oss-sec mailing list archives

CVE Request -- phpMyAdmin (x < v3.3.7) -- XSS in setup script (PMASA-2010-7)


From: Jan Lieskovsky <jlieskov () redhat com>
Date: Wed, 08 Sep 2010 15:32:51 +0200

Hello Steve, vendors,

  phpMyAdmin today announced PMASA-2010-7, addressing one XSS issue:
  [1] http://www.phpmyadmin.net/home_page/security/PMASA-2010-7.php

  More from [1]:
  Summary:               XSS attack on setup script
  Description:           It was possible to conduct an XSS attack using a spoofed request to the setup script.
  Affected versions:     For 3.x: versions before 3.3.7 are affected.
  Unaffected versions:   Branch 2.11.x is not affected by this.
  Upstream changeset:    http://phpmyadmin.git.sourceforge.net/git/gitweb.cgi?p=phpmyadmin/phpmyadmin;a=commitdiff;h=73ce5705bd1e0b62060f75702d62f88247ce09dd
  Credit:                Upstream acknowledges the Tenable Network Security team as the original reporter.

  Further references:
  [2] http://secunia.com/advisories/41210/
  [3] https://bugzilla.redhat.com/show_bug.cgi?id=631824

Upstream references CVE-2010-2958 as CVE id for this issue. But it was allocated for PMASA-2010-6:
[4] http://www.openwall.com/lists/oss-security/2010/09/01/3
[5] http://www.phpmyadmin.net/home_page/security/PMASA-2010-6.php

So could you allocate a new one for PMASA-2010-7?

Thanks && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team

