368495 – (CVE-2011-1940) <dev-db/phpmyadmin-3.4.1: Multiple vulnerabilities (CVE-2011-{1940,1941})

Bug 368495 (CVE-2011-1940) - <dev-db/phpmyadmin-3.4.1: Multiple vulnerabilities (CVE-2011-{1940,1941})

Summary: <dev-db/phpmyadmin-3.4.1: Multiple vulnerabilities (CVE-2011-{1940,1941})

Status:	RESOLVED FIXED

Alias:	CVE-2011-1940

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal minor (vote)
Assignee:	Gentoo Security

URL:	http://www.phpmyadmin.net/home_page/s...
Whiteboard:	B4 [noglsa]
Keywords:

Depends on:
Blocks:

Reported:	2011-05-23 20:12 UTC by Alex Legler (RETIRED)
Modified:	2012-02-20 05:36 UTC (History)
CC List:	1 user (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Alex Legler (RETIRED) archtester

2011-05-23 20:12:18 UTC

PMASA-2011-3:
XSS vulnerability on Tracking page

It was possible to create a crafted table name that leads to XSS.
We consider this vulnerability to be serious.

PMASA-2011-4:
URL redirection to untrusted site

It was possible to redirect to an arbitrary, untrusted site, leading to a possible phishing attack.
We consider this vulnerability to be serious.

Comment 1 Alex Legler (RETIRED) archtester

2011-05-23 20:13:31 UTC

Arches, please test and mark stable:
=dev-db/phpmyadmin-3.4.1
Target keywords : "alpha amd64 hppa ppc ppc64 sparc x86"

Comment 2 Paweł Hajdan, Jr. (RETIRED) gentoo-dev

2011-05-24 11:45:52 UTC

x86 stable

Comment 3 Ian Delaney (RETIRED) gentoo-dev

2011-05-24 13:08:34 UTC

amd64

emerged ok.

Comment 4 Markos Chandras (RETIRED) gentoo-dev

2011-05-24 14:32:09 UTC

amd64 done. Thanks Ian

Comment 5 Jeroen Roovers (RETIRED) gentoo-dev

2011-05-24 15:26:36 UTC

Stable for HPPA.

Comment 6 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev

2011-05-27 06:27:47 UTC

ppc/ppc64 stable

Comment 7 Raúl Porcel (RETIRED) gentoo-dev

2011-05-28 16:57:46 UTC

alpha/sparc stable

Comment 8 Tim Sammut (RETIRED) gentoo-dev

2011-05-28 17:09:59 UTC

Thanks, everyone. GLSA Vote: no.

Comment 9 Pierre-Yves Rofes (RETIRED) gentoo-dev

2011-10-08 21:29:16 UTC

voting no too, and closing.

Comment 10 GLSAMaker/CVETool Bot gentoo-dev

2012-02-20 05:36:56 UTC

CVE-2011-1941 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1941):
  Open redirect vulnerability in the redirector feature in phpMyAdmin 3.4.x
  before 3.4.1 allows remote attackers to redirect users to arbitrary web
  sites and conduct phishing attacks via unspecified vectors.

CVE-2011-1940 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1940):
  Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 3.3.x
  before 3.3.10.1 and 3.4.x before 3.4.1 allow remote attackers to inject
  arbitrary web script or HTML via a crafted table name that triggers improper
  HTML rendering on a Tracking page, related to (1)
  libraries/tbl_links.inc.php and (2) tbl_tracking.php.