[Phpmyadmin-git] [SCM] phpMyAdmin website branch, master, updated. bf754acd5c4bd16f0bb3a4a11e108c2c172583b0

The branch, master has been updated via bf754acd5c4bd16f0bb3a4a11e108c2c172583b0 (commit) via d36188f3ea49e446dc015e7b8266929434cc218a (commit) from 385f0b3a7532f8b384d5990cc0642a20910b61ce (commit) - Log ----------------------------------------------------------------- commit bf754acd5c4bd16f0bb3a4a11e108c2c172583b0 Merge: 385f0b3 d36188f Author: Marc Delisle &lt;marc(a)infomarc.info&gt; Date: Wed Sep 14 08:04:04 2011 -0400 Merge branch 'website-security' commit d36188f3ea49e446dc015e7b8266929434cc218a Author: Marc Delisle &lt;marc(a)infomarc.info&gt; Date: Mon Sep 12 13:01:06 2011 -0400 PMASA-2011-14 proposal ----------------------------------------------------------------------- Summary of changes: .../security/{PMASA-2011-11 => PMASA-2011-14} | 20 ++++++++++---------- 1 files changed, 10 insertions(+), 10 deletions(-) copy templates/security/{PMASA-2011-11 => PMASA-2011-14} (57%) diff --git a/templates/security/PMASA-2011-11 b/templates/security/PMASA-2011-14 similarity index 57% copy from templates/security/PMASA-2011-11 copy to templates/security/PMASA-2011-14 index f6f98fd..570a21d 100644 --- a/templates/security/PMASA-2011-11 +++ b/templates/security/PMASA-2011-14 @@ -3,23 +3,23 @@ <py:def function="announcement_id"> -PMASA-2011-11 +PMASA-2011-14 </py:def> <py:def function="announcement_date"> -2011-07-23 +2011-09-14 </py:def> <py:def function="announcement_summary"> -Local file inclusion vulnerability and code execution. +Multiple XSS. </py:def> <py:def function="announcement_description"> -In the 'relational schema' code a parameter was not sanitized before being used to concatenate a class name. +Firstly, if a row contains javascript code, after inline editing this row and saving, the code is executed. Secondly, missing sanitization on the db, table and column names leads to XSS vulnerabilities. </py:def> <py:def function="announcement_severity"> -We consider this vulnerability to be critical. +We consider these vulnerabilities to be serious. </py:def> <py:def function="announcement_mitigation"> @@ -27,25 +27,25 @@ An attacker must be logged in via phpMyAdmin to exploit this problem. </py:def> <py:def function="announcement_affected"> -Versions 3.4.0 to 3.4.3.1 are affected. +Versions 3.4.0 to 3.4.4 were found vulnerable. </py:def> <py:def function="announcement_solution"> -Upgrade to phpMyAdmin 3.4.3.2 or apply the related patch listed below. +Upgrade to phpMyAdmin 3.4.5 or apply the related patches listed below. </py:def> <!--! Links to reporter etc, do not forget to escape & to &amp; --> <py:def function="announcement_references"> -This issue was found by Norman Hippert from <a href="http://www.the-wildcat.de/">The-Wildcat.de</a> +The first issue was found by Brad Bernard (<a href="http://iunfollow.com">iunfollow.com</a>). The second issue was found by Nils Juenemann (<a href="https://twitter.com/#!/totally_unknown">https://twitter.…y_unknown</a>.) </py:def> <!--! CVE ID of the report, this is automatically added to references --> -<py:def function="announcement_cve">CVE-2011-2718</py:def> <py:def function="announcement_cwe">661 98</py:def> <py:def function="announcement_commits"> -3ae58f0cd6b89ad4767920f9b214c38d3f6d4393 +bda213c58aec44925be661acb0e76c19483ea170 +2f28ce9c800274190418da0945ce3647d36e1db6 </py:def> <xi:include href="_page.tpl" /> hooks/post-receive -- phpMyAdmin website