When creating a new database, a malicious user can use a client-side Web proxy to place malicious code in the "db" parameter of the POST request. Since db_create.php does not properly sanitize user-supplied input, an administrator could face a persistent XSS attack when the database names are displayed.

Sample Exploit Code:
db=>%22%27><img%20src%3d%22javascript:alert(%27XSS%27)%22>

2.11.2.1 is now out to fix this issue. From ChangeLog:
- (2.11.2.1) fixed possible SQL injection using database name
- (2.11.2.1) fixed possible XSS in database name, thanks to Omer Singer, The DigiTrust Group

Latest version in portage is 2.11.1.1, here's a full ChangeLog from that version: http://www.phpmyadmin.net/home_page/downloads.php?relnotes=0
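As an added illustration (not phpMyAdmin's code and not from the reporter), here is the difference between echoing the "db" value raw and encoding it for each output context, using the payload quoted above as input; the function names are hypothetical:

```php
<?php
// Added example, not phpMyAdmin code. Shows why a database name read from the
// POST "db" parameter must be encoded per output context before it is shown,
// and how an identifier is quoted for the companion SQL injection fix.

// The URL-encoded payload from the report, decoded the way PHP fills $_POST.
// Result: "'><img src="javascript:alert('XSS')">
$dbName = urldecode('%22%27><img%20src%3d%22javascript:alert(%27XSS%27)%22>');

/**
 * Vulnerable pattern: the name is concatenated straight into markup, so the
 * closing quote and the <img> tag in the payload become live HTML.
 */
function renderDbLinkUnsafe(string $db): string
{
    return '<a href="index.php?db=' . $db . '">' . $db . '</a>';
}

/**
 * Hardened pattern: URL-encode for the query string, then HTML-encode
 * (quotes included) for the attribute value and the text node.
 */
function renderDbLinkSafe(string $db): string
{
    $href = 'index.php?db=' . rawurlencode($db);
    return '<a href="' . htmlspecialchars($href, ENT_QUOTES, 'UTF-8') . '">'
         . htmlspecialchars($db, ENT_QUOTES, 'UTF-8') . '</a>';
}

/**
 * A database name is an SQL identifier, so it cannot be bound as a prepared
 * statement parameter. For MySQL, wrap it in backticks and double any
 * embedded backtick so the name cannot break out of the quoting.
 */
function quoteIdentifier(string $name): string
{
    return '`' . str_replace('`', '``', $name) . '`';
}

echo "Unsafe: " . renderDbLinkUnsafe($dbName) . "\n";
echo "Safe:   " . renderDbLinkSafe($dbName) . "\n";
echo "SQL:    CREATE DATABASE " . quoteIdentifier($dbName) . "\n";
```

The hardened output renders the payload as visible text rather than as an image tag, and the quoted identifier keeps the whole name inside one backtick-delimited token.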
Web-apps, please advise.
This is now CVE-2007-5977 and CVE-2007-5976
2.11.2.2 is now out fixing another XSS issue http://www.nth-dimension.org.uk/pub/NDSA20071119.txt.asc
CVE-2007-6100 to the third issue. Web-apps, please bump this package.
Added phpmyadmin-2.11.2.2 to the tree. Targets: alpha amd64 hppa ppc ppc64 sparc x86
ppc64 stable
x86 stable
amd64 stable
Stable for HPPA.
ppc stable
alpha/sparc stable
removed insecure version from the tree. webapps done here.
time for vote here. I vote NO.
I tend to vote YES.
Bah, wrong bug. Voting NO and closing.
Does not affect current (2008.0) release. Removing release.