Bug 133204 - dev-db/phpmyadmin XSS vulnerabilities (CVE-2006-2031)
Summary: dev-db/phpmyadmin XSS vulnerabilities (CVE-2006-2031)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
URL: http://cve.mitre.org/cgi-bin/cvename....
Whiteboard: B4 [noglsa] DerCorny
Reported: 2006-05-13 06:58 UTC by Jakub Moc (RETIRED)
Modified: 2006-05-17 04:47 UTC
Description Jakub Moc (RETIRED) gentoo-dev 2006-05-13 06:58:41 UTC
Name - CVE-2006-2031 (under review)

Status - Candidate

Description - Cross-site scripting (XSS) vulnerability in index.php in phpMyAdmin 2.8.0.3, 2.8.0.2, 2.8.1-dev, and 2.9.0-dev allows remote attackers to inject arbitrary web script or HTML via the lang parameter.

References

    * MISC:http://pridels.blogspot.com/2006/04/phpmyadmin-xss-vuln.html
    * SECUNIA:19659
    * URL:http://secunia.com/advisories/19659

---

Announcement-ID: PMASA-2006-2
Date: 2006-05-12

Summary:
XSS vulnerabilities

Description:
1. It was possible to conduct an XSS attack with a crafted lang or theme parameter.
2. The db parameter was also vulnerable to an XSS attack.

Severity:
We consider these vulnerabilities to be serious.

Affected versions:
[1] All 2.8.0.x releases before 2.8.0.4 are affected, previous versions are not.
[2] Some releases before 2.8.0.4 are affected (2.6.2 tested vulnerable).

Solution:
Upgrade to phpMyAdmin 2.8.0.4.

References:
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2031
[2] We wish to thank Sven Vetsch/Disenchant for informing us in a responsible manner. His site is http://www.disenchant.ch.

For further information and in case of questions, please contact the phpMyAdmin team. Our website is http://www.phpmyadmin.net/.
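The advisory above describes reflected XSS through the lang, theme and db request parameters. The following is an added illustration, not phpMyAdmin's own code, of that class of bug beside the usual fix: allowlist the parameters that select a resource (lang, theme) and HTML-escape the free-form one (db). The function names, the allowlists and the request values are constructed for the example.

```php
<?php
// Added example (not phpMyAdmin's code): the reflected-XSS pattern described
// in PMASA-2006-2, beside a hardened version of the same rendering step.
// AVAILABLE_LANGS / AVAILABLE_THEMES are assumed allowlists for this demo.

const AVAILABLE_LANGS  = ['en', 'de', 'fr'];
const AVAILABLE_THEMES = ['original', 'darkblue_orange'];

// Vulnerable: request parameters are written straight into the page, so any
// markup they carry becomes part of the response.
function render_vulnerable(array $get): string {
    $lang  = $get['lang']  ?? 'en';
    $theme = $get['theme'] ?? 'original';
    $db    = $get['db']    ?? '';
    return "<html lang=\"$lang\"><link href=\"themes/$theme/theme.css\">"
         . "<title>Database: $db</title></html>";
}

// Hardened: lang and theme must match a known value exactly (strict
// comparison; anything else falls back to the default), which also rules
// out path characters in the theme directory name. db is free-form, so it
// is escaped with htmlspecialchars before it reaches the page.
function render_hardened(array $get): string {
    $lang  = in_array($get['lang']  ?? '', AVAILABLE_LANGS,  true) ? $get['lang']  : 'en';
    $theme = in_array($get['theme'] ?? '', AVAILABLE_THEMES, true) ? $get['theme'] : 'original';
    $db    = htmlspecialchars((string)($get['db'] ?? ''), ENT_QUOTES, 'UTF-8');
    return "<html lang=\"$lang\"><link href=\"themes/$theme/theme.css\">"
         . "<title>Database: $db</title></html>";
}

// Constructed request: each parameter carries a harmless bold/italic marker
// so the difference between the two renderings is visible in the output.
$request = [
    'lang'  => '"><b>marker</b>',
    'theme' => 'x"><i>marker</i>',
    'db'    => '<b>marker</b>',
];

echo render_vulnerable($request), "\n"; // markup from the request survives
echo render_hardened($request), "\n";   // defaults used; db shown as text
```

Comparing the two outputs shows why the advisory lists lang and theme separately from db: the first two need a closed set of valid values, while db only needs output encoding.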
Comment 1 Stefan Cornelius (RETIRED) gentoo-dev 2006-05-13 07:58:09 UTC
web-apps, please provide fixed ebuilds, thanks
Comment 2 Renat Lumpau (RETIRED) gentoo-dev 2006-05-13 09:04:40 UTC
In CVS
Comment 3 Stefan Cornelius (RETIRED) gentoo-dev 2006-05-13 09:18:57 UTC
arches, please test and stable 2.0.8.4, thanks in advance.
Comment 4 Mark Loeser (RETIRED) gentoo-dev 2006-05-13 13:40:28 UTC
x86 done
Comment 5 Jason Wever (RETIRED) gentoo-dev 2006-05-13 15:02:46 UTC
SPARC me amadeus
Comment 6 Thomas Cort (RETIRED) gentoo-dev 2006-05-14 09:54:26 UTC
alpha and amd64 stable.
Comment 7 Tobias Scherbaum (RETIRED) gentoo-dev 2006-05-14 09:58:47 UTC
ppc stable
Comment 8 René Nussbaumer (RETIRED) gentoo-dev 2006-05-15 10:39:18 UTC
stable on hppa
Comment 9 Thierry Carrez (RETIRED) gentoo-dev 2006-05-16 09:23:38 UTC
Ready for GLSA vote, I tend to vote no but we did issue GLSAs for worse in the past.
Comment 10 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-05-16 12:02:35 UTC
Sure we did issue GLSAs in the past for worse things than XSS issues ;-)

I tend to vote no too.
Comment 11 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-05-17 02:34:27 UTC
XSS issue on a web-app, most of the time non-typically internet-oriented.

I vote No.
Comment 12 Stefan Cornelius (RETIRED) gentoo-dev 2006-05-17 04:47:04 UTC
no++; closing, feel free to reopen in case you disagree.