Hi Thijs, yes it's a good idea, I'll implement your suggestions.
Marc
Thijs Kinkhorst wrote:
Hi devs,
I requested a CVE id to be assigned for PMASA-2007-6, which is quoted below. If I have spotted it correctly, I see not much use of CVE ids within phpMyAdmin. It would be very helpful for security workers in e.g. distributions if the PMASA advisories would mention the corresponding CVE numbers when such a number is or becomes available. It could also have a place in the relevant changelog entry that fixes the problem.
Would you consider doing that?
Thanks, Thijs (also on behalf of the Debian security team)
---------------------------- Original Message ----------------------------
Subject: Re: CVE for phpMyAdmin PMASA-2007-6
From: "Steven M. Christey" coley@linus.mitre.org
Date: Mon, October 22, 2007 22:19
To: "Thijs Kinkhorst" thijs@debian.org
Cc: cve@mitre.org
Hello,
Use CVE-2007-5589
- Steve
======================================================
Name: CVE-2007-5589
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5589
Reference: MISC:http://www.digitrustgroup.com/advisories/TDG-advisory071015a.html
Reference: CONFIRM:http://phpmyadmin.svn.sourceforge.net/viewvc/phpmyadmin/branches/MAINT_2_11_...
Reference: CONFIRM:http://phpmyadmin.svn.sourceforge.net/viewvc/phpmyadmin?view=rev&revisio...
Reference: CONFIRM:http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2007-6
Reference: FRSIRT:ADV-2007-3535
Reference: URL:http://www.frsirt.com/english/advisories/2007/3535
Reference: SECUNIA:27246
Reference: URL:http://secunia.com/advisories/27246

Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin before 2.11.1.2 allow remote attackers to inject arbitrary web script or HTML via certain input available in (1) PHP_SELF in (a) server_status.php, and (b) grab_globals.lib.php, (c) display_change_password.lib.php, and (d) common.lib.php in libraries/; and certain input available in PHP_SELF and (2) PATH_INFO in libraries/common.inc.php. NOTE: there might also be other vectors related to (3) REQUEST_URI.
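For readers less familiar with the bug class named in the CVE record above, here is an added illustration (not phpMyAdmin's own code, nor the PMASA-2007-6 patch) of why reflecting PHP_SELF or PATH_INFO into a page unescaped is a reflected-XSS sink, and of the usual mitigation: escaping the value for its HTML context at output time. The sample path and both function names are constructed for the example.

```php
<?php
// Added illustrative example; not phpMyAdmin code and not its PMASA-2007-6 fix.
// Demonstrates the PHP_SELF / PATH_INFO reflection problem and its mitigation.

// Vulnerable pattern: the request path is reflected into an attribute as-is.
function form_action_unsafe(string $phpSelf): string
{
    return '<form action="' . $phpSelf . '" method="post">';
}

// Hardened pattern: escape for the HTML attribute context. ENT_QUOTES covers
// both quote styles, so the value can no longer terminate the attribute.
function form_action_safe(string $phpSelf): string
{
    $escaped = htmlspecialchars($phpSelf, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<form action="' . $escaped . '" method="post">';
}

// Constructed sample: PHP_SELF carries a PATH_INFO segment containing markup,
// which "/index.php/..." style requests can produce when the web server
// accepts extra path info for the script.
$sample = '/phpmyadmin/index.php/"><i>injected</i>';

$unsafe = form_action_unsafe($sample);
$safe   = form_action_safe($sample);

// Self-check: the unsafe output contains a raw tag, the safe output does not.
assert(strpos($unsafe, '<i>') !== false);
assert(strpos($safe, '<i>') === false);
assert(strpos($safe, '&lt;i&gt;') !== false);

echo $unsafe, PHP_EOL; // attribute closed early; markup becomes part of the page
echo $safe, PHP_EOL;   // value stays inside the attribute as inert text
```

The same escaping applies to any server-controlled-looking value that actually derives from the request (REQUEST_URI included); an alternative is to emit a fixed script path rather than PHP_SELF at all.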