
List:       oss-security
Subject:    Re: [oss-security] CVE request: phppgadmin before 5.0.4 XSS
From:       Henri Salo <henri () nerv ! fi>
Date:       2012-03-30 8:47:16
Message-ID: 20120330084716.GA16472 () kludge ! henri ! nerv ! fi

On Wed, Mar 28, 2012 at 11:09:17PM -0600, Kurt Seifried wrote:
> On 03/28/2012 08:26 AM, Hanno Böck wrote:
> > phppgadmin 5.0.4 fixes an xss, please assign CVE.
> > 
> > https://github.com/phppgadmin/phppgadmin/commit/e92a003624609a445c4cf57c9c3d1fcef0eae47c#diff-0
> >
> >  "Fix XSS in function.php, reported by Mateusz Goik"
> > 
> 
> Please use CVE-2012-1600 for this issue. Is there a link for the code
> change?

"""
Fix XSS in function.php, reported by Mateusz Goik.

I'm not sure why the name and the type the functions were not escaped
*on purpose* here. There's no more reason here than in any other place
with other PostgreSQL objects to not escape the name or the type...
"""

https://github.com/phppgadmin/phppgadmin/commit/74174ad639664b52cc1609ede0af8bc403e98a00

- Henri Salo