Bug 508879 (CVE-2009-2284)

Summary: CVE-2009-2284 phpMyAdmin: XSS: Insufficient output sanitizing in bookmarks (PMASA-2009-5)
Product: [Other] Security Response
Reporter: Robert Scheck <redhat-bugzilla>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: low
Version: unspecified
CC: mmcgrath
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
URL: http://www.phpmyadmin.net/home_page/security/PMASA-2009-5.php
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2009-07-24 23:12:52 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description Robert Scheck 2009-06-30 11:48:21 UTC
Description of problem:
Welcome to the first security release for phpMyAdmin 3.2.0. Details will
follow on http://phpmyadmin.net in the Security section (see PMASA-2009-5).

Version-Release number of selected component (if applicable):
For 3.x: versions before 3.2.0.1.

-> Affects all active Fedora branches.

Comment 1 Robert Scheck 2009-06-30 12:16:36 UTC
Package: phpMyAdmin-3.2.0.1-1.fc12 Tag: dist-f12 Status: complete
Package: phpMyAdmin-3.2.0.1-1.fc11 Tag: dist-f11-updates-candidate Status: complete
Package: phpMyAdmin-3.2.0.1-1.fc10 Tag: dist-f10-updates-candidate Status: complete
Package: phpMyAdmin-3.2.0.1-1.fc9 Tag: dist-f9-updates-candidate Status: complete

Comment 2 Tomas Hoger 2009-07-01 12:42:54 UTC
CVE-2009-2284:
Cross-site scripting (XSS) vulnerability in phpMyAdmin before 3.2.0.1
allows remote attackers to inject arbitrary web script or HTML via a
crafted SQL bookmark.

http://www.phpmyadmin.net/home_page/security/PMASA-2009-5.php

Comment 3 Tomas Hoger 2009-07-01 14:04:10 UTC
Robert, does this need fixing in EPEL (with 2.x phpMyAdmin)?

Comment 4 Tomas Hoger 2009-07-01 14:19:52 UTC
Ah, the upstream advisory says "previous versions are not."  The change to sql.php is in code not present in 2.x; the change in libraries/common.lib.php seems applicable, but given the upstream statement, it is probably not usable without the sql.php problem...

Comment 5 Fedora Update System 2009-07-03 19:39:13 UTC
phpMyAdmin-3.2.0.1-1.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 6 Fedora Update System 2009-07-03 19:42:30 UTC
phpMyAdmin-3.2.0.1-1.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 7 Fedora Update System 2009-07-03 19:42:46 UTC
phpMyAdmin-3.2.0.1-1.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 8 Robert Scheck 2009-07-24 09:37:21 UTC
Tomas, isn't that done, and can this be closed?

Comment 9 Tomas Hoger 2009-07-24 10:03:51 UTC
If no fix is needed for 2.x in EPEL, sure, feel free to close this.

Comment 10 Robert Scheck 2009-07-24 23:12:52 UTC
Closing, because according to upstream advisory:

For 2.11.x: versions are not affected.
For 3.x: All 3.x releases on which the "bookmarks" feature is active are affected.