Bug 149849 - dev-db/phpmyadmin: XSRF (Cross Site Request Forgery) vulnerabilities
Summary: dev-db/phpmyadmin: XSRF (Cross Site Request Forgery) vulnerabilities
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL: http://www.phpmyadmin.net/home_page/s...
Whiteboard: B3 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2006-10-02 06:25 UTC by Matthias Geerdsen (RETIRED)
Modified: 2006-10-18 07:10 UTC

See Also:
Package list:
Runtime testing required: ---


Description Matthias Geerdsen (RETIRED) gentoo-dev 2006-10-02 06:25:33 UTC
The Hardened-PHP advisory can be found at http://www.hardened-php.net/advisory_072006.130.html

phpmyadmin announcement:

Announcement-ID: PMASA-2006-5
Date: 2006-10-01

Summary:
XSRF (Cross Site Request Forgery) vulnerabilities

Description:
We received a security advisory from Stefan Esser (sesser@hardened-php.net) and we wish to thank him for his work.

It was possible to inject arbitrary SQL commands by forcing an authenticated user to follow a crafted link.

Severity:
We consider these vulnerabilities to be serious.

Affected versions:
At least versions since 2.8.2.x.

Solution:
Upgrade to phpMyAdmin 2.9.0.1 or newer.
Comment 1 Matthias Geerdsen (RETIRED) gentoo-dev 2006-10-02 06:30:37 UTC
web-apps, pls bump/patch
Comment 2 Renat Lumpau (RETIRED) gentoo-dev 2006-10-02 20:40:33 UTC
in CVS
Comment 3 Matthias Geerdsen (RETIRED) gentoo-dev 2006-10-03 07:40:34 UTC
arches, please test dev-db/phpmyadmin-2.9.0.1 and mark stable if possible
Comment 4 Matthias Geerdsen (RETIRED) gentoo-dev 2006-10-03 08:59:51 UTC
/me really adds arches now and hides
Comment 5 Renat Lumpau (RETIRED) gentoo-dev 2006-10-03 10:38:09 UTC
hold on a sec, they just released .2. I'll add it tonight and then y'all can stable
Comment 6 Renat Lumpau (RETIRED) gentoo-dev 2006-10-03 20:57:23 UTC
.2 in CVS, go for it
Comment 7 Chris Gianelloni (RETIRED) gentoo-dev 2006-10-04 09:25:59 UTC
x86/amd64 done
Comment 8 Gustavo Zacarias (RETIRED) gentoo-dev 2006-10-05 06:42:14 UTC
sparc stable.
Comment 9 Tobias Scherbaum (RETIRED) gentoo-dev 2006-10-05 10:42:11 UTC
ppc stable
Comment 10 Thomas Cort (RETIRED) gentoo-dev 2006-10-05 16:48:03 UTC
alpha stable.
Comment 11 Tobias Scherbaum (RETIRED) gentoo-dev 2006-10-15 03:11:01 UTC
hppa stable, ready for glsa voting
Comment 12 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-10-18 05:29:37 UTC
I vote no since the exploitation is pretty hard
Comment 13 Matthias Geerdsen (RETIRED) gentoo-dev 2006-10-18 07:10:25 UTC
voting no too -> closing