The phpMyAdmin team has published an alert reporting a flaw in the "structure snapshot" functionality, which does not correctly validate the data passed through the table, column and index parameters. A remote attacker could execute JavaScript code through a specially crafted URL and thus obtain, for example, the administrator's session cookie.
For JavaScript code to execute through the tracking export functionality (in tbl_tracking.php), the victim must use Internet Explorer (version 8 or earlier). This appears to be possible because, when it tries to determine the content type, Internet Explorer stops interpreting the filename in the attachment header at the first semicolon. A specially crafted table name, for example "test.html;", would cause XSS.
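An added example (not phpMyAdmin's code or its patch) of the filename issue described above, assuming the export places the table name in a Content-Disposition attachment header. The weak form passes the name through unchanged; the hardened form reduces it to an allow-list before appending a server-chosen extension. The function names and the .sql extension are assumptions.

```php
<?php
// Added example: hypothetical helpers, not taken from phpMyAdmin.

/**
 * Weak form: the user-controlled table name goes into the header as-is,
 * so a semicolon in the name reaches the browser's filename parser.
 */
function export_header_weak(string $table): string
{
    return 'Content-Disposition: attachment; filename="' . $table . '.sql"';
}

/**
 * Hardened form: keep only allow-listed characters so that no semicolon,
 * quote, dot, path separator or control character survives, then append
 * the extension chosen by the server (assumed here to be "sql").
 */
function export_filename_safe(string $table, string $ext = 'sql'): string
{
    $base = preg_replace('/[^A-Za-z0-9_-]+/', '_', $table);
    $base = trim($base, '_');
    if ($base === '') {
        $base = 'export'; // name consisted only of rejected characters
    }
    return substr($base, 0, 64) . '.' . $ext;
}

function export_headers_safe(string $table): array
{
    return [
        // Generic download type rather than anything a browser would render.
        'Content-Type: application/octet-stream',
        'Content-Disposition: attachment; filename="'
            . export_filename_safe($table) . '"',
        // Defence in depth for browsers that honour it.
        'X-Content-Type-Options: nosniff',
    ];
}

// Constructed sample input: the table name quoted in the article.
$table = 'test.html;';
echo export_header_weak($table), "\n";
foreach (export_headers_safe($table) as $header) {
    echo $header, "\n";
}
```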
The tracking report functionality is also vulnerable to another XSS, although in this case exploitation requires a valid token in order to manipulate the URL parameters. Therefore, the attacker requires access to the victim's database as well as CREATE or ALTER TABLE permissions, and must also be able to enable the tracking functionality.
phpMyAdmin was notified on July 26 and has now published the fixes. It is recommended to update to versions 3.3.10.4 or 3.4.4, or to apply the patches listed on the phpMyAdmin website.
Source: Hispasec

