Description of problem:
phpMyAdmin < 2.11.7.1 contains a not clearly documented security bug: "Welcome to phpMyAdmin 2.11.7.1, a security fix version. The security announcement will follow on http://www.phpmyadmin.net."

Version-Release number of selected component (if applicable):
phpMyAdmin-2.11.7-1

Additional info (http://www.phpmyadmin.net/home_page/downloads.php?relnotes=0):

Fixes for 2.11.7.x:
- bug #1908719 [interface] New field cannot be auto-increment and primary key
- [dbi] Incorrect interpretation for some mysqli field flags
- bug #1910621 [display] part 1: do not display a TEXT utf8_bin as BLOB (fixed for mysqli extension only)
- [interface] sanitize the after_field parameter, thanks to Norman Hippert
- [structure] do not remove the BINARY attribute in drop-down
- bug #1955386 [session] Overriding session.hash_bits_per_character
- [interface] sanitize the table comments in table print view, thanks to Norman Hippert
- bug #1939031 Auto_Increment selected for TimeStamp by Default
- patch #1957998 [display] No tilde for InnoDB row counter when we know it for sure, thanks to Vladyslav Bakayev - dandy76
- bug #1955572 [display] alt text causes duplicated strings
- bug #1762029 [interface] Cannot upload BLOB into existing row
- bug #1981043 [export] HTML in exports getting corrupted, thanks to Jason Judge - jasonjudge
- bug #1936761 [interface] BINARY not treated as BLOB: update/delete issues
- protection against XSS when register_globals is on and .htaccess has no effect, thanks to Tim Starling
- bug #1996943 [export] Firefox 3 and .sql.gz (corrupted); detect Gecko 1.9, thanks to Juergen Wind
- (2.11.7.1) [security] XSRF/CSRF by manipulating the db, convcharset and collation_connection parameters, thanks to YGN Ethical Hacker Group
phpMyAdmin-2.11.7.1-1.fc8 has been submitted as an update for Fedora 8
phpMyAdmin-2.11.7.1-1.fc9 has been submitted as an update for Fedora 9
CVE-2008-3197: Cross-site request forgery (CSRF) vulnerability in phpMyAdmin before 2.11.7.1 allows remote attackers to perform unauthorized actions via a link or IMG tag to (1) the "Creating a Database" functionality (db_create.php) and (2) unspecified vectors that modify the connection character set.

Upstream advisory: http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2008-5
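The CVE text above describes the classic CSRF shape: a state-changing action driven purely by request parameters, reachable from a link or IMG tag on another site while the victim's browser still holds an authenticated phpMyAdmin session. The following PHP is an added illustration written for this report, not phpMyAdmin's own code and not the actual fix shipped in 2.11.7.1: it places a minimal "create database" handler with no request-origin check beside the same handler gated by a per-session token. The function names, the run_sql() stand-in for the real database call, and the constructed requests are all hypothetical.

```php
<?php
// Added illustration, not phpMyAdmin code. Models the pattern behind CVE-2008-3197:
// a CREATE DATABASE action triggered by request parameters alone, versus the same
// action gated by a secret token bound to the user's session.

// Hypothetical stand-in for the real database call; records the SQL that would run.
function run_sql(string $sql, array &$log): void {
    $log[] = $sql;
}

// Builds the statement with backticks escaped so the identifier cannot break out.
function create_db_sql(string $name): string {
    return 'CREATE DATABASE `' . str_replace('`', '``', $name) . '`';
}

// Vulnerable shape: any request carrying db=... runs the action. A GET produced by
// a link or an <img src=...> on another site rides on the victim's session cookie.
function handle_create_vulnerable(array $request, array &$log): bool {
    if (!isset($request['db'])) {
        return false;
    }
    run_sql(create_db_sql((string)$request['db']), $log);
    return true;
}

// Issues (or reuses) a random token stored server-side in the session and echoed
// into the application's own forms.
function issue_token(array &$session): string {
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// Hardened shape: state change requires POST plus a token matching the session value.
function handle_create_hardened(string $method, array $request, array $session, array &$log): bool {
    if ($method !== 'POST') {
        return false;                       // links and IMG tags can only produce GET
    }
    if (!isset($request['db'], $request['token'], $session['csrf_token'])) {
        return false;
    }
    // Constant-time comparison against the value stored server-side.
    if (!hash_equals($session['csrf_token'], (string)$request['token'])) {
        return false;
    }
    run_sql(create_db_sql((string)$request['db']), $log);
    return true;
}

// Demonstration with constructed requests (no real session or database involved).
$log = [];
$session = [];
$token = issue_token($session);

// Forged cross-site GET with no token: the vulnerable handler runs it.
$v  = handle_create_vulnerable(['db' => 'forged_db'], $log);
// The hardened handler rejects the same forged GET, and a POST that lacks the token.
$r1 = handle_create_hardened('GET',  ['db' => 'forged_db'], $session, $log);
$r2 = handle_create_hardened('POST', ['db' => 'forged_db'], $session, $log);
// A submission from the application's own form, carrying the session token, succeeds.
$r3 = handle_create_hardened('POST', ['db' => 'app_db', 'token' => $token], $session, $log);

var_dump($v, $r1, $r2, $r3);   // bool(true) bool(false) bool(false) bool(true)
print_r($log);                 // two statements: the forged one (vulnerable path) and the legitimate one
```

Run with `php csrf_example.php`. The token check is what turns the forged request into a no-op: the attacker's page can make the victim's browser send the request, but cannot read the token out of the victim's session to include it. Requiring POST on its own is not enough (a hidden auto-submitting form on another site produces POST), which is why the hardened handler checks both.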
phpMyAdmin-2.11.7.1-1.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.
phpMyAdmin-2.11.7.1-1.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.