
List:       oss-security
Subject:    Re: [oss-security] CVE Request --- phpMyAdmin -- Multiple XSS flaws in versions v3.4.0 to v3.4.4 (PM
From:       Josh Bressers <bressers () redhat ! com>
Date:       2011-09-30 17:43:00
Message-ID: ab2adc9a-dfc4-466e-8687-6b1ebbd815d5 () zmail01 ! collab ! prod ! int ! phx2 ! redhat ! com

Sorry this took so long, it's been a wild couple of weeks.

----- Original Message -----
> Hello Josh, Steve, vendors,
> 
>    multiple XSS flaws have been recently reported in the v3.4.4 (and
>    earlier 3.4.X) version of phpMyAdmin (PMASA-2011-14):
> 
> [1] http://www.phpmyadmin.net/home_page/security/PMASA-2011-14.php
> 
> 1) An XSS flaw was found in the way phpMyAdmin processed row content,
> containing JavaScript code, after its inline editing and saving,

Use CVE-2011-3591

> 
> 2) It was found that phpMyAdmin did not properly sanitize the content of
> db, table, and column names prior to use of their values.

Use CVE-2011-3592

> 
> A remote attacker could use these flaws to conduct XSS attacks (execute
> arbitrary HTML or web script) by tricking an authenticated phpMyAdmin user
> into visiting a specially-crafted URL.
> 
> References:
> [2] http://secunia.com/advisories/45991/
> [3] https://bugzilla.redhat.com/show_bug.cgi?id=738681

Thanks.

-- 
    JB