Upstream phpmyadmin has two new XSS vulnerabilities. These are patched in version 3.5.8.
Reproducible: Didn't try
Welcome to phpMyAdmin 3.5.8, a security release.
- [security] Remote code execution (preg_replace), reported by Janek Vind
- [security] Locally Saved SQL Dump File Multiple File Extension Remote Code Execution, reported by Janek Vind (see PMASA-2013-3)
Commits for the branch:
phpMyAdmin 3.5.x before 3.5.8 and 4.x before 4.0.0-rc3, when a SaveDir directory is configured, allows remote authenticated users to execute arbitrary code by using a double extension in the filename of an export file, leading to interpretation of this file as an executable file by the Apache HTTP Server, as demonstrated by a .php.sql filename.
phpMyAdmin 3.5.x before 3.5.8 and 4.x before 4.0.0-rc3 allows remote authenticated users to execute arbitrary code via a /e\x00 sequence, which is not properly handled before making a preg_replace function call within the "Replace table prefix" feature.
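The two descriptions above share one root cause: user-controlled strings reaching a place where their syntax matters (a PCRE pattern, a filename seen by the web server). The following PHP is an added illustration written for this page; it is not phpMyAdmin's code and does not reproduce the exact lines that were fixed. The function names (build_pattern_raw, build_pattern_safe, rename_with_prefix, safe_export_filename), the extension allow-list and the sample inputs are assumptions chosen to show the shape of the bug and of the hardened form.

```php
<?php
// Added example, not phpMyAdmin's code. Part 1 shows how a raw table prefix
// spliced into a preg_replace() pattern can smuggle in a modifier; part 2
// shows a single-extension check for locally saved export files.

// --- 1. "Replace table prefix" ---------------------------------------------

// Vulnerable shape (simplified): the prefix is concatenated into the pattern
// string, so a "/" in it closes the pattern early and whatever follows is
// read as modifiers. On the affected PHP 5 builds modifier parsing stopped
// at a NUL byte, so "/e\x00" yields the pattern "/^/e": the /e modifier
// makes preg_replace() eval() the replacement string as PHP code.
function build_pattern_raw(string $fromPrefix): string
{
    return "/^" . $fromPrefix . "/";
}

// Hardened: preg_quote() escapes regex metacharacters, the delimiter given
// as its second argument, and NUL (emitted as \000). The prefix can then
// only ever match itself, and no modifier can be injected.
function build_pattern_safe(string $fromPrefix): string
{
    return "/^" . preg_quote($fromPrefix, '/') . "/";
}

function rename_with_prefix(string $table, string $fromPrefix, string $toPrefix): string
{
    $out = preg_replace(build_pattern_safe($fromPrefix), $toPrefix, $table);
    if ($out === null) {
        throw new RuntimeException('preg_replace failed, error ' . preg_last_error());
    }
    return $out;
}

$attackerPrefix = "/e\x00";   // constructed attacker input: closes pattern, adds /e, hides the rest
echo 'raw pattern : ' . json_encode(build_pattern_raw($attackerPrefix)) . PHP_EOL;   // "/^/e\u0000/"
echo 'safe pattern: ' . json_encode(build_pattern_safe($attackerPrefix)) . PHP_EOL;  // "/^\\/e\\000/"
echo rename_with_prefix('old_users', 'old_', 'new_') . PHP_EOL;                      // new_users

// --- 2. Locally saved export files (SaveDir) --------------------------------

// Apache's mod_mime consults every extension of a file name when looking for
// a handler, so with PHP bound via AddHandler/AddType a file called
// "dump.php.sql" is executed as PHP. Accept exactly one extension, taken
// from an allow-list, and no directory separators at all.
function safe_export_filename(string $name): ?string
{
    $allowed = ['sql', 'csv', 'xml', 'json'];   // assumed allow-list
    if (!preg_match('/^[A-Za-z0-9_-]+\.([a-z0-9]+)$/', $name, $m)) {
        return null;   // more than one dot, odd characters, or a path component
    }
    return in_array($m[1], $allowed, true) ? $name : null;
}

// Constructed test names: only the first is accepted.
foreach (['dump.sql', 'dump.php.sql', 'dump.sql.php', '../dump.sql', 'a.phtml'] as $c) {
    printf("%-13s -> %s\n", $c, safe_export_filename($c) ?? 'REJECTED');
}
```

Two caveats a packager or admin would want. First, /e was removed in PHP 7, so the eval route is closed on current interpreters, but delimiter injection into a pattern is still a bug without preg_quote(): a "/" in the prefix can still flip modifiers such as i or s and change what gets renamed. Second, the double-extension problem depends on how PHP is wired into the server: an `AddHandler ... .php` line matches dump.php.sql, whereas a `<FilesMatch "\.php$">` block (or an nginx `location ~ \.php$`) does not, and the check above deliberately rejects legitimate compound suffixes such as .sql.gz, so a deployment that offers compressed exports must allow-list those full suffixes explicitly rather than relax the single-dot rule.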
Bug 468516 is not a blocker: this can be fixed with 3.5.8.
GLSA vote: yes
GLSA with 479870, 478696, 465420
This issue was resolved and addressed in
GLSA 201311-02 at http://security.gentoo.org/glsa/glsa-201311-02.xml
by GLSA coordinator Sergey Popov (pinkbyte).