TYPO3-20081222-1: TYPO3 Security Bulletin

It has been discovered that the extension phpMyAdmin (phpmyadmin) is vulnerable to SQL injections via XSRF.

Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.

Affected Versions: Version 4.1.1 and all versions below

Vulnerability Type: SQL injection through XSRF

Severity: Low

References: PMASA-2008-10

Problem Description: A logged-in backend user can be subject of SQL injection through cross site request forgery. Several scripts in phpMyAdmin are vulnerable and the attack can be made through table parameter. The vendor considers this vulnerability to be serious.

Solution: An updated version 4.2.0 is available from the TYPO3 extension manager and at http://typo3.org/extensions/repository/view/phpmyadmin/4.2.0/ (It contains the standalone phpMyAdmin version 3.1.1). Users of the extension are advised to update the extension as soon as possible.

Note: The 3rd party TYPO3 extension phpmyadmin embeds the 3rd party stand alone application phpMyAdmin and makes it available from the TYPO3 backend. Numerous vulnerabilities within the stand alone PHP application phpMyAdmin were reported in the recent past and led to security updates of the TYPO3 extension phpmyadmin (for further details, see bulletins TYPO3-20081110-1, TYPO3-20080924-1, TYPO3-20080916-1, TYPO3-20080701-2). Although the current maintainer of the TYPO3 extension phpmyadmin is monitoring the security announcements of the upstream version actively and immediately provides us with security updates, the TYPO3 Security Team recommends to use the TYPO3 extension phpmyadmin in development environment only. If the functionality of phpMyAdmin is needed on a live site, an alternative could be to use the standalone phpMyAdmin application instead and making sure that its script files are not publicly accessible (Subnet/IP access restriction; accessible by VPN only; etc.).

For users of old TYPO3 versions running on obsolete PHP4 environments: The extension maintainer provides a specific phpMyAdmin extension branch for users of PHP4 exclusively on his web site. The extension maintainer informed us that there will also be a security update (3.4.3) available for this branch which replaces the used version of standalone phpMyAdmin with version

General advice: Follow the recommendations that are given in the TYPO3 Security Cookbook. Please subscribe to the typo3-announce mailing list to receive future Security Bulletins via E-mail.

Credits: The TYPO3 Security Team wishes to thank the extension maintainer Andreas Kundoch for fixing the issue by upgrading phpMyAdmin to the latest stable version.