|Summary:||CVE-2011-3598 phpPgAdmin: Multiple XSS flaws fixed in v5.0.3|
|Product:||[Other] Security Response||Reporter:||Jan Lieskovsky <jlieskov>|
|Component:||vulnerability||Assignee:||Red Hat Product Security <security-response-team>|
|Status:||NEW ---||QA Contact:|
|Version:||unspecified||CC:||devrim, dyoung, john.julien.qso5, vdanen|
|Fixed In Version:||Doc Type:||Bug Fix|
|Doc Text:||Story Points:||---|
|oVirt Team:||---||RHEL 7.3 requirements from Atomic Host:|
|Cloudforms Team:||---||Target Upstream Version:|
|Bug Depends On:||743207|
Description Jan Lieskovsky 2011-10-04 08:27:08 UTC
Multiple cross-site scripting (XSS) flaws were reported in phpPgAdmin: 1) the 'title' argument of a particular web page was not sanitized properly prior displaying the page header, 2) the return ULR ('return_url') and return link name ('return_desc') were not sanitized properly prior displaying the requested page data. A remote attacker could provide a specially-crafted URL, which once visited by an unsuspecting phpPgAdmin user could lead to arbitrary HTML or web script execution. References:  https://secunia.com/advisories/46248/  https://bugs.gentoo.org/show_bug.cgi?id=385505  http://phppgadmin.sourceforge.net/doku.php?id=download  http://sourceforge.net/mailarchive/forum.php?thread_name=4E897F6C.90905%40free.fr&forum_name=phppgadmin-news Upstream patch:  https://github.com/phppgadmin/phppgadmin/commit/1df248203de055f97e092b50b1dd9643ccb73842
Comment 1 Jan Lieskovsky 2011-10-04 08:32:05 UTC
CVE Request:  http://www.openwall.com/lists/oss-security/2011/10/04/1
Comment 2 Jan Lieskovsky 2011-10-04 08:34:53 UTC
The following phpPgAdmin package updates have been scheduled to correct these flaws in particular releases of Fedora and in the following EPEL repositories versions: 1) phpPgAdmin-5.0.3-1.fc15 for Fedora-15, 2) phpPgAdmin-5.0.3-1.fc14 for Fedora-14, 3) phpPgAdmin-5.0.3-1.el5 for EPEL-5, 4) phpPgAdmin-5.0.3-1.el6 for EPEL-6. Once the updates have passed the required level of testing, they will be pushed to the -stable repositories.
Comment 3 Jan Lieskovsky 2011-10-04 08:42:38 UTC
These issues affect the version of the phpPgAdmin package, as present within EPEL-4 repository. Please schedule an update with the correction.
Comment 4 Jan Lieskovsky 2011-10-04 08:43:50 UTC
Created phpPgAdmin tracking bugs for this issue Affects: epel-4 [bug 743207]
Comment 5 Devrim Gündüz 2011-10-04 14:51:25 UTC
I just pushed all releases.
Comment 6 Vincent Danen 2011-10-04 19:19:25 UTC
This issue has been assigned the name CVE-2011-3598: http://www.openwall.com/lists/oss-security/2011/10/04/10
Comment 7 Jan Lieskovsky 2011-10-05 09:50:20 UTC
(In reply to comment #5) > I just pushed all releases. Thanks Devrim, appreciated.
Comment 8 Jan Lieskovsky 2011-10-05 09:55:36 UTC
The complete list of phpPgAdmin package updates, which contain fix for these issues: 1) phpPgAdmin-5.0.3-1.fc14, 2) phpPgAdmin-5.0.3-1.fc15, 3) phpPgAdmin-5.0.3-1.fc16, 4) phpPgAdmin-5.0.3-1.el4, 5) phpPgAdmin-5.0.3-1.el5, 6) phpPgAdmin-5.0.3-1.el6.
Comment 9 Fedora Update System 2011-10-13 00:51:24 UTC
phpPgAdmin-5.0.3-1.fc14 has been pushed to the Fedora 14 stable repository. If problems still persist, please make note of it in this bug report.
Comment 10 Fedora Update System 2011-10-13 00:51:56 UTC
phpPgAdmin-5.0.3-1.fc15 has been pushed to the Fedora 15 stable repository. If problems still persist, please make note of it in this bug report.
Comment 11 Fedora Update System 2011-10-13 04:38:36 UTC
phpPgAdmin-5.0.3-1.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.
Comment 12 Fedora Update System 2011-10-24 15:38:20 UTC
phpPgAdmin-5.0.3-1.el4 has been pushed to the Fedora EPEL 4 stable repository. If problems still persist, please make note of it in this bug report.
Comment 13 Fedora Update System 2011-10-24 15:38:44 UTC
phpPgAdmin-5.0.3-1.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.
Comment 14 Fedora Update System 2011-10-24 15:39:08 UTC
phpPgAdmin-5.0.3-1.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.
Comment 15 Dan Young 2011-10-27 17:10:38 UTC
Please note that phpPgAdmin ≥ 5.0 requires PHP version 5, which is not present in EL4. The update in the EPEL 4 repository breaks those EL4 installs.