383107 – (CVE-2011-3591) <dev-db/phpmyadmin-3.4.5 Multiple XSS vulnerabilities (CVE-2011-{3591,3592})

Bug 383107 (CVE-2011-3591) - <dev-db/phpmyadmin-3.4.5 Multiple XSS vulnerabilities (CVE-2011-{3591,3592})

Summary: <dev-db/phpmyadmin-3.4.5 Multiple XSS vulnerabilities (CVE-2011-{3591,3592})

Status:	RESOLVED FIXED

Alias:	CVE-2011-3591

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal minor
Assignee:	Gentoo Security

URL:	http://www.phpmyadmin.net/home_page/s...
Whiteboard:	A4 [noglsa]
Keywords:

Depends on:
Blocks:

Reported:	2011-09-15 14:36 UTC by Sean Amoss (RETIRED)
Modified:	2011-09-30 17:56 UTC (History)
CC List:	2 users (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Sean Amoss (RETIRED) gentoo-dev

2011-09-15 14:36:12 UTC

Multiple vulnerabilities have been reported in phpMyAdmin, which can be exploited by malicious users to conduct script insertion attacks.

1) Certain input passed to row content after inline editing and saving is not properly sanitised before being used. This can be exploited to insert arbitrary HTML and script code, which will be executed in a user's browser session in context of an affected site when the malicious data is being viewed.

2) Certain input passed to table, column, and index names is not properly sanitised before being used. This can be exploited to insert arbitrary HTML and script code, which will be executed in a user's browser session in context of an affected site when the malicious data is being viewed.

The vulnerabilities are reported in versions 3.4.0 through 3.4.4.

Solution
Update to version 3.4.5.

Reproducible: Always

Comment 1 Alex Legler (RETIRED) archtester

2011-09-15 14:56:19 UTC

Arches, please test and mark stable:
=dev-db/phpmyadmin-3.4.5
Target keywords : "alpha amd64 hppa ppc ppc64 sparc x86"

Comment 2 Andreas Schürch gentoo-dev

2011-09-15 17:37:09 UTC

x86 stable.

Comment 3 Agostino Sarubbo gentoo-dev

2011-09-15 17:49:06 UTC

amd64 ok

Comment 4 Elijah "Armageddon" El Lazkani (amd64 AT) 2011-09-16 02:28:35 UTC

amd64: pass

Comment 5 Tony Vroon (RETIRED) gentoo-dev

2011-09-16 11:53:07 UTC

+  16 Sep 2011; Tony Vroon <chainsaw@gentoo.org> phpmyadmin-3.4.5.ebuild:
+  Marked stable on AMD64 based on arch testing by Agostino "ago" Sarubbo &
+  Elijah "Armageddon" El Lazkani in bug #383107.

Comment 6 Jeroen Roovers (RETIRED) gentoo-dev

2011-09-16 14:49:41 UTC

Stable for HPPA.

Comment 7 Raúl Porcel (RETIRED) gentoo-dev

2011-09-17 16:51:45 UTC

alpha/sparc stable

Comment 8 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev

2011-09-27 18:19:54 UTC

ppc/ppc64 stable, last arch done

Comment 9 Tim Sammut (RETIRED) gentoo-dev

2011-09-27 18:49:08 UTC

Thanks, folks. Closing noglsa for XSS.