oss-sec mailing list archives

Re: CVE Request --- phpMyAdmin -- Multiple XSS flaws in versions v3.4.0 to v3.4.4 (PMASA-2011-14)

From: Josh Bressers <bressers () redhat com>
Date: Fri, 30 Sep 2011 13:43:00 -0400 (EDT)

Sorry this took so long, it's been a wild couple of weeks.

----- Original Message -----

Hello Josh, Steve, vendors,

   multiple XSS flaws have been recently reported in the v3.4.4 (and
   earlier 3.4.X) version of phpMyAdmin (PMASA-2011-14):

[1] http://www.phpmyadmin.net/home_page/security/PMASA-2011-14.php

1) An XSS flaw was found in the way phpMyAdmin processed row content,
containing JavaScript code, after its inline editing and saving,


Use CVE-2011-3591


2) It was found that phpMyAdmin did not properly sanitize the content of
db, table, and column names prior use of their values.


Use CVE-2011-3592


A remote attacker could use these flaws to conduct XSS attacks (execute
arbitrary HTML or web script) by tricking authenticated phpMyAdmin user
into visiting of a specially-crafted URL.

References:
[2] http://secunia.com/advisories/45991/
[3] https://bugzilla.redhat.com/show_bug.cgi?id=738681


Thanks.

-- 
    JB

Current thread:

CVE Request --- phpMyAdmin -- Multiple XSS flaws in versions v3.4.0 to v3.4.4 (PMASA-2011-14) Jan Lieskovsky (Sep 15)
- Re: CVE Request --- phpMyAdmin -- Multiple XSS flaws in versions v3.4.0 to v3.4.4 (PMASA-2011-14) Steven M. Christey (Sep 15)
- Re: CVE Request --- phpMyAdmin -- Multiple XSS flaws in versions v3.4.0 to v3.4.4 (PMASA-2011-14) Josh Bressers (Sep 30)