Softpedia
 


August 26th, 2011, 16:49 GMT

XSS Vulnerabilities Fixed in phpMyAdmin

The phpMyAdmin developers have released versions 3.4.4 and 3.3.10.4 of the web-based database management tool in order to address several cross-site scripting (XSS) vulnerabilities.

The flaws are all covered in the same advisory because they are located in the same component, which handles the tracking feature.

They stem from a lack of input sanitization on the table, column and index names and were discovered by Norman Hippert from The-Wildcat.de.

"This can be exploited to insert arbitrary HTML and script code, which will be executed in a user's browser session in context of an affected site when the malicious data is being viewed," explains Danish vulnerability management vendor Secunia which rates the issues as less critical.

Cross-site scripting vulnerabilities are the result of poor input validation and allow attackers to insert code into the vulnerable pages. They can be of several types, these phpMyAdmin ones being of the most severe kind, called persistent XSS.
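The pattern behind this class of flaw, shown as an added illustration that is not phpMyAdmin's code: stored table, column and index names are written into a report page, first without and then with output encoding. The function names and the sample rows are hypothetical and constructed for this example.

```php
<?php
// Added illustration; NOT phpMyAdmin source. All function names are hypothetical.

// Constructed sample rows: identifiers as they might be read back from storage.
// MySQL accepts most characters inside quoted identifiers, so names are untrusted.
$trackedObjects = [
    ['table' => 'orders', 'column' => 'id', 'index' => 'PRIMARY'],
    ['table' => 'x<script>alert(1)</script>', 'column' => 'a"b', 'index' => "i'<b>"],
];

// Vulnerable pattern: stored names are concatenated into the page unchanged,
// so markup inside a name becomes part of the document for every later viewer.
function renderRowUnsafe(array $o): string
{
    return '<tr><td>' . $o['table'] . '</td><td>' . $o['column']
         . '</td><td>' . $o['index'] . '</td></tr>';
}

// Hardened pattern: encode each value for the HTML context at output time.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function renderRowSafe(array $o): string
{
    return '<tr><td>' . h($o['table']) . '</td><td>' . h($o['column'])
         . '</td><td>' . h($o['index']) . '</td></tr>';
}

// Regression check: once the template's own tags are removed, no angle
// bracket may remain. Any that do came from data that was not encoded.
function hasInjectedMarkup(string $html): bool
{
    $rest = str_replace(['<tr>', '</tr>', '<td>', '</td>'], '', $html);
    return strpbrk($rest, '<>') !== false;
}

foreach ($trackedObjects as $o) {
    printf("unsafe: %s\n  injected markup: %s\n", renderRowUnsafe($o),
        var_export(hasInjectedMarkup(renderRowUnsafe($o)), true));
    printf("safe:   %s\n  injected markup: %s\n", renderRowSafe($o),
        var_export(hasInjectedMarkup(renderRowSafe($o)), true));
}
```

Only the second constructed row trips the check, and only through the unencoded renderer; the encoded output displays the same name as inert text.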

In addition to the security content, these new releases also fix a considerable number of stability issues in the parser, config, export, display, navigation, interface, core and usability components.

phpMyAdmin is an open source software package written in PHP which allows MySQL databases to be administered via a web interface. It is popular with webmasters and hosting providers because it is more intuitive than the command line and doesn't require SSH access.

Fortunately, being an administrative tool, phpMyAdmin installations are usually protected and only available to administrators. This limits the number of users that are impacted by such vulnerabilities.

The software is included by default in many Linux distributions, so the patches will be ported by the maintainers of those packages. All other users are strongly encouraged to manually upgrade to the latest 3.4.x or 3.3.x versions, as the 2.11.x branch was discontinued back in July.

The latest version of phpMyAdmin can be downloaded from here.
