
Bug 197575 (CVE-2007-5728)

Summary: dev-db/phppgadmin <= 4.1.2 login.php XSS (CVE-2007-5728)
Product: Gentoo Security
Reporter: Robert Buchholz (RETIRED) <rbu>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: pgsql-bugs, web-apps
Priority: High
Version: unspecified
Hardware: All
OS: Linux
URL: http://secunia.com/advisories/25446/
Whiteboard: B4 [noglsa]
Package list:
Runtime testing required: ---

Description Robert Buchholz (RETIRED) gentoo-dev 2007-10-31 00:42:11 UTC
CVE-2007-5728 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-5728):
  Cross-site scripting (XSS) vulnerability in phpPgAdmin 3.5 to 4.1.1, and
  possibly 4.1.2, allows remote attackers to inject arbitrary web script or
  HTML via certain input available in PHP_SELF in (1) redirect.php, possibly
  related to (2) login.php, different vectors than CVE-2007-2865.
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2007-10-31 00:45:26 UTC
Seems the fix from bug 180133 did not completely clean this; the Secunia advisory is updated to show 4.1.2 vulnerable.

Web-Apps and Postgres, please advise.
Comment 2 Gunnar Wrobel (RETIRED) gentoo-dev 2007-10-31 04:55:09 UTC
4.1.3 has been in the tree for a while and should be stabilized then.

Targets: amd64 hppa ppc sparc x86
Comment 3 Jeroen Roovers (RETIRED) gentoo-dev 2007-10-31 05:23:14 UTC
Stable for HPPA.
Comment 4 Markus Meier gentoo-dev 2007-11-01 12:35:54 UTC
x86 stable
Comment 5 Raúl Porcel (RETIRED) gentoo-dev 2007-11-05 15:52:19 UTC
sparc stable
Comment 6 Tobias Scherbaum (RETIRED) gentoo-dev 2007-11-06 18:04:04 UTC
ppc stable
Comment 7 Alex Howells (RETIRED) gentoo-dev 2007-11-14 03:04:39 UTC
Stable on AMD64 :)
Comment 8 Robert Buchholz (RETIRED) gentoo-dev 2007-11-14 17:42:47 UTC
GLSA vote.

I vote NO.
Comment 9 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-11-14 19:56:26 UTC
no too and closing.