Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 368495 (CVE-2011-1940) - <dev-db/phpmyadmin-3.4.1: Multiple vulnerabilities (CVE-2011-{1940,1941})
Summary: <dev-db/phpmyadmin-3.4.1: Multiple vulnerabilities (CVE-2011-{1940,1941})
Status: RESOLVED FIXED
Alias: CVE-2011-1940
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor
Assignee: Gentoo Security
URL: http://www.phpmyadmin.net/home_page/s...
Whiteboard: B4 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2011-05-23 20:12 UTC by Alex Legler (RETIRED)
Modified: 2012-02-20 05:36 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Alex Legler (RETIRED) archtester gentoo-dev Security 2011-05-23 20:12:18 UTC 
PMASA-2011-3:
XSS vulnerability on Tracking page

It was possible to create a crafted table name that leads to XSS.
We consider this vulnerability to be serious.

PMASA-2011-4:
URL redirection to untrusted site

It was possible to redirect to an arbitrary, untrusted site, leading to a possible phishing attack.
We consider this vulnerability to be serious.
Comment 1 Alex Legler (RETIRED) archtester gentoo-dev Security 2011-05-23 20:13:31 UTC 
Arches, please test and mark stable:
=dev-db/phpmyadmin-3.4.1
Target keywords : "alpha amd64 hppa ppc ppc64 sparc x86"
Comment 2 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-05-24 11:45:52 UTC 
x86 stable
Comment 3 Ian Delaney (RETIRED) gentoo-dev 2011-05-24 13:08:34 UTC 
amd64

emerged ok.
Comment 4 Markos Chandras (RETIRED) gentoo-dev 2011-05-24 14:32:09 UTC 
amd64 done. Thanks Ian
Comment 5 Jeroen Roovers (RETIRED) gentoo-dev 2011-05-24 15:26:36 UTC 
Stable for HPPA.
Comment 6 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev 2011-05-27 06:27:47 UTC 
ppc/ppc64 stable
Comment 7 Raúl Porcel (RETIRED) gentoo-dev 2011-05-28 16:57:46 UTC 
alpha/sparc stable
Comment 8 Tim Sammut (RETIRED) gentoo-dev 2011-05-28 17:09:59 UTC 
Thanks, everyone. GLSA Vote: no.
Comment 9 Pierre-Yves Rofes (RETIRED) gentoo-dev 2011-10-08 21:29:16 UTC 
voting no too, and closing.
Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2012-02-20 05:36:56 UTC 
CVE-2011-1941 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1941):
  Open redirect vulnerability in the redirector feature in phpMyAdmin 3.4.x
  before 3.4.1 allows remote attackers to redirect users to arbitrary web
  sites and conduct phishing attacks via unspecified vectors.

CVE-2011-1940 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1940):
  Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 3.3.x
  before 3.3.10.1 and 3.4.x before 3.4.1 allow remote attackers to inject
  arbitrary web script or HTML via a crafted table name that triggers improper
  HTML rendering on a Tracking page, related to (1)
  libraries/tbl_links.inc.php and (2) tbl_tracking.php.