phpMyAdmin (x < v3.3.7) improperly sanitized server name provided to the setup script. An attacker could use this flaw (under certain installations) to conduct cross-site scripting (XSS) attacks (execute arbitrary HTML or scripting code).

References:
[1] http://www.phpmyadmin.net/home_page/security/PMASA-2010-7.php
[2] http://secunia.com/advisories/41210/

Upstream changeset:
[3] http://phpmyadmin.git.sourceforge.net/git/gitweb.cgi?p=phpmyadmin/phpmyadmin;a=commitdiff;h=73ce5705bd1e0b62060f75702d62f88247ce09dd

Affected versions (from [1]):
For 3.x: versions before 3.3.7 are affected.

Unaffected versions (from [1]):
Branch 2.11.x is not affected by this.

Credit:
Upstream acknowledges Tenable Network Security as original reporter.
This issue affects the versions of the phpMyAdmin package as shipped with Fedora releases 12 and 13. Please fix.
CVE Request: [4] http://www.openwall.com/lists/oss-security/2010/09/08/9
Created phpMyAdmin tracking bugs for this issue.
Affects: fedora-all [bug 631829]
CVE identifier of CVE-2010-3263 has been assigned to this issue.
*** Bug 636273 has been marked as a duplicate of this bug. ***
I think this bug report should be closed, shouldn't it?