XSRF/CSRF due to DOM based XSS in the micro history feature

PMASA-2014-10

Announcement-ID: PMASA-2014-10

Date: 2014-09-13

Summary

XSRF/CSRF due to DOM based XSS in the micro history feature

Description

By deceiving a logged-in user to click on a crafted URL, it is possible to perform remote code execution and in some cases, create a root account due to a DOM based XSS vulnerability in the micro history feature.

Severity

We consider this vulnerability to be critical.

Affected Versions

Versions 4.0.x (prior to 4.0.10.3), 4.1.x (prior to 4.1.14.4) and 4.2.x (prior to 4.2.8.1) are affected.

Solution

Upgrade to phpMyAdmin 4.0.10.3 or newer, or 4.1.14.4 or newer, or 4.2.8.1 or newer, or apply the patches listed below.

References

Thanks to Olivier Beg (<http://www.olivierbeg.nl>) for reporting the vulnerability.

Assigned CVE ids: CVE-2014-6300

CWE ids: CWE-661 CWE-352

Patches

The following commits have been made to fix this issue:

• 33b39f9f1dd9a4d27856530e5ac004e23b30e8ac

The following commits have been made on the 4.0 branch to fix this issue:

• ab0dba4533f1d01dde43c1864413478c921cfe6b

The following commits have been made on the 4.1 branch to fix this issue:

• 621772aa0d19d5f3ac21af2611c1dbda9b356506

More information

For further information and in case of questions, please contact the phpMyAdmin team. Our website is phpmyadmin.net.