TYPO3-20081110-1: TYPO3 Security Bulletin

It has been discovered that the extension phpMyAdmin (phpmyadmin) is vulnerable to Cross-Site Scripting.

Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.

Affected Versions: Version 4.1.0 and all earlier versions

Vulnerability Type: Cross-Site Scripting vulnerability

Severity: Medium

References: PMASA-2008-9

Problem Description: Because user input is not filtered, the extension is susceptible to Cross-Site Scripting, making it possible to execute arbitrary JavaScript in the browser of a user who opens the affected page. The upstream vendor considers this vulnerability to be serious.

Solution: An updated version 4.1.1 is available from the TYPO3 extension manager and at typo3.org/extensions/repository/view/phpmyadmin/4.1.1/. Users of the extension are advised to update the extension as soon as possible.

Note: The third-party TYPO3 extension phpmyadmin embeds the third-party stand-alone application phpMyAdmin and makes it available from the TYPO3 backend. Numerous vulnerabilities in the stand-alone PHP application phpMyAdmin were reported in the recent past and led to security updates of the TYPO3 extension phpmyadmin (for further details, see bulletins TYPO3-20080924-1, TYPO3-20080916-1 and TYPO3-20080701-2). Although the current maintainer of the TYPO3 extension phpmyadmin actively monitors the security announcements of the upstream version and immediately provides us with security updates, the TYPO3 Security Team recommends using the TYPO3 extension phpmyadmin in development environments only. If the functionality of phpMyAdmin is needed on a live site, an alternative is to use the stand-alone phpMyAdmin application instead and to make sure that its script files are not publicly accessible (subnet/IP access restriction, access via VPN only, etc.).
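As an added example (not part of the original bulletin, and not configuration shipped by the TYPO3 or phpMyAdmin projects), the following Apache httpd fragment restricts a stand-alone phpMyAdmin installation to an internal subnet plus one administrative host, which is the kind of subnet/IP restriction the note above refers to. The directory path, the subnet 10.0.0.0/8 and the host 192.0.2.10 are assumed placeholders; substitute your own.

```apache
# Added example: restrict a stand-alone phpMyAdmin directory to trusted addresses.
# The path and the addresses are assumptions; adjust them to your site.
<Directory "/var/www/phpmyadmin">
    # Apache 2.2 syntax: deny everyone, then allow only the internal subnet
    # and a single administrative host (for example the VPN gateway).
    Order deny,allow
    Deny from all
    Allow from 10.0.0.0/8
    Allow from 192.0.2.10

    # Apache 2.4 equivalent (use instead of the Order/Deny/Allow lines above;
    # several Require directives at the same level are combined with OR):
    # Require ip 10.0.0.0/8
    # Require ip 192.0.2.10
</Directory>
```

After reloading the server, verify the rule by requesting the phpMyAdmin URL from an address outside the allowed ranges and confirming a 403 response. If Apache sits behind a reverse proxy or load balancer, the client address it sees is the proxy's, so the restriction must be enforced at the proxy instead. The IP rule complements, rather than replaces, phpMyAdmin's own authentication and HTTPS for the backend.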

General advice: Follow the recommendations given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list to receive future Security Bulletins via e-mail.

Credits: The TYPO3 Security Team wishes to thank the extension maintainer Andreas Kundoch for fixing the issue by upgrading phpMyAdmin to the latest stable version.