Input passed via the "$host" variable within the setup is not properly sanitised before being used. This can be exploited to insert HTML and script code, which will be executed in a user's browser session in context of an affected site if malicious data is viewed. NOTE: Successful exploitation requires that installation best-practices have not been followed and the config directory is left writable. The vulnerability is reported in versions 3.4.x prior to 3.4.9. Solution Upgrade to version 3.4.9 or later. Original Advisory PMASA-2011-19: http://www.phpmyadmin.net/home_page/security/PMASA-2011-19.php
There's also http://www.phpmyadmin.net/home_page/security/PMASA-2011-20.php: Using crafted url parameters, it was possible to produce XSS on the export panels in the server, database and table sections.
Arches, please test and mark stable: =dev-db/phpmyadmin-3.4.9 Target keywords : "alpha amd64 hppa ppc ppc64 sparc x86"
amd64 stable
x86 stable
Stable for HPPA.
ppc/ppc64 done
CVE-2011-4782 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4782): Cross-site scripting (XSS) vulnerability in libraries/config/ConfigFile.class.php in the setup interface in phpMyAdmin 3.4.x before 3.4.9 allows remote attackers to inject arbitrary web script or HTML via the host parameter.
alpha/sparc/x86 stable
Thanks, folks. Closing noglsa for XSS.
CVE-2011-4780 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4780): Multiple cross-site scripting (XSS) vulnerabilities in libraries/display_export.lib.php in phpMyAdmin 3.4.x before 3.4.9 allow remote attackers to inject arbitrary web script or HTML via crafted URL parameters, related to the export panels in the (1) server, (2) database, and (3) table sections.
This issue was resolved and addressed in GLSA 201201-01 at http://security.gentoo.org/glsa/glsa-201201-01.xml by GLSA coordinator Tim Sammut (underling).