[Phpmyadmin-git] [SCM] phpMyAdmin website branch, master, updated. ebcfdbdef73254b04ee4f557cba36df87b43b026

Herman van Rink helmo at users.sourceforge.net
Fri Jul 8 17:27:45 CEST 2011


The branch, master has been updated
       via  ebcfdbdef73254b04ee4f557cba36df87b43b026 (commit)
       via  4d0a765f06558ec40bee74fab2e396a6abfb7b65 (commit)
       via  d79dc1d237de4c3246745c269376db7b99a9d1cb (commit)
      from  43202720e8bf301cd37eb5384c2fd1227ef43073 (commit)


- Log -----------------------------------------------------------------
commit ebcfdbdef73254b04ee4f557cba36df87b43b026
Author: Herman van Rink <rink at initfour.nl>
Date:   Fri Jul 8 17:26:59 2011 +0200

    Added link to advisory for PMASA-2011-[5678]

commit 4d0a765f06558ec40bee74fab2e396a6abfb7b65
Merge: d79dc1d237de4c3246745c269376db7b99a9d1cb 43202720e8bf301cd37eb5384c2fd1227ef43073
Author: Herman van Rink <rink at initfour.nl>
Date:   Fri Jul 8 17:19:08 2011 +0200

    Merge branch 'master' of ssh://phpmyadmin.git.sourceforge.net/gitroot/phpmyadmin/website

commit d79dc1d237de4c3246745c269376db7b99a9d1cb
Author: Marc Delisle <marc at infomarc.info>
Date:   Thu Jul 7 15:09:36 2011 -0400

    New advisories

-----------------------------------------------------------------------

Summary of changes:
 templates/security/{PMASA-2011-8 => PMASA-2011-10} |   28 ++++++++----------
 templates/security/PMASA-2011-5                    |    3 +-
 templates/security/PMASA-2011-6                    |    3 +-
 templates/security/PMASA-2011-7                    |    3 +-
 templates/security/PMASA-2011-8                    |    3 +-
 templates/security/{PMASA-2011-3 => PMASA-2011-9}  |   30 ++++++++------------
 6 files changed, 32 insertions(+), 38 deletions(-)
 copy templates/security/{PMASA-2011-8 => PMASA-2011-10} (58%)
 copy templates/security/{PMASA-2011-3 => PMASA-2011-9} (52%)

diff --git a/templates/security/PMASA-2011-8 b/templates/security/PMASA-2011-10
similarity index 58%
copy from templates/security/PMASA-2011-8
copy to templates/security/PMASA-2011-10
index 7bd14a0..77c3148 100644
--- a/templates/security/PMASA-2011-8
+++ b/templates/security/PMASA-2011-10
@@ -3,53 +3,49 @@
 
 
 <py:def function="announcement_id">
-PMASA-2011-8
+PMASA-2011-10
 </py:def>
 
 <py:def function="announcement_date">
-2011-07-02
+2011-07-XX
 </py:def>
 
 <py:def function="announcement_summary">
-Possible directory traversal.
+Local file inclusion.
 </py:def>
 
 <py:def function="announcement_description">
-Fixed filtering of a file path in the MIME-type transformation code, which allowed for directory traversal.
+Via a crafted MIME-type transformation parameter, an attacker can perform a local file inclusion.
 </py:def>
 
 <py:def function="announcement_severity">
 We consider this vulnerability to be serious.
 </py:def>
 
-<py:def function="announcement_affected">
-The 3.4.3 and earlier versions are affected.
+<py:def function="announcement_mitigation">
+The phpMyAdmin's configuration storage mechanism must be configured for this attack to work.
 </py:def>
 
-<py:def function="announcement_unaffected">
-Branch 2.11.x is not affected by this.
+<py:def function="announcement_affected">
+Versions 3.4.0 to 3.4.3.1 are affected.
 </py:def>
 
 <py:def function="announcement_solution">
-Upgrade to phpMyAdmin 3.3.10.2 or 3.4.3.1 or apply the related patch listed below.
+Upgrade to phpMyAdmin 3.4.3.2 or apply the related patch listed below.
 </py:def>
 
 <!--! Links to reporter etc, do not forget to escape & to & -->
 <py:def function="announcement_references">
-This issue was found by Frans Pehrson from <a href="http://www.xxor.se">Xxor AB</a>
+This issue was found by Norman Hippert from <a href="http://www.the-wildcat.de/">The-Wildcat.de</a>
 </py:def>
 
 <!--! CVE ID of the report, this is automatically added to references -->
-<py:def function="announcement_cve">CVE-2011-2508</py:def>
+<py:def function="announcement_cve">CVE-2011-XXXX</py:def>
 
 <py:def function="announcement_cwe">661 98</py:def>
 
 <py:def function="announcement_commits">
-b434320eff8ca9c2fc1b043c1804f868341af9a7
-</py:def>
-
-<py:def function="announcement_commits_3_3">
-5ee357a572866e730d83f56d6187a67c7c48e523
+f63e1bb42a37401b2fdfcd2e66cce92b7ea2025c
 </py:def>
 
 <xi:include href="_page.tpl" />
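Review bot: The `announcement_date` (`2011-07-XX`) and `announcement_cve` (`CVE-2011-XXXX`) values in the new PMASA-2011-10 file are still placeholders, and the template comment says the CVE ID is automatically added to references, so the rendered page would cite an identifier that does not exist; fill both in before this advisory is published. The new `announcement_mitigation` text ("must be configured for this attack to work") states a precondition of the attack rather than something an administrator can act on, so it would read better phrased as a mitigating factor, and "The phpMyAdmin's configuration storage" should drop the article. With the `announcement_unaffected` block removed, consider stating explicitly whether releases before 3.4.0 are unaffected instead of leaving it to be inferred from "Versions 3.4.0 to 3.4.3.1 are affected".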
diff --git a/templates/security/PMASA-2011-5 b/templates/security/PMASA-2011-5
index b21c291..5cea3f8 100644
--- a/templates/security/PMASA-2011-5
+++ b/templates/security/PMASA-2011-5
@@ -41,7 +41,8 @@ Upgrade to phpMyAdmin 3.3.10.2 or 3.4.3.1 or apply the related patch listed belo
 
 <!--! Links to reporter etc, do not forget to escape & to & -->
 <py:def function="announcement_references">
-This issue was found by Frans Pehrson from <a href="http://www.xxor.se">Xxor AB</a>
+This issue was found by Frans Pehrson from <a href="http://www.xxor.se">Xxor AB</a>. 
+<a href="http://www.xxor.se/advisories/phpMyAdmin_3.x_Multiple_Remote_Code_Executions.txt">His advisory.</a>
 </py:def>
 
 <!--! CVE ID of the report, this is automatically added to references -->
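Review bot: The first added line in `announcement_references` ends with trailing whitespace after `Xxor AB</a>.`, which the matching lines in PMASA-2011-6, -7 and -8 do not have; strip it so the four files stay identical. The anchor text "His advisory." says nothing about the target when read on its own in the rendered references, so naming the advisory in the link text would be clearer.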
diff --git a/templates/security/PMASA-2011-6 b/templates/security/PMASA-2011-6
index c06ba98..9d3d839 100644
--- a/templates/security/PMASA-2011-6
+++ b/templates/security/PMASA-2011-6
@@ -38,7 +38,8 @@ Upgrade to phpMyAdmin 3.3.10.2 or 3.4.3.1 or apply the related patch listed belo
 
 <!--! Links to reporter etc, do not forget to escape & to & -->
 <py:def function="announcement_references">
-This issue was found by Frans Pehrson from <a href="http://www.xxor.se">Xxor AB</a>
+This issue was found by Frans Pehrson from <a href="http://www.xxor.se">Xxor AB</a>.
+<a href="http://www.xxor.se/advisories/phpMyAdmin_3.x_Multiple_Remote_Code_Executions.txt">His advisory.</a>
 </py:def>
 
 <!--! CVE ID of the report, this is automatically added to references -->
diff --git a/templates/security/PMASA-2011-7 b/templates/security/PMASA-2011-7
index a33048c..2bc9039 100644
--- a/templates/security/PMASA-2011-7
+++ b/templates/security/PMASA-2011-7
@@ -48,7 +48,8 @@ Upgrade to phpMyAdmin 3.3.10.2 or 3.4.3.1 or apply the related patch listed belo
 
 <!--! Links to reporter etc, do not forget to escape & to & -->
 <py:def function="announcement_references">
-This issue was found by Frans Pehrson from <a href="http://www.xxor.se">Xxor AB</a>
+This issue was found by Frans Pehrson from <a href="http://www.xxor.se">Xxor AB</a>.
+<a href="http://www.xxor.se/advisories/phpMyAdmin_3.x_Multiple_Remote_Code_Executions.txt">His advisory.</a>
 </py:def>
 
 <!--! CVE ID of the report, this is automatically added to references -->
diff --git a/templates/security/PMASA-2011-8 b/templates/security/PMASA-2011-8
index 7bd14a0..d871607 100644
--- a/templates/security/PMASA-2011-8
+++ b/templates/security/PMASA-2011-8
@@ -36,7 +36,8 @@ Upgrade to phpMyAdmin 3.3.10.2 or 3.4.3.1 or apply the related patch listed belo
 
 <!--! Links to reporter etc, do not forget to escape & to & -->
 <py:def function="announcement_references">
-This issue was found by Frans Pehrson from <a href="http://www.xxor.se">Xxor AB</a>
+This issue was found by Frans Pehrson from <a href="http://www.xxor.se">Xxor AB</a>.
+<a href="http://www.xxor.se/advisories/phpMyAdmin_3.x_Multiple_Remote_Code_Executions.txt">His advisory.</a>
 </py:def>
 
 <!--! CVE ID of the report, this is automatically added to references -->
diff --git a/templates/security/PMASA-2011-3 b/templates/security/PMASA-2011-9
similarity index 52%
copy from templates/security/PMASA-2011-3
copy to templates/security/PMASA-2011-9
index d48bad0..e34d305 100644
--- a/templates/security/PMASA-2011-3
+++ b/templates/security/PMASA-2011-9
@@ -3,57 +3,51 @@
 
 
 <py:def function="announcement_id">
-PMASA-2011-3
+PMASA-2011-9
 </py:def>
 
 <py:def function="announcement_date">
-2011-05-22
+2011-07-XX
 </py:def>
 
 <py:def function="announcement_summary">
-XSS vulnerability on Tracking page.
+XSS in table Print view.
 </py:def>
 
 <py:def function="announcement_description">
-It was possible to create a crafted table name that leads to XSS. 
+The attacker must trick the victim into clicking a link that reaches phpMyAdmin's table print view script; one of the link's parameters is a crafted table name (the name containing Javascript code).
 </py:def>
 
 <py:def function="announcement_severity">
-We consider this vulnerability to be serious.
+We consider this vulnerability to be minor.
 </py:def>
 
 <py:def function="announcement_mitigation">
-This vulnerability works in the context of a shared phpMyAdmin installation.
-The attacker needs to convince a victim to go to the Tracking page that
-relates to the crafted table.
+The crafted table name must exist (the attacker must have access to create a table on the victim's server).
 </py:def>
 
 <py:def function="announcement_affected">
-The 3.3.x and 3.4.0 versions are affected.
+The 3.4.3.1 and earlier versions are affected.
 </py:def>
 
 <py:def function="announcement_solution">
-Upgrade to phpMyAdmin 3.3.10.1 or 3.4.1 or apply the related patch listed below.
+Upgrade to phpMyAdmin 3.4.3.2 or apply the related patch listed below.
 </py:def>
 
 <!--! Links to reporter etc, do not forget to escape & to & -->
 <py:def function="announcement_references">
-This issue was found by a person who wishes to be known as "dave b". 
+This issue was found by Norman Hippert from <a href="http://www.the-wildcat.de/">The-Wildcat.de</a>
 </py:def>
 
 <!--! CVE ID of the report, this is automatically added to references -->
-<py:def function="announcement_cve">CVE-2011-1940</py:def>
+<py:def function="announcement_cve">CVE-2011-XXXX</py:def>
 
 <py:def function="announcement_cwe">661 79</py:def>
 
 <py:def function="announcement_commits">
-7e10c132a3887c8ebfd7a8eee356b28375f1e287
-d3ccf798fdbd4f8a89d4088130637d8dee918492
-</py:def>
+a0823be05aa5835f207c0838b9cca67d2d9a050a
+4bd27166c314faa37cada91533b86377f4d4d214
 
-<py:def function="announcement_commits_3_3_10">
-1300510d3686b40adefafb7f1778a6f06d0a553a
-452669a1746898a08129d3a555ac4b1ec084b423
 </py:def>
 
 <xi:include href="_page.tpl" />
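Review bot: `announcement_affected` now reads "The 3.4.3.1 and earlier versions are affected", which taken literally includes 3.3.x, yet `announcement_solution` offers only 3.4.3.2 and the `announcement_commits_3_3_10` block is removed with no 3.3 replacement; either narrow the affected range or list the fix for the 3.3 branch. `2011-07-XX` and `CVE-2011-XXXX` are placeholders that need real values before publishing. Dropping the first `</py:def>` and reusing the later one leaves an empty line inside `announcement_commits` after the two hashes; remove it. The new description lists what the attacker has to do but never names the flaw itself, so a sentence saying what the print view does with the table name would help, and "Javascript" should be "JavaScript".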


hooks/post-receive
-- 
phpMyAdmin website



