Summary: | dev-db/phpmyadmin <2.11.9.4 and <3.1.1.0 Cross-Site Request Forgery Vulnerability (CVE-2008-{5621,5622}) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Bruno Buss <bruno.buss> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | minor | CC: | stupendoussteve, web-apps |
Priority: | High | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | http://www.phpmyadmin.net/home_page/security/PMASA-2008-10.php | ||
Whiteboard: | B4 [glsa] | ||
Package list: | Runtime testing required: | --- |
Description
Bruno Buss
2008-12-12 19:43:35 UTC
Thanks for the report. Web-apps, please bump.

*** Bug 251281 has been marked as a duplicate of this bug. ***

This is now assigned CVE-2008-5621 and CVE-2008-5622, if someone would like to update the description and alias. Also, CVE-2008-5621 says it is possible to execute arbitrary code; it may be grounds for changing the severity.

CVE-2008-5621: Cross-site request forgery (CSRF) vulnerability in phpMyAdmin 2.11.x before 2.11.9.4 and 3.x before 3.1.1.0 allows remote attackers to perform unauthorized actions as the administrator via a link or IMG tag to tbl_structure.php with a modified table parameter. NOTE: this can be leveraged to conduct SQL injection attacks and execute arbitrary code.

CVE-2008-5622: Multiple cross-site request forgery (CSRF) vulnerabilities in phpMyAdmin 2.11.x before 2.11.9.4 and 3.x before 3.1.1.0 allow remote attackers to conduct SQL injection attacks via unknown vectors related to the table parameter, a different vector than CVE-2008-5621.

CVE-2008-5621 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5621): Cross-site request forgery (CSRF) vulnerability in phpMyAdmin 2.11.x before 2.11.9.4 and 3.x before 3.1.1.0 allows remote attackers to perform unauthorized actions as the administrator via a link or IMG tag to tbl_structure.php with a modified table parameter. NOTE: this can be leveraged to conduct SQL injection attacks and execute arbitrary code.

CVE-2008-5622 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5622): Multiple cross-site request forgery (CSRF) vulnerabilities in phpMyAdmin 2.11.x before 2.11.9.4 and 3.x before 3.1.1.0 allow remote attackers to conduct SQL injection attacks via unknown vectors related to the table parameter, a different vector than CVE-2008-5621.

dev-db/phpmyadmin-{2.11.9.4,3.1.1} are in the tree.

Targets for 2.11.9.4:

alpha amd64 hppa ppc ppc64 sparc x86

ppc stable

ppc64 done

sparc stable

amd64 stable

Removing amd64 and adding alpha back to CC. Thanks hparker.
(In reply to comment #5)
> dev-db/phpmyadmin-{2.11.9.4,3.1.1} are in the tree.
>
> Targets for 2.11.9.4:
>
> alpha amd64 hppa ppc ppc64 sparc x86

Please describe stabilisation targets as category/package-version-revision atoms - combining all the pieces is messy and error prone.

Stable for HPPA: =dev-db/phpmyadmin-2.11.9.4

x86 stable

alpha stable

GLSA request already in due to bug 237781 and some others.

GLSA 200903-32
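The CVE text above describes the two halves of the bug class: a state-changing page (tbl_structure.php) that a forged link or IMG tag from another origin can drive with the administrator's session, and a `table` parameter that ends up in SQL. The sketch below is an added example for this tracker entry, not phpMyAdmin's code and not the upstream fix; it shows the two controls that close that class in modern PHP (7+, for `random_bytes` and `hash_equals`). The function names, the `token` parameter and the `handleTableStructure` handler are hypothetical; `db` and `table` are the parameter names the CVE text mentions.

```php
<?php
// Added example, not phpMyAdmin's code: the two controls that close the bug class
// behind CVE-2008-5621/5622 for a request like tbl_structure.php?db=...&table=...
//  (1) a per-session anti-CSRF token that a cross-origin <img src> or link cannot carry,
//  (2) never placing the `table` parameter into SQL as raw text.
declare(strict_types=1);

session_start();

// Issue one random token per session; the application embeds it in the links
// and forms it generates, so only pages it rendered can produce valid requests.
function csrfToken(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Reject the request before any SQL is built. hash_equals() is a constant-time
// comparison, so the token cannot be recovered byte by byte through timing.
function requireCsrfToken(array $params): void
{
    $sent = $params['token'] ?? '';               // hypothetical parameter name
    if (!is_string($sent) || !hash_equals(csrfToken(), $sent)) {
        http_response_code(403);
        exit('Missing or invalid anti-CSRF token');
    }
}

// MySQL identifiers cannot be bound with ? placeholders, so quote them instead:
// wrap in backticks and double any embedded backtick. A modified table parameter
// then stays inside the identifier rather than terminating it.
function quoteIdentifier(string $name): string
{
    return '`' . str_replace('`', '``', $name) . '`';
}

// Stricter alternative to quoting alone: accept only table names the server
// says exist in the requested schema, using a bound-parameter query.
function assertKnownTable(mysqli $db, string $schema, string $table): void
{
    $stmt = $db->prepare(
        'SELECT 1 FROM information_schema.TABLES WHERE TABLE_SCHEMA = ? AND TABLE_NAME = ?'
    );
    $stmt->bind_param('ss', $schema, $table);
    $stmt->execute();
    if ($stmt->get_result()->num_rows !== 1) {
        http_response_code(404);
        exit('Unknown table');
    }
}

// Hypothetical handler for a table-structure page: token check first, then
// identifier validation and quoting, then the statement. Returns the SQL so the
// caller decides how to run it.
function handleTableStructure(mysqli $db, array $params): string
{
    requireCsrfToken($params);
    $schema = (string) ($params['db'] ?? '');
    $table  = (string) ($params['table'] ?? '');
    assertKnownTable($db, $schema, $table);
    return 'SHOW COLUMNS FROM ' . quoteIdentifier($schema) . '.' . quoteIdentifier($table);
}
```

The token check is what addresses the CSRF half: a request arriving from an IMG tag on a third-party page carries the victim's cookies but not the token, so it fails at `requireCsrfToken()` regardless of what the `table` parameter contains. The quoting and allow-listing address the SQL-injection half independently, so a future bypass of the token logic would still not turn a parameter into a statement fragment.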