Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 387413 (CVE-2011-3646) - <dev-db/phpmyadmin-3.4.6: XSS and path disclosure vulnerabilities (CVE-2011-{3646,4064})
Summary: <dev-db/phpmyadmin-3.4.6: XSS and path disclosure vulnerabilities (CVE-2011-{...
Status: RESOLVED FIXED
Alias: CVE-2011-3646
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal trivial (vote)
Assignee: Gentoo Security
URL: https://secunia.com/advisories/46431/
Whiteboard: B4 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2011-10-17 14:23 UTC by Agostino Sarubbo
Modified: 2012-01-04 23:42 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2011-10-17 14:23:56 UTC
From secunia security advisory at $URL:

Certain input passed to setup.php is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.
 
 NOTE: Successful exploitation requires that installation best-practices have not been followed and the config directory is left writable.
 
 The vulnerability is reported in version 3.4.5. Other versions may also be affected.

Solution:
Update to version 3.4.6 or apply patches.
Comment 1 Tim Sammut (RETIRED) gentoo-dev 2011-10-17 17:30:19 UTC
This appears to be http://www.phpmyadmin.net/home_page/security/PMASA-2011-16.php which references CVE-2011-4064 instead of CVE-2011-3646 as listed in the secunia advisory. Instead I think CVE-2011-3646 is covered by http://www.phpmyadmin.net/home_page/security/PMASA-2011-15.php.

Let's make this bug for both issues, both are reportedly fixed in 3.4.6.

CVE-2011-3646
http://www.phpmyadmin.net/home_page/security/PMASA-2011-15.php

CVE-2011-4064
http://www.phpmyadmin.net/home_page/security/PMASA-2011-16.php
Comment 2 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2011-10-18 09:40:06 UTC
Arches, please test and mark stable:
=dev-db/phpmyadmin-3.4.6
Target keywords : "alpha amd64 hppa ppc ppc64 sparc x86"

By the way: There wasn't any decision on the discussion non-compiled packages and how to stabilize them, was there? This is a pure PHP package, and I've been just copying ebuilds for the last few releases. Since it has rather frequent updates, if any arch wants me to directly stabilize it at the next security bump, let me know.
Comment 3 Agostino Sarubbo gentoo-dev 2011-10-18 12:37:18 UTC
looks perfect on a server, amd64 ok
Comment 4 Ian Delaney (RETIRED) gentoo-dev 2011-10-18 15:02:32 UTC
amd64; ok
Comment 5 Jeroen Roovers gentoo-dev 2011-10-19 00:21:40 UTC
Stable for HPPA.
Comment 6 Tony Vroon gentoo-dev 2011-10-19 11:11:35 UTC
+  19 Oct 2011; Tony Vroon <chainsaw@gentoo.org> phpmyadmin-3.4.6.ebuild:
+  Marked stable on AMD64 based on arch testing by Agostino "ago" Sarubbo & Ian
+  "idella4" Delaney in security bug #387413.
Comment 7 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-10-22 07:25:47 UTC
x86 stable
Comment 8 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev 2011-10-22 16:58:50 UTC
ppc/ppc64 stable
Comment 9 Raúl Porcel (RETIRED) gentoo-dev 2011-11-05 19:27:55 UTC
alpha/sparc stable
Comment 10 Tim Sammut (RETIRED) gentoo-dev 2011-11-06 16:34:44 UTC
Thanks, folks. GLSA Vote: no.
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2011-11-16 23:28:26 UTC
CVE-2011-4064 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4064):
  Cross-site scripting (XSS) vulnerability in the setup interface in
  phpMyAdmin 3.4.x before 3.4.6 allows remote attackers to inject arbitrary
  web script or HTML via a crafted value.
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2011-11-18 06:17:05 UTC
CVE-2011-3646 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3646):
  phpmyadmin.css.php in phpMyAdmin 3.4.x before 3.4.6 allows remote attackers
  to obtain sensitive information via an array-typed js_frame parameter to
  phpmyadmin.css.php, which reveals the installation path in an error message.
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2012-01-04 23:42:19 UTC
This issue was resolved and addressed in
 GLSA 201201-01 at http://security.gentoo.org/glsa/glsa-201201-01.xml
by GLSA coordinator Tim Sammut (underling).