The branch, master has been updated
       via  e44eb2866f5210b701416b82c29af918841ec666 (commit)
      from  a1be72d541e6f3d1283065bb91f8f3c3e4fc0359 (commit)

- Log -----------------------------------------------------------------
commit e44eb2866f5210b701416b82c29af918841ec666
Author: Marc Delisle marc@infomarc.info
Date:   Sun May 22 06:28:04 2011 -0400
PMASA-2011-3 and -4
-----------------------------------------------------------------------
Summary of changes:
 templates/security/{PMASA-2011-2 => PMASA-2011-3} |   34 +++++++-------
 templates/security/PMASA-2011-4                   |   50 +++++++++++++++++++++
 2 files changed, 68 insertions(+), 16 deletions(-)
 copy templates/security/{PMASA-2011-2 => PMASA-2011-3} (50%)
 create mode 100644 templates/security/PMASA-2011-4
diff --git a/templates/security/PMASA-2011-2 b/templates/security/PMASA-2011-3 similarity index 50% copy from templates/security/PMASA-2011-2 copy to templates/security/PMASA-2011-3 index 8dfca27..cb973dd 100644 --- a/templates/security/PMASA-2011-2 +++ b/templates/security/PMASA-2011-3 @@ -3,55 +3,57 @@
<py:def function="announcement_id"> -PMASA-2011-2 +PMASA-2011-3 </py:def>
<py:def function="announcement_date"> -2011-02-11 +2011-05-22 </py:def>
<py:def function="announcement_summary"> -SQL query could be executed under another user. +XSS vulnerability on Tracking page </py:def>
<py:def function="announcement_description"> -It was possible to create a bookmark which would be executed unintentionally by other users. +It was possible to create a crafted table name that leads to XSS. </py:def>
<py:def function="announcement_severity"> -We consider this vulnerability to be critical. +We consider this vulnerability to be serious. </py:def>
<py:def function="announcement_mitigation"> -To use this vulnerability, phpMyAdmin configuration storage needs to be -set up and enabled and bookmarks function needs to be enabled. +This vulnerability works in the context of a shared phpMyAdmin installation. +The attacker needs to convince a victim to go to the Tracking page that +relates to the crafted table. </py:def>
<py:def function="announcement_affected"> -The 2.11.x and 3.3.x versions are affected. +The 3.3.x and 3.4.0 versions are affected. </py:def>
<py:def function="announcement_solution"> -Upgrade to phpMyAdmin 3.3.9.2 or newer (2.11.11.3 or newer for the older -family) or apply the related patch listed below. +Upgrade to phpMyAdmin 3.3.10.1 or 3.4.1 or apply the related patch listed below. </py:def>
<!--! Links to reporter etc, do not forget to escape & to & --> <py:def function="announcement_references"> -This issue was found by <a href="http://cihar.com/">Michal Čihař</a>. +This issue was found by a person who wishes to be known as "dave b". </py:def>
<!--! CVE ID of the report, this is automatically added to references --> -<py:def function="announcement_cve">CVE-2011-0987</py:def> +<py:def function="announcement_cve">CVE-2011-XXXX</py:def>
-<py:def function="announcement_cwe">661 89</py:def> +<py:def function="announcement_cwe">661 79</py:def>
<py:def function="announcement_commits"> -a5464b4daff0059cdf8c9e5f4d54a80e2dd2a5b0 +7e10c132a3887c8ebfd7a8eee356b28375f1e287 +d3ccf798fdbd4f8a89d4088130637d8dee918492 </py:def>
-<py:def function="announcement_commits_2_11"> -2fa4c8d97a92ae0d4e2051d5d18a18688c31f84f +<py:def function="announcement_commits_3_3_10"> +1300510d3686b40adefafb7f1778a6f06d0a553a +452669a1746898a08129d3a555ac4b1ec084b423 </py:def>
<xi:include href="_page.tpl" /> diff --git a/templates/security/PMASA-2011-4 b/templates/security/PMASA-2011-4 new file mode 100644 index 0000000..1ebbfda --- /dev/null +++ b/templates/security/PMASA-2011-4 @@ -0,0 +1,50 @@ +<!--! Template for security announcement --> +<html xmlns:py="http://genshi.edgewall.org/" xmlns:xi="http://www.w3.org/2001/XInclude" py:strip=""> + + +<py:def function="announcement_id"> +PMASA-2011-4 +</py:def> + +<py:def function="announcement_date"> +2011-05-22 +</py:def> + +<py:def function="announcement_summary"> +URL redirection to untrusted site +</py:def> + +<py:def function="announcement_description"> +It was possible to redirect to an arbitrary, untrusted site, leading to +a possible phishing attack. +</py:def> + +<py:def function="announcement_severity"> +We consider this vulnerability to be serious. +</py:def> + +<py:def function="announcement_affected"> +The 3.4.0 version is affected. +</py:def> + +<py:def function="announcement_solution"> +Upgrade to phpMyAdmin 3.4.1 or apply the related patch listed below. +</py:def> + +<!--! Links to reporter etc, do not forget to escape & to & --> +<py:def function="announcement_references"> +This issue was found by Kian Mohageri. +</py:def> + +<!--! CVE ID of the report, this is automatically added to references --> +<py:def function="announcement_cve">CVE-2011-XXXX</py:def> + +<py:def function="announcement_cwe">661 601</py:def> + +<py:def function="announcement_commits"> +b7a8179eb6bf0f1643970ac57a70b5b513a1cd4f +ecfc8ba4f7b4ea612c58ab5726054ed0f28e200d +</py:def> + +<xi:include href="_page.tpl" /> +</html>
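Review bot: in the PMASA-2011-3 hunk the `announcement_cve` line still carries the placeholder `+<py:def function="announcement_cve">CVE-2011-XXXX</py:def>`; the comment directly above it says the CVE ID is automatically added to the references, so a placeholder will be published as a bogus reference unless a real ID is filled in before the page is generated (or the page template learns to skip the reference when no ID is assigned). The same hunk renames the per-branch commit list from `announcement_commits_2_11` to `announcement_commits_3_3_10` while `_page.tpl` is included unchanged; please confirm the page template actually looks up the new function name, otherwise the 3.3.10 fix commits 1300510d3686b40adefafb7f1778a6f06d0a553a and 452669a1746898a08129d3a555ac4b1ec084b423 will never appear on the rendered advisory.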
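Review bot: the new PMASA-2011-4 template defines no `announcement_mitigation` function, although the PMASA-2011-3 template in this same commit does (`+This vulnerability works in the context of a shared phpMyAdmin installation.`); if `_page.tpl` calls that function unconditionally the new page will fail to render or show an empty mitigation section, so either add a mitigation block for the open-redirect issue or confirm that the include treats it as optional. As in the other file, `+<py:def function="announcement_cve">CVE-2011-XXXX</py:def>` is a placeholder and needs the assigned CVE before publication; the CWE value `661 601` does match the URL-redirection issue described.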
hooks/post-receive