Bug 508879 - (CVE-2009-2284) CVE-2009-2284 phpMyAdmin: XSS: Insufficient output sanitizing in bookmarks (PMASA-2009-5)
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: medium
Assigned To: Red Hat Product Security
http://www.phpmyadmin.net/home_page/s...
Reported: 2009-06-30 07:48 EDT by Robert Scheck
Modified: 2009-07-24 19:12 EDT
Doc Type: Bug Fix
Last Closed: 2009-07-24 19:12:52 EDT
Description Robert Scheck 2009-06-30 07:48:21 EDT
Description of problem:
Welcome to the first security release for phpMyAdmin 3.2.0. Details will
follow on http://phpmyadmin.net in the Security section (see PMASA-2009-5).

Version-Release number of selected component (if applicable):
For 3.x: versions before 3.2.0.1.

-> Affects all active Fedora branches.
Comment 1 Robert Scheck 2009-06-30 08:16:36 EDT
Package: phpMyAdmin-3.2.0.1-1.fc12 Tag: dist-f12 Status: complete
Package: phpMyAdmin-3.2.0.1-1.fc11 Tag: dist-f11-updates-candidate Status: complete
Package: phpMyAdmin-3.2.0.1-1.fc10 Tag: dist-f10-updates-candidate Status: complete
Package: phpMyAdmin-3.2.0.1-1.fc9 Tag: dist-f9-updates-candidate Status: complete
Comment 2 Tomas Hoger 2009-07-01 08:42:54 EDT
CVE-2009-2284:
Cross-site scripting (XSS) vulnerability in phpMyAdmin before 3.2.0.1
allows remote attackers to inject arbitrary web script or HTML via a
crafted SQL bookmark.

http://www.phpmyadmin.net/home_page/security/PMASA-2009-5.php
Comment 3 Tomas Hoger 2009-07-01 10:04:10 EDT
Robert, does this need fixing in EPEL (with 2.x phpMyAdmin)?
Comment 4 Tomas Hoger 2009-07-01 10:19:52 EDT
Ah, upstream advisory says "previous versions are not.".  Change to sql.php is in the code not in 2.x, change in libraries/common.lib.php seems applicable, but given the upstream statement, probably not usable without the sql.php problem...
Comment 5 Fedora Update System 2009-07-03 15:39:13 EDT
phpMyAdmin-3.2.0.1-1.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 6 Fedora Update System 2009-07-03 15:42:30 EDT
phpMyAdmin-3.2.0.1-1.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 7 Fedora Update System 2009-07-03 15:42:46 EDT
phpMyAdmin-3.2.0.1-1.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 8 Robert Scheck 2009-07-24 05:37:21 EDT
Tomas, isn't that done and can be closed?
Comment 9 Tomas Hoger 2009-07-24 06:03:51 EDT
If no fix is needed for 2.x in EPEL, sure, feel free to close this.
Comment 10 Robert Scheck 2009-07-24 19:12:52 EDT
Closing, because according to upstream advisory:

For 2.11.x: versions are not affected.
For 3.x: All 3.x releases on which the "bookmarks" feature is active are affected.