VYPR
Low severity · NVD Advisory · Published Dec 22, 2011 · Updated Apr 29, 2026

CVE-2011-4634

Description

Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 3.4.x before 3.4.8 allow remote attackers to inject arbitrary web script or HTML via (1) a crafted database name, related to the Database Synchronize panel; (2) a crafted database name, related to the Database rename panel; (3) a crafted SQL query, related to the table overview panel; (4) a crafted SQL query, related to the view creation dialog; (5) a crafted column type, related to the table search dialog; or (6) a crafted column type, related to the create index dialog.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

phpMyAdmin 3.4.x before 3.4.8 contains multiple XSS vulnerabilities via crafted database names, SQL queries, or column types in various panels.

Vulnerability

phpMyAdmin versions 3.4.x prior to 3.4.8 are affected by multiple cross-site scripting (XSS) vulnerabilities, as detailed in [1]. The bugs allow injection of arbitrary web script or HTML via six distinct vectors involving crafted input: (1) a database name processed by the Database Synchronize panel; (2) a database name in the Database rename panel; (3) an SQL query in the table overview panel; (4) an SQL query in the view creation dialog; (5) a column type in the table search dialog; and (6) a column type in the create index dialog [1][2][3][4]. The vulnerable code path is reachable when an authenticated user interacts with the affected panels and supplies unsanitized input.

Exploitation

To exploit any of these vulnerabilities, an attacker requires an authenticated session in phpMyAdmin. The attacker must craft a malicious payload (e.g., containing script tags) that is embedded in a database name, SQL query string, or column type field. When the victim user views or interacts with the corresponding panel (database synchronization, rename, table overview, view creation, table search, or index creation), the injected script executes in the context of the victim's browser session [1]. No additional privileges or special network positions are required beyond authentication.

Impact

Successful exploitation allows the attacker to inject arbitrary web script or HTML, leading to potential disclosure of sensitive session data, manipulation of page content, or redirection to malicious sites. The impact is constrained to the authenticated user's session and browser context; however, an attacker could potentially steal session cookies or perform actions on behalf of the victim within phpMyAdmin [1].

Mitigation

The fix is included in phpMyAdmin version 3.4.8, released on 2011-11-22 [1][2][3][4]. Users should upgrade to 3.4.8 or later. There is no workaround published for versions prior to 3.4.8; as of the publication date (2011-12-22), no KEV listing has been reported.

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
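The defect class described in the Vulnerability and Mitigation sections above (a user-controlled database name rendered into an HTML panel without output encoding) shown as a small PHP contrast of the unsafe and the hardened rendering. This is an added example, not phpMyAdmin's code and not the 3.4.8 fix; the function names, the table markup and the sample database name are assumptions constructed for the demonstration.

```php
<?php
// Added example (not phpMyAdmin code): a user-controlled database name is
// written into an HTML panel, once without and once with output encoding.

declare(strict_types=1);

// Unsafe pattern: the name is concatenated straight into markup, so any
// '<', '"' or '&' inside it becomes live HTML in the viewer's browser.
// This reproduces the kind of flaw the advisory describes, not its exact code.
function renderDbRowUnsafe(string $dbName): string
{
    return '<tr><td title="' . $dbName . '">' . $dbName . '</td></tr>';
}

// Hardened pattern: encode at the output boundary for the HTML context.
// ENT_QUOTES covers single- and double-quoted attribute values;
// ENT_SUBSTITUTE prevents invalid UTF-8 from blanking the whole string.
function htmlEncode(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderDbRowSafe(string $dbName): string
{
    $enc = htmlEncode($dbName);
    return '<tr><td title="' . $enc . '">' . $enc . '</td></tr>';
}

// Simple regression check a maintainer can keep in a test suite: after
// encoding, the raw marker from the input must not survive in the output.
function containsRawMarker(string $html, string $marker): bool
{
    return strpos($html, $marker) !== false;
}

// Constructed sample name (test data, not a real database): it contains
// exactly the characters that close an attribute and open a new element.
$sample = 'inventory"><i>x</i';

$unsafe = renderDbRowUnsafe($sample);
$safe   = renderDbRowSafe($sample);

printf("unsafe: %s\n", $unsafe);
printf("safe:   %s\n", $safe);

// In the unsafe output the title attribute is closed early and an <i>
// element appears; in the safe output the whole name stays inert text.
var_dump(containsRawMarker($unsafe, '<i>'));
var_dump(containsRawMarker($safe, '<i>'));
```

The same encoding step applies to the other vectors the advisory lists (SQL query text echoed into the table overview or view dialog, column types echoed into the search and index dialogs): the value is trusted as a MySQL identifier or query on the server side, but it is still untrusted data the moment it is written back into HTML.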

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                | Source    | Affected versions  | Patched versions
phpmyadmin/phpmyadmin  | Packagist | >= 3.4.0, < 3.4.8  | 3.4.8

Affected products (13)

  • CPE entries (11)
    • cpe:2.3:a:phpmyadmin:phpmyadmin:3.4.0.0:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:3.4.1.0:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:3.4.2.0:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:3.4.3.0:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:3.4.3.1:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:3.4.3.2:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:3.4.4.0:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:3.4.5.0:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:3.4.6.0:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:3.4.7.0:*:*:*:*:*:*:*
    • (no CPE) range: < 3.4.8
  • GHSA coordinates (2 versions)
    • (no CPE) range: >= 3.4.0, < 3.4.8
    • (no CPE) range: < 4.6.5.2-1.1

Patches (0)

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References (13)

News mentions (0)

No linked articles in our index yet.