Bug 368495 (CVE-2011-1940) - <dev-db/phpmyadmin-3.4.1: Multiple vulnerabilities (CVE-2011-{1940,1941})
Summary: <dev-db/phpmyadmin-3.4.1: Multiple vulnerabilities (CVE-2011-{1940,1941})
Status: RESOLVED FIXED
Alias: CVE-2011-1940
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: http://www.phpmyadmin.net/home_page/s...
Whiteboard: B4 [noglsa]
Reported: 2011-05-23 20:12 UTC by Alex Legler (RETIRED)
Modified: 2012-02-20 05:36 UTC (History)
Description Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2011-05-23 20:12:18 UTC
PMASA-2011-3:
XSS vulnerability on Tracking page

It was possible to create a crafted table name that leads to XSS.
We consider this vulnerability to be serious.

PMASA-2011-4:
URL redirection to untrusted site

It was possible to redirect to an arbitrary, untrusted site, leading to a possible phishing attack.
We consider this vulnerability to be serious.
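The first advisory (PMASA-2011-3) is the classic identifier-into-HTML mistake: a table name is trusted because it came from the database, yet anyone who can create a table controls its name. The following is an added example written for this page, not code from phpMyAdmin or from the advisory; the link layout, the database name "sales" and the attacker-chosen table name are constructed for illustration. It renders the same tracking link with and without output encoding and uses a small HTML tokenizer to show how many script elements a browser would actually see.

```python
import html
from html.parser import HTMLParser
from urllib.parse import quote

# Constructed attacker-controlled table name (hypothetical, not from the advisory):
# it closes the href attribute and the <a> tag, then injects a <script> element.
EVIL_TABLE = 'users"><script>alert(document.cookie)</script>'


def render_tracking_link_vulnerable(db: str, table: str) -> str:
    """Defect class of PMASA-2011-3: the identifier is written into HTML as-is,
    so its characters are interpreted as markup. Hypothetical link layout."""
    return f'<a href="tbl_tracking.php?db={db}&table={table}">Tracking: {table}</a>'


def render_tracking_link_fixed(db: str, table: str) -> str:
    """Same link, hardened: percent-encode each query value for the URL, then
    HTML-escape the attribute value and the visible text separately."""
    href = "tbl_tracking.php?db=" + quote(db, safe="") + "&table=" + quote(table, safe="")
    return (
        f'<a href="{html.escape(href, quote=True)}">'
        f"Tracking: {html.escape(table, quote=True)}</a>"
    )


class _ScriptCounter(HTMLParser):
    """Counts <script> start tags the way a browser tokenizer would see them."""

    def __init__(self) -> None:
        super().__init__()
        self.scripts = 0

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.scripts += 1


def count_script_tags(markup: str) -> int:
    """Number of <script> elements a tokenizer finds in `markup`."""
    parser = _ScriptCounter()
    parser.feed(markup)
    parser.close()
    return parser.scripts


if __name__ == "__main__":
    for render in (render_tracking_link_vulnerable, render_tracking_link_fixed):
        out = render("sales", EVIL_TABLE)
        print(f"{render.__name__}: {count_script_tags(out)} script tag(s)\n  {out}")
```

The point of the two separate escapes in the fixed version is that the same string crosses two syntactic boundaries (URL query, then HTML attribute); encoding for only one of them leaves the other injectable.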
Comment 1 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2011-05-23 20:13:31 UTC
Arches, please test and mark stable:
=dev-db/phpmyadmin-3.4.1
Target keywords : "alpha amd64 hppa ppc ppc64 sparc x86"
Comment 2 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-05-24 11:45:52 UTC
x86 stable
Comment 3 Ian Delaney (RETIRED) gentoo-dev 2011-05-24 13:08:34 UTC
amd64

emerged ok.
Comment 4 Markos Chandras (RETIRED) gentoo-dev 2011-05-24 14:32:09 UTC
amd64 done. Thanks Ian
Comment 5 Jeroen Roovers (RETIRED) gentoo-dev 2011-05-24 15:26:36 UTC
Stable for HPPA.
Comment 6 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev 2011-05-27 06:27:47 UTC
ppc/ppc64 stable
Comment 7 Raúl Porcel (RETIRED) gentoo-dev 2011-05-28 16:57:46 UTC
alpha/sparc stable
Comment 8 Tim Sammut (RETIRED) gentoo-dev 2011-05-28 17:09:59 UTC
Thanks, everyone. GLSA Vote: no.
Comment 9 Pierre-Yves Rofes (RETIRED) gentoo-dev 2011-10-08 21:29:16 UTC
voting no too, and closing.
Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2012-02-20 05:36:56 UTC
CVE-2011-1941 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1941):
  Open redirect vulnerability in the redirector feature in phpMyAdmin 3.4.x
  before 3.4.1 allows remote attackers to redirect users to arbitrary web
  sites and conduct phishing attacks via unspecified vectors.

CVE-2011-1940 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1940):
  Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 3.3.x
  before 3.3.10.1 and 3.4.x before 3.4.1 allow remote attackers to inject
  arbitrary web script or HTML via a crafted table name that triggers improper
  HTML rendering on a Tracking page, related to (1)
  libraries/tbl_links.inc.php and (2) tbl_tracking.php.
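CVE-2011-1941 is an open redirect: a redirector endpoint forwards the browser to whatever destination it is handed, so a link that appears to point at the application can land the user on a phishing site. The following is an added example written for this page, not phpMyAdmin's code or its actual fix; the allowlist of hosts, the fallback URL and the test inputs are hypothetical. It shows one common defence, accepting only absolute http(s) URLs whose host is on an allowlist, together with the inputs that typically bypass a naive string check.

```python
from urllib.parse import urlsplit

# Hypothetical allowlist of hosts the redirector may forward users to.
ALLOWED_HOSTS = frozenset({"www.phpmyadmin.net", "docs.phpmyadmin.net"})


def safe_redirect_target(url: str, allowed_hosts=ALLOWED_HOSTS):
    """Return `url` if it is an acceptable redirect destination, else None.

    Only absolute http(s) URLs whose host is in the allowlist pass. Using
    urlsplit().hostname matters: it lowercases the host and discards userinfo
    and port, so 'https://www.phpmyadmin.net@evil.example/' is seen as
    evil.example, and a prefix check on the raw string would have been fooled.
    """
    if "\r" in url or "\n" in url:             # CR/LF belongs in no Location value
        return None
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):  # rejects '//host', 'javascript:', relative paths
        return None
    host = parts.hostname
    if not host or host not in allowed_hosts:  # exact match, so 'www.phpmyadmin.net.evil.example' fails
        return None
    return url


def redirect_vulnerable(url: str) -> str:
    """Defect class of PMASA-2011-4: the request parameter goes straight into Location."""
    return f"Location: {url}"


def redirect_fixed(url: str, fallback: str = "https://www.phpmyadmin.net/") -> str:
    """Hardened redirector: unknown destinations fall back to a fixed safe page."""
    target = safe_redirect_target(url)
    return f"Location: {target if target is not None else fallback}"


if __name__ == "__main__":
    # Constructed inputs: legitimate targets and the usual bypass attempts.
    for candidate in (
        "https://www.phpmyadmin.net/documentation/",
        "HTTPS://WWW.PHPMYADMIN.NET/",
        "https://evil.example/",
        "//evil.example/",
        "https://www.phpmyadmin.net@evil.example/",
        "https://www.phpmyadmin.net.evil.example/",
        "javascript:alert(1)",
    ):
        print(f"{candidate!r:50} vulnerable -> {redirect_vulnerable(candidate)}")
        print(f"{'':50} fixed      -> {redirect_fixed(candidate)}")
```

An alternative that avoids maintaining an allowlist is to sign the destination server-side when the link is generated and verify the signature in the redirector; either way the decision must be made on the parsed host, never on whether the raw string starts with the expected prefix.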