oss-sec mailing list archives
Re: CVE request: phpmyadmin < 2.11.8
From: "Steven M. Christey" <coley () linus mitre org>
Date: Mon, 4 Aug 2008 14:45:58 -0400 (EDT)
======================================================
Name: CVE-2008-3456
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3456
Reference: MISC:http://yehg.net/lab/pr0js/advisories/Cross-Site_Framing_inphpMyAdmin2.11.7.pdf
Reference: CONFIRM:http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2008-6
Reference: FRSIRT:ADV-2008-2226
Reference: URL:http://www.frsirt.com/english/advisories/2008/2226/references
Reference: SECUNIA:31263
Reference: URL:http://secunia.com/advisories/31263

phpMyAdmin before 2.11.8 does not sufficiently prevent its pages from using frames that point to pages in other domains, which makes it easier for remote attackers to conduct spoofing or phishing activities via a cross-site framing attack.

======================================================
Name: CVE-2008-3457
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3457
Reference: MISC:http://yehg.net/lab/pr0js/advisories/XSS_inPhpMyAdmin2.11.7.pdf
Reference: CONFIRM:http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2008-6
Reference: FRSIRT:ADV-2008-2226
Reference: URL:http://www.frsirt.com/english/advisories/2008/2226/references
Reference: SECUNIA:31263
Reference: URL:http://secunia.com/advisories/31263

Cross-site scripting (XSS) vulnerability in setup.php in phpMyAdmin before 2.11.8 allows user-assisted remote attackers to inject arbitrary web script or HTML via crafted setup arguments. NOTE: this issue can only be exploited in limited scenarios in which the attacker must be able to modify config/config.inc.php.