From secunia security advisory at $URL: Description: The vulnerability is caused due to an error within libraries/import/xml.php when processing XML data, which can be exploited to e.g. disclose contents of certain local files and perform certain actions on the local network by sending specially crafted XML data including external entity references. The vulnerability is confirmed in version 3.4.7. Other versions may also be affected. Solution: Not patched atm. (Restrict access to trusted users only)
CVE-2011-4107 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4107): The simplexml_load_string function in the XML import plug-in (libraries/import/xml.php) in phpMyAdmin 3.4.x before 3.4.7.1 and 3.3.x before 3.3.10.5 allows remote authenticated users to read arbitrary files via XML data containing external entity references, aka an XML external entity (XXE) injection attack.
Also CVE-2011-4634 which is described in PMASA-2011-18 (http://www.phpmyadmin.net/home_page/security/PMASA-2011-18.php). Issue was corrected in 3.4.8, released 2011-12-01.
Bump and fixing together with bug 395715
Stabilization completed in bug 395715. GLSA Vote: no.
CVE-2011-4634 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4634): Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 3.4.x before 3.4.8 allow remote attackers to inject arbitrary web script or HTML via (1) a crafted database name, related to the Database Synchronize panel; (2) a crafted database name, related to the Database rename panel; (3) a crafted SQL query, related to the table overview panel; (4) a crafted SQL query, related to the view creation dialog; (5) a crafted column type, related to the table search dialog; or (6) a crafted column type, related to the create index dialog.
This issue was resolved and addressed in GLSA 201201-01 at http://security.gentoo.org/glsa/glsa-201201-01.xml by GLSA coordinator Tim Sammut (underling).
