Bug 175847 - dev-db/phpmyadmin Cross-Site Scripting Vulnerabilities (CVE-2007-2245)
Summary: dev-db/phpmyadmin Cross-Site Scripting Vulnerabilities (CVE-2007-2245)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
URL: http://secunia.com/advisories/24952/
Whiteboard: B4 [noglsa]
Keywords:
Duplicates: 177450 179760 179914
Depends on:
Blocks: 160337
Reported: 2007-04-24 12:52 UTC by Lars Hartmann
Modified: 2007-06-05 18:44 UTC
Description Lars Hartmann 2007-04-24 12:52:52 UTC
Some vulnerabilities have been reported in phpMyAdmin, which can be exploited by malicious people to conduct cross-site scripting attacks.

Input passed to the "fieldkey" parameter in browse_foreigners.php and input passed to the "PMA_sanitize()" function is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

The vulnerabilities are reported in versions prior to 2.10.1.

Reproducible: Always
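
An added example, not part of the bug report or of phpMyAdmin's code: a log check a defender could run on hosts still serving a version prior to 2.10.1, flagging requests to browse_foreigners.php whose "fieldkey" value carries HTML markup characters. The access-log format, URL paths, function names and sample lines are constructed assumptions.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (common log format), not taken from the bug.
SAMPLE_LOG = """\
192.0.2.10 - - [24/Apr/2007:12:00:01 +0000] "GET /phpmyadmin/browse_foreigners.php?db=shop&table=orders&field=cust_id&fieldkey=42 HTTP/1.1" 200 5120
192.0.2.44 - - [24/Apr/2007:12:03:17 +0000] "GET /phpmyadmin/browse_foreigners.php?db=shop&fieldkey=%22%3E%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 5301
192.0.2.44 - - [24/Apr/2007:12:03:40 +0000] "GET /phpmyadmin/browse_foreigners.php?db=shop&fieldkey=%2522%253Cimg%2520src%253Dx%253E HTTP/1.1" 200 5288
192.0.2.10 - - [24/Apr/2007:12:05:02 +0000] "GET /phpmyadmin/index.php?fieldkey=%3Cb%3E HTTP/1.1" 200 900
"""

# client address and request target from a common/combined log format line
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) [^"]*"')
# characters that should never be needed in a foreign-key value echoed into HTML
MARKUP_CHARS = set('<>"\'')


def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so nested encoding does not hide markup."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_fieldkey_requests(log_text):
    """Return (client, decoded fieldkey) for requests that carry markup.

    Only the query string is visible in an access log; POST bodies are not covered.
    """
    hits = []
    for line in log_text.splitlines():
        match = REQUEST_RE.match(line)
        if not match:
            continue
        client, target = match.groups()
        url = urlsplit(target)
        if not url.path.endswith("/browse_foreigners.php"):
            continue
        for raw in parse_qs(url.query, keep_blank_values=True).get("fieldkey", []):
            value = fully_decode(raw)
            if MARKUP_CHARS & set(value):
                hits.append((client, value))
    return hits


if __name__ == "__main__":
    for client, value in suspicious_fieldkey_requests(SAMPLE_LOG):
        print(f"{client} sent fieldkey with markup: {value!r}")
```
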
Comment 1 Lars Hartmann 2007-04-24 15:32:02 UTC
maintainers - please provide a fix
Comment 2 Lars Hartmann 2007-04-25 17:19:44 UTC
The weaknesses are reported in versions prior to 2.4.34.3.

Solution:
Update to version 2.4.34.3.
Comment 3 Lars Hartmann 2007-04-27 14:03:38 UTC
(In reply to comment #2)
> The weaknesses are reported in versions prior to 2.4.34.3.
> 
> Solution:
> Update to version 2.4.34.3.
> 

This post doesn't belong here, I pasted it into the wrong tab,
sorry
Comment 4 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-05-02 14:29:25 UTC
maintainers please advise.
Comment 5 Jakub Moc (RETIRED) gentoo-dev 2007-05-07 11:22:29 UTC
*** Bug 177450 has been marked as a duplicate of this bug. ***
Comment 6 Lars Hartmann 2007-05-15 13:31:45 UTC
maintainers - please advise
Comment 7 Lars Hartmann 2007-05-23 15:37:56 UTC
maintainers - please provide an updated ebuild
Comment 8 Lars Hartmann 2007-05-23 20:58:41 UTC
maintainers - please bump the ebuild
Comment 9 Jakub Moc (RETIRED) gentoo-dev 2007-05-25 15:37:36 UTC
*** Bug 179760 has been marked as a duplicate of this bug. ***
Comment 10 Jakub Moc (RETIRED) gentoo-dev 2007-05-26 19:09:21 UTC
*** Bug 179914 has been marked as a duplicate of this bug. ***
Comment 11 Renat Lumpau (RETIRED) gentoo-dev 2007-05-28 00:54:16 UTC
2.10.1 is in the tree
Comment 12 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-05-28 06:27:20 UTC
Thx Renat.

Arches please test and mark stable. Target keywords are:

phpmyadmin-2.10.1.ebuild:KEYWORDS="alpha amd64 hppa ppc ppc64 sparc x86 ~x86-fbsd"
Comment 13 Gustavo Zacarias (RETIRED) gentoo-dev 2007-05-28 12:38:29 UTC
sparc stable.
Comment 14 Brent Baude (RETIRED) gentoo-dev 2007-05-28 12:55:38 UTC
ppc64 stable
Comment 15 Jeroen Roovers (RETIRED) gentoo-dev 2007-05-28 17:01:18 UTC
Stable for HPPA.
Comment 16 Jose Luis Rivero (yoswink) (RETIRED) gentoo-dev 2007-05-28 18:33:15 UTC
stable on alpha
Comment 17 Tobias Scherbaum (RETIRED) gentoo-dev 2007-05-29 05:26:32 UTC
ppc stable
Comment 18 Emanuele Gentili 2007-05-29 06:32:26 UTC
Stable for x86.
Comment 19 Andrej Kacian (RETIRED) gentoo-dev 2007-05-29 22:11:50 UTC
x86 _marked_ stable
Comment 20 Lars Hartmann 2007-05-30 16:30:47 UTC
Thanks everyone for the help.
This one is ready for GLSA decision.
Comment 21 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-05-30 17:23:26 UTC
I vote YES.
Comment 22 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-05-31 09:26:32 UTC
voting YES too.
Comment 23 Christoph Mende (RETIRED) gentoo-dev 2007-05-31 21:56:56 UTC
Just one thing before you finish voting: amd64 stable
Comment 24 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-06-01 15:05:12 UTC
I vote no but it's too late :/

XSS or information disclosure on a non-typically internet-oriented web application, I always vote no. But as you want.
Comment 25 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-06-02 14:27:09 UTC
We only released a couple of XSS GLSAs for phpmyadmin and they both date back years. When voting I was thinking that some web hosts would probably give access to their customers.
Comment 26 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-06-05 13:40:09 UTC
(In reply to comment #25)
> We only released a couple of XSS GLSAs for phpmyadmin and they both date back
> years. When voting I was thinking that some web hosts would probably give
> access to their customers.
> 

If it's not a permanent XSS (I suppose it is not), the impact is very weak. An attacker would hardly manage to steal the administrator's credentials. The only realistic attack would be sending a crafted URL by mail or chat to an administrator, and ask him to click on it. That does not merit a GLSA imho.
Comment 27 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-06-05 14:02:54 UTC
If that is the case I don't believe one is necessary too.
Comment 28 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-06-05 18:44:56 UTC
OK so closing without GLSA, and fixing severity. Feel free to reopen if you disagree.