Bug 350300 (CVE-2010-4480) - <dev-db/phpmyadmin-3.4.0: Information Disclosure Vulnerabilities (CVE-2010-{4480,4481})
Summary: <dev-db/phpmyadmin-3.4.0: Information Disclosure Vulnerabilities (CVE-2010-{4...
Alias: CVE-2010-4480
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
Whiteboard: B4 [noglsa]
Depends on: CVE-2011-0986
Reported: 2011-01-01 17:17 UTC by Tim Sammut (RETIRED)
Modified: 2011-10-08 21:43 UTC (History)
Runtime testing required: ---


Description Tim Sammut (RETIRED) gentoo-dev 2011-01-01 17:17:58 UTC
From PMASA-2010-9, CVE-2010-4480:

Unvalidated input on error page.

It was possible to display arbitrary text and link to an external site using parameters passed to a particular script.

This issue is considered minor, because the only purpose of the affected file is to display an error message.

Affected Versions

From PMASA-2010-10, CVE-2010-4481:

Possible information disclosure.

An unauthenticated user was able to display phpinfo output if phpMyAdmin was enabled to show it.
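
A hardened way to render the kind of error page described in PMASA-2010-9, as an added example that is not phpMyAdmin's own code: the `[a@URL@target]text[/a]` link-tag form and the allowlisted hosts are assumptions, and every other character of the message is HTML-escaped rather than echoed.

```php
<?php
// Added example (not phpMyAdmin's code): render an error message where the
// only markup honoured is an assumed BBcode-style link tag of the form
//   [a@URL@TARGET]link text[/a]
// Everything else is HTML-escaped, and link URLs must be absolute http(s)
// URLs whose host is on an explicit allowlist.

const ALLOWED_LINK_HOSTS = ['www.phpmyadmin.net', 'wiki.phpmyadmin.net']; // assumed list

function link_url_is_allowed(string $url): bool
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;
    }
    // Reject userinfo ("user@host") so an "@" cannot disguise the real host.
    if (isset($parts['user']) || isset($parts['pass'])) {
        return false;
    }
    return in_array(strtolower($parts['host']), ALLOWED_LINK_HOSTS, true);
}

function render_error_message(string $raw): string
{
    // Escape everything first; the tag syntax survives because it uses no <, >, & or quotes.
    $escaped = htmlspecialchars($raw, ENT_QUOTES | ENT_HTML5, 'UTF-8');

    return preg_replace_callback(
        '/\[a@([^@\]]+)@(_blank|_self)\]([^\[]*)\[\/a\]/',
        function (array $m): string {
            // The URL was escaped above; decode it to validate the real value.
            $url = html_entity_decode($m[1], ENT_QUOTES | ENT_HTML5, 'UTF-8');
            if (!link_url_is_allowed($url)) {
                return $m[3]; // disallowed URL: keep the text, drop the link
            }
            return '<a href="' . htmlspecialchars($url, ENT_QUOTES | ENT_HTML5, 'UTF-8')
                . '" target="' . $m[2] . '" rel="noopener noreferrer">' . $m[3] . '</a>';
        },
        $escaped
    );
}

// Constructed inputs: the first yields a link, the second yields escaped text and no link.
echo render_error_message('Connection failed. [a@https://www.phpmyadmin.net/docs@_blank]See the docs[/a]'), "\n";
echo render_error_message('Oops <script>x</script> [a@http://evil.example@_blank]click[/a]'), "\n";
```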

Comment 1 Alex Legler (RETIRED) archtester gentoo-dev Security 2011-05-17 16:15:35 UTC
Will be fixed by update to 3.4.0. Stabilization via bug 354227.
Comment 2 Tim Sammut (RETIRED) gentoo-dev 2011-05-23 02:34:48 UTC
Stabilization of a fixed package completed in bug 354227.

GLSA Vote: No.
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2011-06-13 18:08:17 UTC
CVE-2010-4481 (
  phpMyAdmin before 3.4.0-beta1 allows remote attackers to bypass
  authentication and obtain sensitive information via a direct request to
  phpinfo.php, which calls the phpinfo function.

CVE-2010-4480 (
  error.php in PhpMyAdmin, and other versions before 3.4.0-beta1,
  allows remote attackers to conduct cross-site scripting (XSS) attacks via a
  crafted BBcode tag containing "@" characters, as demonstrated using
Comment 4 Pierre-Yves Rofes (RETIRED) gentoo-dev 2011-10-08 21:43:25 UTC
voting no too, and closing.