Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 335490 (CVE-2010-3056)

Summary: <dev-db/phpmyadmin-3.3.6: Error message XSS (CVE-2010-{2958,3056})
Product: Gentoo Security Reporter: Alex Legler (RETIRED) <a3li>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: web-apps
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://www.phpmyadmin.net/home_page/security/PMASA-2010-6.php
Whiteboard: B4 [glsa]
Package list:
Runtime testing required: ---
Bug Depends on: 336462    
Bug Blocks: 302745    

Description Alex Legler (RETIRED) archtester gentoo-dev Security 2010-09-01 09:25:53 UTC 
From $URL:

It was possible to conduct a XSS attack using error messages in PHP backtrace.

Affected Versions

For 3.x: versions before 3.3.6 are affected.
Comment 1 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-09-01 09:27:34 UTC 
Arches, please test and mark stable:
=dev-db/phpmyadmin-3.3.6
Target keywords : "alpha amd64 hppa ppc ppc64 sparc x86"
Comment 2 Christian Faulhammer (RETIRED) gentoo-dev 2010-09-03 12:40:41 UTC 
x86 stable
Comment 3 Markos Chandras (RETIRED) gentoo-dev 2010-09-03 15:23:01 UTC 
amd64 done
Comment 4 Stefan Behte (RETIRED) gentoo-dev Security 2010-09-03 22:30:42 UTC 
CVE-2010-3056 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3056):
  Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin
  2.11.x before 2.11.10.1 and 3.x before 3.3.5.1 allow remote attackers
  to inject arbitrary web script or HTML via vectors related to (1)
  db_search.php, (2) db_sql.php, (3) db_structure.php, (4)
  js/messages.php, (5) libraries/common.lib.php, (6)
  libraries/database_interface.lib.php, (7)
  libraries/dbi/mysql.dbi.lib.php, (8)
  libraries/dbi/mysqli.dbi.lib.php, (9) libraries/db_info.inc.php, (10)
  libraries/sanitizing.lib.php, (11) libraries/sqlparser.lib.php, (12)
  server_databases.php, (13) server_privileges.php, (14)
  setup/config.php, (15) sql.php, (16) tbl_replace.php, and (17)
  tbl_sql.php.
Comment 5 Brent Baude (RETIRED) gentoo-dev 2010-09-06 20:58:35 UTC 
ppc64 done
Comment 6 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-09-09 14:23:47 UTC 
Third time's the charm... We have yet another XSS fixed in 3.3.7.

Remaining arches, please go on stabilizing in bug 336462. Thanks.
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2010-09-25 16:36:48 UTC 
CVE-2010-2958 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2958):
  Cross-site scripting (XSS) vulnerability in libraries/Error.class.php in
  phpMyAdmin 3.x before 3.3.6 allows remote attackers to inject arbitrary web
  script or HTML via vectors related to a PHP backtrace and error messages
  (aka debugging messages), a different vulnerability than CVE-2010-3056.
Comment 8 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-10-22 17:30:11 UTC 
Affected ebuilds were removed from the tree.
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2012-01-04 23:41:45 UTC 
This issue was resolved and addressed in
 GLSA 201201-01 at http://security.gentoo.org/glsa/glsa-201201-01.xml
by GLSA coordinator Tim Sammut (underling).