oss-security September 2010 archive
Main Archive Page > Month Archives  > oss-security archives
oss-security: [oss-security] CVE Request -- phpMyAdmin - v3.6.6

[oss-security] CVE Request -- phpMyAdmin - v3.6.6 -- XSS attack using debugging messages (CVE-2010-3056 discussion)

From: Jan Lieskovsky <jlieskov_at_nospam>
Date: Wed Sep 01 2010 - 14:16:36 GMT
To: "Steven M. Christey" <coley@linus.mitre.org>

Hi Steve, vendors,

   on 2010-08-30 phpMyAdmin published PMASA-2010-6 addressing one XSS:
   [1] http://www.phpmyadmin.net/home_page/security/PMASA-2010-6.php

   Summary (from [1]):
     XSS attack using debugging messages.
   Description (from [1]):
     It was possible to conduct a XSS attack using error messages in PHP backtrace.

   Affected versions (from [1]):
   For 3.x: versions before 3.3.6 are affected.
   Branch 2.11.x is not affected by this

   Upstream commit:
   http://phpmyadmin.git.sourceforge.net/git/gitweb.cgi?p=phpmyadmin/phpmyadmin;a=commitdiff;h=133a77fac7d31a38703db2099a90c1b49de62e37

phpMyAdmin upstream seems to reference CVE-2010-3056 as CVE id to this flaw.

But CVE-2010-3056 was previously assigned to:
[2] http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3056
[3] https://bugzilla.redhat.com/show_bug.cgi?id=625877
[4] http://www.phpmyadmin.net/home_page/security/PMASA-2010-5.php

which affected both (from [4]):
For 2.11.x: versions before 2.11.10.1 are affected.
For 3.x: versions before 3.3.5.1 are affected.

so this is different issue and new CVE id should be allocated (due different
affected versions).

Could you please allocate one?

Thanks && Regards, Jan.
-- Jan iankko Lieskovsky / Red Hat Security Resposne Team