brings
chicken-egg problem.

- [core] Cookie path now honors PmaAbsoluteUri.

- [core] phpMyAdmin honors https in PmaAbsoluteUri.

- [core] Try moving tables by RENAME and fail to
CREATE/INSERT if that fails.

- [core] Force reload js on code change.

- [interface] Do not display long numbers in server
status.

- [edit] Add option to just display insert query.

- [interface] Move SSL status to the end, it is usually
empty.

- [interface] Show numbers of columns in table
structure.

- [interface] Add link to reload navigation frame.

- [auth] Signon authentication forwards error message
through session data.

- [interface] Move ^1 to the end of message.

- [interface] Grey out non-applicable actions in
structure

- [interface] Allow to create new table from navigation
frame (in light mode).

- [browse] Add direct download of binary fields.

- [browse] Properly display NULL value for BLOB.

- [edit] Allow to set BLOB to/from NULL with
ProtectBinary.

- [edit] Do not default to UNHEX when using file upload.

- [core] Add option to configure session_save_path.

- [interface] Provide links to documentation in
highlighted SQL.

- [interface] It is now possible to bookmark most pages
in JS capable browser.

- [core] Fix SSL detection.

- [doc] Add some hints to chk_rel.php for quick setup.

- [interface] Add class to some elements for easier
theming.

- [doc] Add some interesting configs to
config.sample.inc.php.

- [doc] Added advice to re-login after changing pmadb
settings

- [interface] Prefill 'Copy table to' in
tbl_operations.php, thanks to iinl

- [lang] Add English (United Kingdom) translation,
thanks to Robert Readman.

- [auth] HTTP Basic auth realm name, thanks to Harald
Jenny

- [interface] Do not insert doc links to not formatted
SQL.

- [lang] Chinese Simplified update, thanks to Shanyan
Baishui

- [lang] Turkish update, thanks to Burak Yavuz

- [interface] Focus TEXTAREA 'sql_query' on click on
'SQL' link

- [lang] Uzbek update, thanks to Orzu Samarqandiy

- [import] After import, also list uploaded filename,
thanks to Pavel Konnikov and Herman van Rink

- [structure] Clicking on table name in db Structure
should Browse the table if possible, thanks to
bhdouglass

- [search] New search operators, thanks to Martynas
Mickevičius

- [designer] Colored relations based on the primary key,
thanks to GreenRover

- [core] Provide way for vendors to easily change paths
to config files.

- [interface] Add inline query editing, thanks to
Muhammad Adnan.

- [setup] Allow to configure changes tracking in setup
script.

- [edit] Optionally disable the Type column, thanks to
Brian Douglass

- [edit] Buttons for quickly creating common SQL queries,
thanks to sutharshan.

- [interface] Convert loading of export/import to jQuery
ready event, thanks to sutharshan.

- [edit] CURRENT_TIMESTAMP is also valid for datetime
fields.

- [engines] Fix parsing of PBXT status, thanks to
Madhura Jayaratne.

- [interface] Convert upload progress bar to jQuery,
thanks to Philip Frank.

- [interface] Add JavaScript validation of datetime
input, thanks to Sutharshan Balachandren.

- [interface] Default sort order is now SMART.

- [interface] Fix flipping of headers in non-IE
browsers.

- [interface] Allow to choose servers from configuration
for synchronisation.

- [relation] Improve ON DELETE/ON UPDATE drop-downs

- [relation] Improve labels in relation view

- [interface] Use jQuery calendar dialog, thanks to
Muhammad Adnan.

- [doc] Incorporate synchronisation docs into main
document.

- [core] Include Content Security Policy HTTP headers.

- [CSS] Field attributes use inline CSS

- [interface] Cleanup navigation frame.

- [core] Prevent sending of unnecessary cookies, thanks
to Piotr Przybylski

- [password] Generate password only available if JS is
enabled (fixed for Privileges and Change password)

- [core] RecodingEngine now accepts none as valid
option.

