Bug 631824 - (CVE-2010-3263) CVE-2010-3263 phpMyAdmin (x < v3.3.7): XSS in setup script (PMASA-2010-7)
CVE-2010-3263 phpMyAdmin (x < v3.3.7): XSS in setup script (PMASA-2010-7)
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
All Linux
low Severity low
: ---
: ---
Assigned To: Red Hat Product Security
: Security
Depends On: 631829
  Show dependency treegraph
Reported: 2010-09-08 09:19 EDT by Jan Lieskovsky
Modified: 2016-03-04 06:23 EST (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2011-03-21 12:12:50 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Jan Lieskovsky 2010-09-08 09:19:09 EDT
phpMyAdmin (x < v3.3.7) improperly sanitized server name provided to
the setup script. An attacker could use this flaw (under
certain installations) to conduct cross-site scripting
(XSS) attacks (execute arbitrary HTML or scripting code).

[1] http://www.phpmyadmin.net/home_page/security/PMASA-2010-7.php
[2] http://secunia.com/advisories/41210/

Upstream changeset:
[3] http://phpmyadmin.git.sourceforge.net/git/gitweb.cgi?p=phpmyadmin/phpmyadmin;a=commitdiff;h=73ce5705bd1e0b62060f75702d62f88247ce09dd

Affected versions (from [1]):
For 3.x: versions before 3.3.7 are affected.

Unaffected versions (from [1]):
Branch 2.11.x is not affected by this.

Upstream acknowledges Tenable Network Security as original reporter.
Comment 1 Jan Lieskovsky 2010-09-08 09:21:50 EDT
This issue affects the versions of the phpMyAdmin package, as shipped
with Fedora release of 12 and 13.

Please fix.
Comment 2 Jan Lieskovsky 2010-09-08 09:34:07 EDT
CVE Request:
[4] http://www.openwall.com/lists/oss-security/2010/09/08/9
Comment 3 Jan Lieskovsky 2010-09-08 09:35:31 EDT
Created phpMyAdmin tracking bugs for this issue

Affects: fedora-all [bug 631829]
Comment 4 Jan Lieskovsky 2010-09-09 04:12:29 EDT
CVE identifier of CVE-2010-3263 has been assigned to this issue.
Comment 5 Bill C. Riemers 2010-09-21 16:19:44 EDT
*** Bug 636273 has been marked as a duplicate of this bug. ***
Comment 6 Robert Scheck 2011-03-21 11:52:51 EDT
I think this bug report should be closed, shouldn't it?

Note You need to log in before you can comment on or make changes to this bug.