phpMyAdmin 3.4.9 Closes Two Cross-Site Scripting Vulnerabilities

The 3.4.9 variant of the popular open source database administration tool, phpMyAdmin, comes with a couple of security fixes which patch up some flaws that could have allowed a cybercriminal to launch cross-site scripting attacks.

According to the release notes, an XSS flaw existed in the setup interface if specially crafted values were entered. Also, by using malicious URL parameters, it was possible to produce XSS on the export panels in the server, database and table sections.

An attack using the XSS in export would be hard to achieve, especially since it would require the user to be logged in. On the other hand, the hole in the setup partly relies on the fact that the config directory exists and is writeable, but the documentation warns customers not to leave it so.

Versions 3.4.x are affected and even though the vulnerabilities are considered to be non-critical, users are advised to upgrade to phpMyAdmin 3.4.9.

phpMyAdmin 3.4.9 is available for download here.