A cross-site scripting (XSS) flaw was found in the way phpMyAdmin, the MySQL over WWW administration tool, displayed table names in the multi-table print view. A remote attacker, able to create a particular table on the victim's server, could provide a specially-crafted URL which, once visited by a valid phpMyAdmin user, could lead to arbitrary JavaScript code execution.

References:
[1] http://www.phpmyadmin.net/home_page/security/PMASA-2011-9.php
[2] http://www.phpmyadmin.net/home_page/news.php

Upstream patches:
[3] http://phpmyadmin.git.sourceforge.net/git/gitweb.cgi?p=phpmyadmin/phpmyadmin;a=commitdiff;h=a0823be05aa5835f207c0838b9cca67d2d9a050a
[4] http://phpmyadmin.git.sourceforge.net/git/gitweb.cgi?p=phpmyadmin/phpmyadmin;a=commitdiff;h=4bd27166c314faa37cada91533b86377f4d4d214
[5] http://phpmyadmin.git.sourceforge.net/git/gitweb.cgi?p=phpmyadmin/phpmyadmin;a=commitdiff;h=8ac8328229ae7493d6060b6272578d85879c698d (against the 3.3 branch)
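The flaw class described above is a missing output-escaping step: a table name, which is attacker-controllable database metadata, is written into the print view's HTML without being encoded for that context. The following is an added illustration, not phpMyAdmin's own code or the upstream fix; the function names and the sample table name are constructed for this example. It shows the unescaped pattern beside the hardened one, using PHP's built-in htmlspecialchars().

```php
<?php
// Added example (not phpMyAdmin's code): rendering a table name inside a
// print-view heading, first without escaping, then with HTML escaping.

// Constructed sample: a table name that carries HTML metacharacters.
// Table names are chosen by whoever can create tables, so they must be
// treated as untrusted input when they reach an HTML page.
$tableName = 'orders<b title="x">bold</b>';

// Vulnerable pattern (hypothetical helper): the name is concatenated
// straight into markup, so any tags it contains are parsed by the browser.
function renderHeadingUnsafe(string $table): string
{
    return '<h1>' . $table . '</h1>';
}

// Hardened pattern (hypothetical helper): encode for the HTML body/attribute
// context before concatenation. ENT_QUOTES also encodes single and double
// quotes, which matters if the value ever lands inside an attribute.
function renderHeadingSafe(string $table): string
{
    $encoded = htmlspecialchars($table, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<h1>' . $encoded . '</h1>';
}

// Simple regression check a reviewer can keep next to the template code:
// the escaped output must not contain a raw '<' or '>' from the input.
function containsRawTag(string $html, string $input): bool
{
    return str_contains($input, '<') && str_contains($html, $input);
}

echo renderHeadingUnsafe($tableName), "\n"; // injected tag survives into the page
echo renderHeadingSafe($tableName), "\n";   // tag is shown as literal text

var_dump(containsRawTag(renderHeadingUnsafe($tableName), $tableName)); // true: vulnerable
var_dump(containsRawTag(renderHeadingSafe($tableName), $tableName));   // false: escaped
```

The defensive rule this demonstrates is to escape at the point of output for the exact context (HTML body, attribute, JavaScript, URL) rather than to trust that identifiers from the database are harmless; the upstream commits referenced above apply the same principle to the print view.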
This issue affects the versions of the phpMyAdmin package as shipped with Fedora releases 14 and 15.

This issue affects the versions of the phpMyAdmin package as present within the EPEL-6, EPEL-5 and EPEL-4 repositories. Please schedule an update.
Created phpMyAdmin tracking bugs for this issue. Affects: fedora-all [bug 725385]