[Phpmyadmin-devel] [Fwd: Re: CVE for phpMyAdmin PMASA-2007-6]

Thijs Kinkhorst thijs at debian.org
Tue Oct 23 11:01:25 CEST 2007


Hi devs,

I requested a CVE id to be assigned for PMASA-2007-6, which is quoted below.
If I have spotted it correctly, I see not much use of CVE ids within
phpMyAdmin. It would be very helpful for security workers in e.g.
distributions if the PMASA advisories would mention the corresponding CVE
numbers when such a number is or becomes available. It could also have a
place in the relevant changelog entry that fixes the problem.

Would you consider doing that?

Thanks
Thijs
(also on behalf of the Debian security team)


---------------------------- Original Message ----------------------------
Subject: Re: CVE for phpMyAdmin PMASA-2007-6
From:    "Steven M. Christey" <coley at linus.mitre.org>
Date:    Mon, October 22, 2007 22:19
To:      "Thijs Kinkhorst" <thijs at debian.org>
Cc:      cve at mitre.org
--------------------------------------------------------------------------


Hello,

Use CVE-2007-5589

- Steve

======================================================
Name: CVE-2007-5589
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5589
Reference:
MISC:http://www.digitrustgroup.com/advisories/TDG-advisory071015a.html
Reference:
CONFIRM:http://phpmyadmin.svn.sourceforge.net/viewvc/phpmyadmin/branches/MAINT_2_11_1/phpMyAdmin/ChangeLog?r1=10796&r2=10795&pathrev=10796
Reference:
CONFIRM:http://phpmyadmin.svn.sourceforge.net/viewvc/phpmyadmin?view=rev&revision=10796
Reference:
CONFIRM:http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2007-6
Reference: FRSIRT:ADV-2007-3535
Reference: URL:http://www.frsirt.com/english/advisories/2007/3535
Reference: SECUNIA:27246
Reference: URL:http://secunia.com/advisories/27246

Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin
before 2.11.1.2 allow remote attackers to inject arbitrary web script
or HTML via certain input available in (1) PHP_SELF in (a)
server_status.php, and (b) grab_globals.lib.php, (c)
display_change_password.lib.php, and (d) common.lib.php in libraries/;
and certain input available in PHP_SELF and (2) PATH_INFO in
libraries/common.inc.php.  NOTE: there might also be other vectors
related to (3) REQUEST_URI.
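
An added example, not part of the original messages and not phpMyAdmin or MITRE code: one way a distribution security tracker could parse a CVE candidate record in the text layout quoted above and map the vendor advisory id to the CVE name, which is the cross-reference requested in this thread. The function names are hypothetical, and the sample record is abridged from the entry quoted above.

```python
import re

# Abridged from the CVE candidate record quoted in this message.
SAMPLE_RECORD = """\
Name: CVE-2007-5589
Status: Candidate
Reference:
CONFIRM:http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2007-6
Reference: FRSIRT:ADV-2007-3535
Reference: URL:http://www.frsirt.com/english/advisories/2007/3535
Reference: SECUNIA:27246

Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin
before 2.11.1.2 allow remote attackers to inject arbitrary web script.
"""

FIELD_RE = re.compile(r"^(Name|Status|URL|Reference):\s*(.*)$")
PMASA_RE = re.compile(r"PMASA-\d{4}-\d+")


def parse_cve_record(text):
    """Parse the header block and the free-text description into a dict."""
    record = {"references": [], "description": ""}
    lines = iter(text.strip().splitlines())
    for line in lines:
        if not line.strip():
            break  # a blank line ends the header block
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, value = m.groups()
        if key == "Reference":
            if not value:  # mail wrapping pushed the value onto the next line
                value = next(lines, "").strip()
            source, _, ident = value.partition(":")
            record["references"].append((source, ident))
        else:
            record[key.lower()] = value.strip()
    # Whatever remains after the header block is the description.
    record["description"] = " ".join(l.strip() for l in lines if l.strip())
    return record


def advisory_to_cve(record):
    """Map each PMASA-YYYY-N id found in the references to the CVE name."""
    ids = set()
    for _source, ident in record["references"]:
        ids.update(PMASA_RE.findall(ident))
    return {pmasa: record["name"] for pmasa in sorted(ids)}
```
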







