[ GLSA 200411-36 ] phpMyAdmin: Multiple XSS vulnerabilities

From: Luke Macken (lewk_at_gentoo.org)
Date: 11/27/04

    To: gentoo-announce@gentoo.org
    Date: Sat, 27 Nov 2004 08:57:42 -0500
    
    
    

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Gentoo Linux Security Advisory GLSA 200411-36
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                                http://security.gentoo.org/
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

      Severity: Low
         Title: phpMyAdmin: Multiple XSS vulnerabilities
          Date: November 27, 2004
          Bugs: #71819
            ID: 200411-36

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

    Synopsis
    ========

    phpMyAdmin is vulnerable to cross-site scripting attacks.

    Background
    ==========

    phpMyAdmin is a tool written in PHP intended to handle the
    administration of MySQL databases from a web-browser.

    Affected packages
    =================

        -------------------------------------------------------------------
         Package                    /  Vulnerable  /         Unaffected
        -------------------------------------------------------------------
      1  dev-db/phpmyadmin             < 2.6.0_p3              >= 2.6.0_p3

    Description
    ===========

    Cedric Cochin has discovered multiple cross-site scripting
    vulnerabilities in phpMyAdmin. These vulnerabilities can be exploited
    through the PmaAbsoluteUri parameter, the zero_rows parameter in
    read_dump.php, the confirm form, or an error message generated by the
    internal phpMyAdmin parser.

    Impact
    ======

    By enticing a logged-in user to follow a specially-crafted link or
    submit a crafted form, an attacker can inject script code that runs
    in the victim's browser within the phpMyAdmin site context. Any
    request that script issues carries the victim's phpMyAdmin session,
    so the attacker can act with that user's database privileges or
    steal the session.
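    The Description and Impact sections above describe reflected
    cross-site scripting: a request parameter is copied into the HTML
    response without encoding. The following is an added example and is
    not phpMyAdmin's code; it is a minimal reconstruction of that pattern
    next to the hardened form. The page and parameter names (read_dump.php,
    zero_rows, PmaAbsoluteUri) come from the advisory; the handler bodies,
    function names, default message and the probe request are assumptions.

```php
<?php
// Added example, not phpMyAdmin code: a reconstruction of the reflected-XSS
// pattern (request parameter echoed into HTML unescaped) beside a hardened
// version. Function names, bodies and the probe input are assumptions.
// Requires PHP 7 or later for the ?? operator.

// Vulnerable pattern, modelled on a result page such as read_dump.php:
// the caller-supplied message is concatenated straight into the HTML
// body, so any markup in the parameter is rendered by the browser.
function render_result_vulnerable(array $request): string
{
    $message = $request['zero_rows'] ?? 'Your SQL query has been executed successfully';
    return '<div class="notice">' . $message . '</div>';
}

// Hardened pattern: encode for the HTML context at the point of output.
// ENT_QUOTES also encodes ' and ", which matters when the value lands in
// an attribute; the explicit charset avoids multibyte encoding tricks.
function render_result_hardened(array $request): string
{
    $message = $request['zero_rows'] ?? 'Your SQL query has been executed successfully';
    $safe = htmlspecialchars($message, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<div class="notice">' . $safe . '</div>';
}

// Same idea for a value placed inside a quoted attribute, as a base URL
// such as PmaAbsoluteUri is when absolute links are built from it:
// breaking out of the quoted attribute with " is the attack, and
// encoding " (which ENT_QUOTES does) is the fix.
function render_link_hardened(string $absoluteUri): string
{
    $safe = htmlspecialchars($absoluteUri, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<a href="' . $safe . 'index.php">Home</a>';
}

// Constructed probe: a request whose zero_rows parameter carries markup.
$probe = ['zero_rows' => '<script>alert(document.cookie)</script>'];

// The vulnerable output delivers the script tag intact; the hardened
// output shows it as literal text (&lt;script&gt;...).
echo render_result_vulnerable($probe), "\n";
echo render_result_hardened($probe), "\n";

// Constructed attribute-injection probe against the link builder.
echo render_link_hardened('http://pma.example/"><script>alert(1)</script>'), "\n";
```

    Run it with `php example.php` and compare the three lines. The first
    shows why a crafted link is enough: the browser cannot tell the injected
    tag from the page's own markup. Note that encoding must match the output
    context; htmlspecialchars() is correct for HTML text and quoted
    attributes, but a value written into a JavaScript block or a URL needs
    the encoding for that context instead.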

    Workaround
    ==========

    There is no known workaround at this time.

    Resolution
    ==========

    All phpMyAdmin users should upgrade to the latest version:

        # emerge --sync
        # emerge --ask --oneshot --verbose ">=dev-db/phpmyadmin-2.6.0_p3"

    References
    ==========

      [ 1 ] CAN-2004-1055
            http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1055
      [ 2 ] PMASA-2004-3
            http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2004-3
      [ 3 ] netVigilance Advisory
            http://www.netvigilance.com/html/advisory0005.htm

    Availability
    ============

    This GLSA and any updates to it are available for viewing at
    the Gentoo Security Website:

      http://security.gentoo.org/glsa/glsa-200411-36.xml

    Concerns?
    =========

    Security is a primary focus of Gentoo Linux and ensuring the
    confidentiality and security of our users machines is of utmost
    importance to us. Any security concerns should be addressed to
    security@gentoo.org or alternatively, you may file a bug at
    http://bugs.gentoo.org.

    License
    =======

    Copyright 2004 Gentoo Foundation, Inc; referenced text
    belongs to its owner(s).

    The contents of this document are licensed under the
    Creative Commons - Attribution / Share Alike license.

    http://creativecommons.org/licenses/by-sa/2.0
