about phpMyAdmin setup.php XSS vulnerability



Hi,

phpMyAdmin version 2.11.1.1 was released to fix this, along with a security announcement: http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2007-5

which contains a mitigating factor:

"We could only trigger it when using Internet Explorer with the 'send URLs as UTF8' setting disabled. The default value of this setting being 'enabled' reduces the impact of this problem."

For distros who prefer a small patch:
http://phpmyadmin.svn.sourceforge.net/viewvc/phpmyadmin/branches/MAINT_2_11_1/phpMyAdmin/scripts/setup.php?r1=10637&r2=10748&view=patch

Marc Delisle, for the team



Relevant Pages

  • [NT] Microsoft Agent Remote Code Execution (MS07-020)
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Get your security news from a reliable source. ... Outlook Express open HTML e-mail messages in the Restricted sites zone. ... section for more information about Internet Explorer Enhanced Security ...
    (Securiteam)
  • [NT] Vulnerability in Microsoft Agent Allows Code Execution (MS06-068)
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Get your security news from a reliable source. ... for more information about Internet Explorer Enhanced Security ... Configure Internet Explorer to prompt before running ActiveX Controls ...
    (Securiteam)
  • [NT] Vulnerability in Microsofts HTML Converter Could Allow Code Execution
    ... Beyond Security in Canada ... to promote the most advanced vulnerability assessment solutions today. ... Internet Explorer on Windows Server 2003 runs in Enhanced ... all intranet Web sites and all Universal Naming Convention paths ...
    (Securiteam)
  • [NT] Vulnerability in Visual Studio 2005 Could Allow Remote Code Execution (MS06-073)
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Get your security news from a reliable source. ... allow-list for ActiveX controls in Internet Explorer 7. ...
    (Securiteam)
  • [NT] Cumulative Patch for Internet Explorer (MS03-040)
    ... Get your security news from a reliable source. ... all previously released patches for Internet Explorer 5.01, ... * A vulnerability that occurs because Internet Explorer does not properly ... could be possible for an attacker who exploited this vulnerability to run ...
    (Securiteam)