- [core] Dropped AllowAnywhereRecoding configuration
variable.

- [interface] Define tab order in SQL form to allow
easier tab navigation.

- [core] Centralized format string expansion,
@VARIABLE@-style placeholders are the recommended way now, used by
file name templates, default queries, export and title
generating.

- [validator] SQL validator works also with SOAP PHP
extension.

- [interface] Better formatting for SQL validator
results.

- [doc] The linked-tables infrastructure is now called
phpMyAdmin configuration storage.

- [interface] Move drop/empty links from being tabs to
Operations tab.

- [interface] Fixed rendering of error/notice/info
titles background.

- [doc] Language and grammar fixes, thanks to Isaac
Bennetch

- [export] JSON export, thanks to Hauke Henningsen

- [interface] Editor for SET/ENUM fields.

- [interface] Simplified interface to backup/restore.

- [common] Users preferences

- [relations] Dropped WYSIWYG-PDF configuration
variable.

- [relations] Export relations to Dia, SVG and others

- [interface] Added charts to status tab, profiling page
and query results

- [interface] AJAXification on various pages

- [core] Remove last remaining parts of profiling code
which was removed in 2006.

- [parser] Add workaround for MySQL way of handling
backtick.

- [interface] Removed modification options for
information_schema

- [config] Add Left frame table filter visibility config
option, thanks to eesau

- [core] Force generating of new session on login

- [interface] Drop page-break-before as it is useless
for smaller tables.

- [interface] Allow to wrap enum values.

- [interface] Do not automatically mark PDF schema rows
to delete

- [interface] Do not apply LeftFrameDBSeparator on first
character.

- [interface] Column highlighting and marking in table
view

- [common] Visual query builder

- [interface] Prevent long queries from being shown in
confirmation popup

- [navi] Left panel table grouping incorrect, thanks to
garas - garas

- [interface] Avoid double escaping of MySQL errors.

- [interface] Use less noisy message and remove disable
link on server charts and database statistics.

- [relation] When displaying results, show a link to the
foreign table even when phpMyAdmin configuration
storage is not active

- [relation] Foreign key input options

- [export] Better handling of export to PHP array.

- [privileges] No DROP DATABASE warning if you delete a
user

- [interface] Add link to documentation for status
variables.

- [security] Redirect external links to avoid Referer
leakage.

- [interface] Default to not count tables in database.

- [interface] Shortcut for copying table row.

- [auth] Reset user cache on login.

- [interface] Replace hard-coded limit with
$cfg['LimitChars'].

- [interface] Indicate that bookmark is being used on
browse.

- [interface] Indicate shared bookmarks in interface.

- [search] Ajaxify browse and delete criteria in DB
Search, thanks to Thilanka Kaushalya

- [interface] New default theme pmahomme, dropped
darkblue_orange theme.

- [auth] Allow to pass additional parameters using
signon method.

- [auth] Add example for OpenID authentication using
signon method.

- [dbi] Default to mysqli extension.

- [interface] Add clear button to SQL edit box.

- [core] Update library PHPExcel to version 1.7.6

- [core] Work without mbstring installed.

- [interface] Add links to variables documentation.

- [import] Fix import of utf-8 XML files.

- [auth] Force signon auth on signon URL change.

- [core] Synchronization does not honor
AllowArbitraryServer

- [synchronization] Data containing single quotes
prevents sync, thanks to jviewer

- [common] Remove the custom color picker feature

- [privileges] Don't fail silently on missing privilege
to execute REVOKE ALL PRIVILEGES

Note that Tenable Network Security has extracted the preceding
description block directly from the Fedora security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.

See also :

https://bugzilla.redhat.com/show_bug.cgi?id=704171
http://www.nessus.org/u?649afa81

Solution :

Update the affected phpMyAdmin package.

Risk factor :

High

Family: Fedora Local Security Checks

Nessus Plugin ID: 55007

Bugtraq ID:

CVE ID:
