Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 246831 - <dev-db/phpmyadmin-{2.11.9.4, 3.0.1.1} XSS (CVE-2008-4775)
Summary: <dev-db/phpmyadmin-{2.11.9.4, 3.0.1.1} XSS (CVE-2008-4775)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
URL: http://cve.mitre.org/cgi-bin/cvename....
Whiteboard: B3 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2008-11-15 10:08 UTC by Hanno Böck
Modified: 2009-03-18 22:32 UTC (History)
0 users

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Hanno Böck gentoo-dev 2008-11-15 10:08:01 UTC
3.0.1.1 fixes an XSS in phpmyadmin. The vuln description says this only appears with register_globals on, though that is NOT true. Tested that the XSS also works with register_globals off (I've requested the CVE to be changed to reflect that).
Comment 1 Hanno Böck gentoo-dev 2008-11-16 10:30:06 UTC
Status should be ebuild, upstream already released 3.0.1.1, which fixes the issue.
Comment 2 Gunnar Wrobel (RETIRED) gentoo-dev 2008-11-17 04:46:04 UTC
Added 3.0.1.1, removed 3.0.1, unstable on all arches. webapps done.
Comment 3 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-03-04 19:14:55 UTC
According to Secunia, this is also an issue in the 2.x slot.

Ready for GLSA voting.
Since there is already something else for phpmyadmin-2 in the request pool, I'd say YES.
Comment 4 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-03-04 19:15:57 UTC
whiteboard.. sry for the spam
Comment 5 Tobias Heinlein (RETIRED) gentoo-dev 2009-03-05 20:28:52 UTC
YES too, added to existing request.
Comment 6 Pierre-Yves Rofes (RETIRED) gentoo-dev 2009-03-18 22:32:13 UTC
GLSA 200903-32