phpMyAdmin "cookie.auth.lib.php" and "error.php" Cross Site Scripting

[TJ]

* Technical Description *

Two vulnerabilities were identified in phpMyAdmin, which may be exploited by malicious users to conduct cross site scripting attacks.

The first flaw is due to an input validation error in the "error.php" script that does not properly filter a specially crafted "error" parameter, which may be exploited by attackers to cause arbitrary scripting code to be executed by the user's browser.

The second issue is due to an input validation error in the "libraries/auth/cookie.auth.lib.php" script that does not properly filter specially crafted parameters, which may be exploited by attackers to cause arbitrary scripting code to be executed by the user's browser.

 * Affected Products *

phpMyAdmin versions prior to 2.6.4-rc1

 * Solution *

Upgrade to phpMyAdmin version 2.6.4-rc1 :
http://www.phpmyadmin.net/home_page/downloads.php

 * References *

http://www.frsirt.com/english/advisories/2005/1556
http://www.phpmyadmin.net/home_page/downloads.php?relnotes=0
http://sourceforge.net/tracker/index.php?func=detail&aid=1265740&group_id=23067&atid=377408
http://sourceforge.net/tracker/index.php?func=detail&aid=1240880&group_id=23067&atid=377408