PMASA-2012-7

Announcement-ID: PMASA-2012-7

Date: 2012-10-12

Summary

Fetching the version information from a non-SSL site is vulnerable to a MITM attack.

Description

To display information about the current phpMyAdmin version on the main page, a piece of JavaScript is fetched from the phpmyadmin.net website in non-SSL mode. A man-in-the-middle could modify this script on the wire to cause mischief.

Severity

We consider this vulnerability to be non-critical.

Affected Versions

Versions 3.5.x before 3.5.3 are affected.

Solution

Upgrade to phpMyAdmin 3.5.3 or newer or apply the patches listed below. The fix involves fetching a JSON file rather than a JavaScript file.
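What the JSON approach means on the client side, as an added example (not phpMyAdmin's own code): the version response is parsed as data and validated field by field, so a response altered in transit is rejected or at worst shows a wrong version string instead of running as script. The field names `version` and `date`, the function names and the sample values are assumptions.

```javascript
// Added example: treat the version-check response as data, never as code.
// Field names "version" and "date" are assumptions, not from the advisory.
const VERSION_RE = /^\d{1,3}(\.\d{1,3}){1,3}$/; // dotted numeric versions only
const DATE_RE = /^\d{4}-\d{2}-\d{2}$/;

// Returns {version, date} for a well-formed response body, otherwise null.
function parseVersionInfo(body) {
  if (typeof body !== "string" || body.length > 1024) return null;
  let data;
  try {
    data = JSON.parse(body); // parses data only; a script body fails here
  } catch (e) {
    return null;
  }
  if (data === null || typeof data !== "object" || Array.isArray(data)) return null;
  const { version, date } = data;
  if (typeof version !== "string" || !VERSION_RE.test(version)) return null;
  if (typeof date !== "string" || !DATE_RE.test(date)) return null;
  return { version, date }; // unknown extra fields are dropped
}

// Numeric comparison of dotted versions: -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const diff = (pa[i] || 0) - (pb[i] || 0);
    if (diff !== 0) return Math.sign(diff);
  }
  return 0;
}

// Returns the notice text to display, or null when there is nothing to show.
// The caller should insert it with textContent, not innerHTML.
function versionNotice(currentVersion, body) {
  const info = parseVersionInfo(body);
  if (!info || compareVersions(info.version, currentVersion) <= 0) return null;
  return `A newer version is available: ${info.version}, released on ${info.date}.`;
}

// Constructed sample responses (not real server output).
const sampleGood = '{"version":"3.5.3","date":"2012-10-01"}';
const sampleScript = 'var latest_version = "9.9.9";';
console.log(versionNotice("3.5.2", sampleGood));
console.log(versionNotice("3.5.2", sampleScript)); // null: not valid JSON
```

Validation limits what a tampered response can do, but the response is still unauthenticated when fetched without SSL, so the displayed version should be treated as a hint only.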

References

Thanks to Mike Cardwell for reporting this issue and suggesting workarounds.

Assigned CVE ids: CVE-2012-5368

CWE ids: CWE-661 CWE-300

Patches

The following commits have been made to fix this issue:

More information

For further information and in case of questions, please contact the phpMyAdmin team. Our website is phpmyadmin.net.
