oss-sec mailing list archives
CVE Request -- phpMyAdmin - v3.6.6 -- XSS attack using debugging messages (CVE-2010-3056 discussion)
From: Jan Lieskovsky <jlieskov () redhat com>
Date: Wed, 01 Sep 2010 16:16:36 +0200
Hi Steve, vendors,

on 2010-08-30 phpMyAdmin published PMASA-2010-6 addressing one XSS:

[1] http://www.phpmyadmin.net/home_page/security/PMASA-2010-6.php

Summary (from [1]):
XSS attack using debugging messages.

Description (from [1]):
It was possible to conduct a XSS attack using error messages in PHP backtrace.

Affected versions (from [1]):
For 3.x: versions before 3.3.6 are affected.
Branch 2.11.x is not affected by this

Upstream commit:
http://phpmyadmin.git.sourceforge.net/git/gitweb.cgi?p=phpmyadmin/phpmyadmin;a=commitdiff;h=133a77fac7d31a38703db2099a90c1b49de62e37

phpMyAdmin upstream seems to reference CVE-2010-3056 as CVE id to this flaw. But CVE-2010-3056 was previously assigned to:

[2] http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3056
[3] https://bugzilla.redhat.com/show_bug.cgi?id=625877
[4] http://www.phpmyadmin.net/home_page/security/PMASA-2010-5.php

which affected both (from [4]):
For 2.11.x: versions before 2.11.10.1 are affected.
For 3.x: versions before 3.3.5.1 are affected.

so this is a different issue and a new CVE id should be allocated (due to different affected versions).

Could you please allocate one?

Thanks && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team