TYPO3-SA-2009-015: XSS and SQL injection vulnerabilities in extension "phpMyAdmin" (phpmyadmin)

It has been discovered that the extension phpMyAdmin (phpmyadmin) is vulnerable to XSS and SQL injections.

Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.

Affected Versions: Version 4.3.0 and all versions below

Vulnerability Type: Cross-Site scripting and SQL injection

Severity: High

Problem Description: The Cross-site scripting (XSS) vulnerability allows remote attackers to inject arbitrary web script or HTML via a crafted MySQL table name. The SQL injection vulnerability allows remote attackers to inject SQL via various interface parameters of the PDF schema generator feature. The vendor considers this vulnerability to be serious.

Solution: An updated version 4.5.0 is available from the TYPO3 extension manager and at http://typo3.org/extensions/repository/view/phpmyadmin/4.5.0/ (It contains the standalone phpMyAdmin version 3.2.2.1). Users of the extension are advised to update the extension as soon as possible.

Note: The third-party TYPO3 extension phpmyadmin embeds the third-party standalone application phpMyAdmin and makes it available from the TYPO3 backend. Numerous vulnerabilities within the standalone PHP application phpMyAdmin were reported in the past and led to security updates of the TYPO3 extension phpmyadmin (for further details, see bulletins TYPO3-20081222-1, TYPO3-20081110-1, TYPO3-20080924-1, TYPO3-20080916-1 and TYPO3-20080701-2). Although the current maintainer of the TYPO3 extension phpmyadmin actively monitors the security announcements of the upstream version and immediately provides us with security updates, the TYPO3 Security Team recommends using the TYPO3 extension phpmyadmin in development environments only. If the functionality of phpMyAdmin is needed on a live site, an alternative is to use the standalone phpMyAdmin application instead and to make sure that its script files are not publicly accessible (subnet/IP access restriction, access via VPN only, etc.).
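The following Apache httpd configuration is an added example of the access restriction the note recommends for a standalone phpMyAdmin installation; it is not part of this bulletin, of TYPO3, or of phpMyAdmin. It assumes Apache 2.4 (mod_authz_core), phpMyAdmin unpacked at the placeholder path /var/www/phpmyadmin and served under /phpmyadmin, and 10.10.0.0/24 as a placeholder for the administrators' network (or the address range that a VPN assigns to them).

```apache
# Added example, not from the TYPO3 bulletin: expose a standalone phpMyAdmin
# only to localhost and to an administrative subnet.
# Assumptions: Apache httpd 2.4 with mod_authz_core; phpMyAdmin lives at
# /var/www/phpmyadmin (placeholder path); 10.10.0.0/24 is a placeholder for
# the administrators' network or VPN address pool.

Alias /phpmyadmin /var/www/phpmyadmin

<Directory /var/www/phpmyadmin>
    # Everything not listed here is denied. "Require ip" matches the client's
    # source address, so administrators coming in through a VPN that places
    # them in 10.10.0.0/24 are covered as well.
    Require ip 127.0.0.1 ::1 10.10.0.0/24

    # No .htaccess overrides and no directory listings for the application tree.
    AllowOverride None
    Options -Indexes
</Directory>

# phpMyAdmin 3.x ships a setup/ directory that is only needed while installing
# and configuring the application; on a live host block it outright.
<Directory /var/www/phpmyadmin/setup>
    Require all denied
</Directory>
```

Place the fragment in the virtual host that serves the site, reload httpd, and verify from a client outside the allowed range that /phpmyadmin returns 403 while a client inside the range reaches the login page. On Apache 2.2 the same effect needs `Order deny,allow` / `Deny from all` / `Allow from ...` inside the `<Directory>` block instead of `Require`. The restriction protects the script files themselves, so vulnerabilities such as the ones described above are only reachable from the trusted network; it does not replace installing the fixed version.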

For users of old TYPO3 versions running on obsolete PHP4 environments: The extension maintainer provides a specific phpMyAdmin extension branch for PHP4 users exclusively on his web site. The extension maintainer has informed us that a security update (3.5.0) will also be made available for this branch, replacing the bundled standalone phpMyAdmin with version 2.11.9.6.

General advice: Follow the recommendations that are given in the TYPO3 SECURITY Guide. Please subscribe to the typo3-announce mailing list to receive future Security Bulletins via E-mail.

Credits: The TYPO3 Security Team wishes to thank the extension maintainer Andreas Kundoch for fixing the issue by upgrading phpMyAdmin to the latest stable version.