oss-sec mailing list archives
Re: CVE request: phpmyadmin < 2.11.7.1
From: "Steven M. Christey" <coley () linus mitre org>
Date: Wed, 16 Jul 2008 13:57:34 -0400 (EDT)
On Tue, 15 Jul 2008, Thijs Kinkhorst wrote:

> On Tuesday 15 July 2008 21:00, Hanno Böck wrote:
> > From Changelog:
> > - protection against XSS when register_globals is on and .htaccess has no effect, thanks to Tim Starling
>
> Note: this has already been assigned CVE-2008-2960 following a previous request from you.

PMASA-2008-4, which is CVE-2008-2960, credits Tim Starling, so I'd suspect they are the same.

> > - (2.11.7.1) [security] XSRF/CSRF by manipulating the db, convcharset and collation_connection parameters, thanks to YGN Ethical Hacker Group
>
> This still needs one.

======================================================
Name: CVE-2008-3197
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3197
Reference: CONFIRM:http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2008-5
Reference: MISC:http://yehg.net/lab/pr0js/advisories/XSRF_CreateDB_inPhpMyAdmin2.11.7.pdf

Cross-site request forgery (CSRF) vulnerability in phpMyAdmin before 2.11.7.1 allows remote attackers to perform unauthorized actions via a link or IMG tag to (1) the "Creating a Database" functionality (db_create.php) and (2) unspecified vectors that modify the connection character set.

- Steve