Version 3.4.9 of phpMyAdmin has been released, closing two security holes in the open source database administration tool. The update fixes vulnerabilities in the phpMyAdmin setup interface and the export panels in the server, database and table sections that could be exploited for cross-site scripting (XSS) attacks.

All 3.4.x versions up to and including 3.4.8 are affected – upgrading to 3.4.9 corrects the issues. Alternatively, patches are provided. The new release also fixes nine other bugs related to navigation, the user interface and the edit functionality.

A full list of changes can be found in the release notes and in the project's security advisories. Version 3.4.9 of phpMyAdmin is available to download from the project's site. Hosted on SourceForge, phpMyAdmin source code is licensed under the GPLv2.

See also:

XSS in export, a phpMyAdmin security advisory.

XSS in setup, a phpMyAdmin security advisory.

(crve)