| Summary: | dev-db/phpmyadmin Cross-Site Scripting Vulnerabilities (CVE-2007-2245) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Lars Hartmann <lars> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | minor | CC: | citybird, ian, mysql-bugs, scytheman666, sgtphou, web-apps |
| Priority: | High | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://secunia.com/advisories/24952/ | | |
| Whiteboard: | B4 [noglsa] | | |
| Package list: | | Runtime testing required: | --- |
| Bug Depends on: | | | |
| Bug Blocks: | 160337 | | |
Description
Lars Hartmann
2007-04-24 12:52:52 UTC
maintainers - please provide a fix

The weaknesses are reported in versions prior to 2.4.34.3.

Solution:
Update to version 2.4.34.3.

(In reply to comment #2)
> The weaknesses are reported in versions prior to 2.4.34.3.
>
> Solution:
> Update to version 2.4.34.3.
>
This post doesn't belong here, I pasted it into the wrong tab, sorry.

maintainers please advise.

*** Bug 177450 has been marked as a duplicate of this bug. ***

maintainers - please advise

maintainers - please provide an updated ebuild

maintainers - please bump the ebuild

*** Bug 179760 has been marked as a duplicate of this bug. ***

*** Bug 179914 has been marked as a duplicate of this bug. ***

2.10.1 is in the tree

Thx Renat. Arches please test and mark stable. Target keywords are:
phpmyadmin-2.10.1.ebuild:KEYWORDS="alpha amd64 hppa ppc ppc64 sparc x86 ~x86-fbsd"

sparc stable.

ppc64 stable

Stable for HPPA.

stable on alpha

ppc stable

Stable for x86.

x86 _marked_ stable

Thanks everyone for the help. This one is ready for GLSA decision.

I vote YES.

voting YES too.

Just one thing before you finish voting: amd64 stable

I vote no but it's too late :/
XSS or information disclosure on a non-typically internet-oriented web application, I always vote no. But as you want.

We only released a couple of XSS GLSAs for phpmyadmin and they both date back years. When voting I was thinking that some web hosts would probably give access to their customers.

(In reply to comment #25)
> We only released a couple of XSS GLSAs for phpmyadmin and they both date back
> years. When voting I was thinking that some web hosts would probably give
> access to their customers.
>
If it's not a permanent XSS (I suppose it is not), the impact is very weak. An attacker would hardly manage to steal the administrator's credentials. The only realistic attack would be sending a crafted URL by mail or chat to an administrator, and ask him to click on it. That does not merit a GLSA imho.

If that is the case I don't believe one is necessary too.

OK so closing without GLSA, and fixing severity. Feel free to reopen if you disagree.
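The GLSA discussion above turns on the difference between a reflected (non-permanent) XSS, which needs a victim to open a crafted URL, and a stored one. The following is an added example written for this page, not code from phpMyAdmin or from the bug: it shows the reflected pattern in PHP, a request parameter echoed straight into the page, next to the hardened form that encodes on output. The parameter name `table`, the helper names and the sample input are constructed for illustration.

```php
<?php
// Added example (not phpMyAdmin code): reflected XSS pattern and its fix.
// The "table" parameter and the page fragment are constructed for illustration.

declare(strict_types=1);

// Vulnerable pattern: the value of ?table=... is written straight into the
// HTML response. Any markup in the parameter is interpreted by the browser,
// which is exactly what a crafted link sent to an administrator relies on.
function render_table_heading_unsafe(string $table): string
{
    return '<h2>Browsing table: ' . $table . '</h2>';
}

// Hardened pattern: encode for the HTML text context at the point of output.
// ENT_QUOTES also escapes single quotes, so the same helper is safe when the
// value lands inside an attribute; ENT_SUBSTITUTE replaces invalid UTF-8
// sequences instead of returning an empty string; the charset is explicit so
// the encoder and the page agree on what a byte means.
function html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_table_heading_safe(string $table): string
{
    return '<h2>Browsing table: ' . html($table) . '</h2>';
}

// Defence in depth for the reflected case: a restrictive Content-Security-Policy
// keeps inline script from running even if an encoding step is ever missed.
function send_security_headers(): void
{
    if (!headers_sent()) {
        header("Content-Security-Policy: default-src 'self'");
        header('X-Content-Type-Options: nosniff');
    }
}

// Constructed input: a "table name" carrying markup, as a crafted URL would.
// On the CLI $_GET is empty, so the fallback value is used.
$input = $_GET['table'] ?? 'users<i>not a table name</i>';

send_security_headers();
echo render_table_heading_unsafe($input), PHP_EOL;
echo render_table_heading_safe($input), PHP_EOL;
```

Run it with `php example.php` or serve it and request `?table=...`: the unsafe rendering returns the markup intact for the browser to interpret, while the safe rendering returns it with `<`, `>`, quotes and `&` converted to entities, so the name is displayed as text. Encoding belongs at output, in the context the value is written into (HTML text, attribute, JavaScript string, URL), not at input, where the same value may later be needed in a different context.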