Bug 383107 (CVE-2011-3591) - <dev-db/phpmyadmin-3.4.5 Multiple XSS vulnerabilities (CVE-2011-{3591,3592})
Summary: <dev-db/phpmyadmin-3.4.5 Multiple XSS vulnerabilities (CVE-2011-{3591,3592})
Status: RESOLVED FIXED
Alias: CVE-2011-3591
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: http://www.phpmyadmin.net/home_page/s...
Whiteboard: A4 [noglsa]
Reported: 2011-09-15 14:36 UTC by Sean Amoss (RETIRED)
Modified: 2011-09-30 17:56 UTC
Description Sean Amoss (RETIRED) gentoo-dev Security 2011-09-15 14:36:12 UTC
Multiple vulnerabilities have been reported in phpMyAdmin, which can be exploited by malicious users to conduct script insertion attacks.

1) Certain input passed to row content after inline editing and saving is not properly sanitised before being used. This can be exploited to insert arbitrary HTML and script code, which will be executed in a user's browser session in context of an affected site when the malicious data is being viewed.

2) Certain input passed to table, column, and index names is not properly sanitised before being used. This can be exploited to insert arbitrary HTML and script code, which will be executed in a user's browser session in context of an affected site when the malicious data is being viewed.

The vulnerabilities are reported in versions 3.4.0 through 3.4.4.

Solution
Update to version 3.4.5.

Reproducible: Always
Comment 1 Alex Legler (RETIRED) archtester gentoo-dev Security 2011-09-15 14:56:19 UTC
Arches, please test and mark stable:
=dev-db/phpmyadmin-3.4.5
Target keywords : "alpha amd64 hppa ppc ppc64 sparc x86"
Comment 2 Andreas Schürch gentoo-dev 2011-09-15 17:37:09 UTC
x86 stable.
Comment 3 Agostino Sarubbo gentoo-dev 2011-09-15 17:49:06 UTC
amd64 ok
Comment 4 Elijah "Armageddon" El Lazkani (amd64 AT) 2011-09-16 02:28:35 UTC
amd64: pass
Comment 5 Tony Vroon (RETIRED) gentoo-dev 2011-09-16 11:53:07 UTC
+  16 Sep 2011; Tony Vroon <chainsaw@gentoo.org> phpmyadmin-3.4.5.ebuild:
+  Marked stable on AMD64 based on arch testing by Agostino "ago" Sarubbo &
+  Elijah "Armageddon" El Lazkani in bug #383107.
Comment 6 Jeroen Roovers (RETIRED) gentoo-dev 2011-09-16 14:49:41 UTC
Stable for HPPA.
Comment 7 Raúl Porcel (RETIRED) gentoo-dev 2011-09-17 16:51:45 UTC
alpha/sparc stable
Comment 8 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev 2011-09-27 18:19:54 UTC
ppc/ppc64 stable, last arch done
Comment 9 Tim Sammut (RETIRED) gentoo-dev 2011-09-27 18:49:08 UTC
Thanks, folks. Closing noglsa for XSS.