Bug 112690 - dev-db/phpmyadmin HTTP Response Splitting vulnerability
Summary: dev-db/phpmyadmin HTTP Response Splitting vulnerability
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
URL: http://www.phpmyadmin.net/home_page/s...
Whiteboard: C4 [noglsa] jaervosz
Keywords:
Depends on:
Blocks:
 
Reported: 2005-11-16 04:34 UTC by Sune Kloppenborg Jeppesen (RETIRED)
Modified: 2005-11-21 07:30 UTC (History)

See Also:
Package list:
Runtime testing required: ---
Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-11-16 04:34:35 UTC
phpMyAdmin security announcement PMASA-2005-6
Announcement-ID: PMASA-2005-6
Date: 2005-11-15

Summary:
HTTP Response Splitting vulnerability

Description:
Some scripts in phpMyAdmin are vulnerable to an HTTP Response Splitting attack.

Severity:
We consider these vulnerabilities to be serious. However, they can only be triggered on systems running with register_globals = on.

Affected versions:
We did not make an extensive verification on this. Probably all previous versions, and version 2.7.0-beta1 are affected.

Solution:
Upgrade to phpMyAdmin 2.6.4-pl4.

For further information and in case of questions, please contact the phpMyAdmin team. Our website is http://www.phpmyadmin.net/.
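The advisory quoted above names the vulnerability class and its precondition (register_globals = on) but shows no code. The PHP below is an added illustration written for this bug page, not phpMyAdmin's own code: the function names, the lang_redirect parameter name and the sample request value are assumptions. It contrasts a header built from an unvalidated request value, which is how a register_globals deployment lets a query-string parameter reach header() unchecked, with a hardened version that reads the value explicitly from the request array and rejects CR/LF and other control characters before it can split the response.

```php
<?php
// Added illustration for PMASA-2005-6, not phpMyAdmin code.
// Function names and the "lang_redirect" parameter are hypothetical.

// Legacy pattern: with register_globals = on, PHP populates $lang_redirect
// directly from ?lang_redirect=... in the query string, so $target arrives
// here without any validation.
function legacy_redirect_header($target)
{
    // If $target contains "\r\n", everything after it is emitted as extra
    // header lines or a second body: HTTP response splitting.
    return "Location: " . $target;
}

// Hardened pattern: take the value from the request array explicitly
// (never from an auto-registered global), refuse control characters,
// and only accept a relative path so the header cannot be abused as an
// open redirect either.
function safe_redirect_header(array $params)
{
    $target = isset($params['lang_redirect']) ? (string) $params['lang_redirect'] : '';

    // CR, LF and other control characters are never legitimate in a header value.
    if (preg_match('/[\x00-\x1F\x7F]/', $target)) {
        return null;
    }

    // Whitelist: an absolute path within this application, nothing else.
    if (!preg_match('#^/[A-Za-z0-9_./-]*\z#', $target)) {
        return null;
    }

    return "Location: " . $target;
}

// Constructed sample input (not from the advisory): a split attempt that
// appends an injected header and a fake body after the intended path.
$split_attempt = "/index.php\r\nSet-Cookie: injected=1\r\n\r\n<html>spoofed</html>";
$normal_value  = "/index.php";

// The legacy helper passes the injected lines straight through; the
// hardened helper returns null for the split attempt and a clean
// "Location:" header for the normal value.
var_dump(legacy_redirect_header($split_attempt));
var_dump(safe_redirect_header(['lang_redirect' => $split_attempt]));
var_dump(safe_redirect_header(['lang_redirect' => $normal_value]));
```

Run it with the PHP CLI (php example.php) to see the three results side by side. Two platform notes for the mitigation side: PHP 5.1.2 and later refuse to send more than one header per header() call, which blunts this specific sink on patched runtimes, and register_globals itself was removed in PHP 5.4; the application-level check above still matters for older runtimes and for any other place a request value is written into a header.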
Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-11-16 04:35:14 UTC
web-apps please bump. 
Comment 2 Martin Holzer (RETIRED) gentoo-dev 2005-11-17 14:09:05 UTC
in cvs
Comment 3 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-11-17 22:07:25 UTC
Arches please test and mark stable. 
Comment 4 Gustavo Zacarias (RETIRED) gentoo-dev 2005-11-18 07:37:07 UTC
sparc stable.
Comment 5 Mark Loeser (RETIRED) gentoo-dev 2005-11-18 16:55:24 UTC
stable for x86
Comment 6 René Nussbaumer (RETIRED) gentoo-dev 2005-11-19 03:33:05 UTC
stable on hppa
Comment 7 Jose Luis Rivero (yoswink) (RETIRED) gentoo-dev 2005-11-19 06:45:27 UTC
stable on alpha
Comment 8 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev 2005-11-19 11:03:13 UTC
Stable on ppc.
Comment 9 Simon Stelling (RETIRED) gentoo-dev 2005-11-20 13:37:01 UTC
amd64 done, last but not least ;)
Comment 10 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-11-21 00:11:36 UTC
This one is ready for GLSA decision. 
Comment 11 Thierry Carrez (RETIRED) gentoo-dev 2005-11-21 01:01:25 UTC
I vote no. phpmyadmin isn't for me the best target for XSS or HTTP response
splitting things, as it is typically restricted-access, Intranet-only. This one
also requires register_globals=On...
Comment 12 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-11-21 07:30:23 UTC
Voting NO and closing.