[Phpmyadmin-git] [SCM] phpMyAdmin website branch, master, updated. e44eb2866f5210b701416b82c29af918841ec666

Marc Delisle lem9 at users.sourceforge.net
Sun May 22 12:28:20 CEST 2011


The branch, master has been updated
       via  e44eb2866f5210b701416b82c29af918841ec666 (commit)
      from  a1be72d541e6f3d1283065bb91f8f3c3e4fc0359 (commit)


- Log -----------------------------------------------------------------
commit e44eb2866f5210b701416b82c29af918841ec666
Author: Marc Delisle <marc at infomarc.info>
Date:   Sun May 22 06:28:04 2011 -0400

    PMASA-2011-3 and -4

-----------------------------------------------------------------------

Summary of changes:
 templates/security/{PMASA-2011-2 => PMASA-2011-3} |   34 +++++++-------
 templates/security/PMASA-2011-4                   |   50 +++++++++++++++++++++
 2 files changed, 68 insertions(+), 16 deletions(-)
 copy templates/security/{PMASA-2011-2 => PMASA-2011-3} (50%)
 create mode 100644 templates/security/PMASA-2011-4

diff --git a/templates/security/PMASA-2011-2 b/templates/security/PMASA-2011-3
similarity index 50%
copy from templates/security/PMASA-2011-2
copy to templates/security/PMASA-2011-3
index 8dfca27..cb973dd 100644
--- a/templates/security/PMASA-2011-2
+++ b/templates/security/PMASA-2011-3
@@ -3,55 +3,57 @@
 
 
 <py:def function="announcement_id">
-PMASA-2011-2
+PMASA-2011-3
 </py:def>
 
 <py:def function="announcement_date">
-2011-02-11
+2011-05-22
 </py:def>
 
 <py:def function="announcement_summary">
-SQL query could be executed under another user.
+XSS vulnerability on Tracking page
 </py:def>
 
 <py:def function="announcement_description">
-It was possible to create a bookmark which would be executed unintentionally by other users.
+It was possible to create a crafted table name that leads to XSS. 
 </py:def>
 
 <py:def function="announcement_severity">
-We consider this vulnerability to be critical.
+We consider this vulnerability to be serious.
 </py:def>
 
 <py:def function="announcement_mitigation">
-To use this vulnerability, phpMyAdmin configuration storage needs to be
-set up and enabled and bookmarks function needs to be enabled.
+This vulnerability works in the context of a shared phpMyAdmin installation.
+The attacker needs to convince a victim to go to the Tracking page that
+relates to the crafted table.
 </py:def>
 
 <py:def function="announcement_affected">
-The 2.11.x and 3.3.x versions are affected.
+The 3.3.x and 3.4.0 versions are affected.
 </py:def>
 
 <py:def function="announcement_solution">
-Upgrade to phpMyAdmin 3.3.9.2 or newer (2.11.11.3 or newer for the older
-family) or apply the related patch listed below.
+Upgrade to phpMyAdmin 3.3.10.1 or 3.4.1 or apply the related patch listed below.
 </py:def>
 
 <!--! Links to reporter etc, do not forget to escape & to & -->
 <py:def function="announcement_references">
-This issue was found by <a href="http://cihar.com/">Michal Čihař</a>.
+This issue was found by a person who wishes to be known as "dave b". 
 </py:def>
 
 <!--! CVE ID of the report, this is automatically added to references -->
-<py:def function="announcement_cve">CVE-2011-0987</py:def>
+<py:def function="announcement_cve">CVE-2011-XXXX</py:def>
 
-<py:def function="announcement_cwe">661 89</py:def>
+<py:def function="announcement_cwe">661 79</py:def>
 
 <py:def function="announcement_commits">
-a5464b4daff0059cdf8c9e5f4d54a80e2dd2a5b0
+7e10c132a3887c8ebfd7a8eee356b28375f1e287
+d3ccf798fdbd4f8a89d4088130637d8dee918492
 </py:def>
 
-<py:def function="announcement_commits_2_11">
-2fa4c8d97a92ae0d4e2051d5d18a18688c31f84f
+<py:def function="announcement_commits_3_3_10">
+1300510d3686b40adefafb7f1778a6f06d0a553a
+452669a1746898a08129d3a555ac4b1ec084b423
 </py:def>
 
 <xi:include href="_page.tpl" />
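Review bot: The `announcement_cve` def is left as the literal placeholder `CVE-2011-XXXX`, and the comment above it says the value is automatically added to references, so the published PMASA-2011-3 page will cite a non-existent CVE identifier; either fill in the assigned ID before this goes live or leave the def empty until it is known. Two smaller points in the same hunk: the replaced description and reporter lines carry trailing whitespace (`It was possible to create a crafted table name that leads to XSS. ` and `... known as "dave b". `), and the new mitigation text would read more precisely as a condition on the installation ("This vulnerability is only exploitable on a shared phpMyAdmin installation, where the attacker can create a table with a crafted name") than as "works in the context of", so readers know which deployments actually need the upgrade.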
diff --git a/templates/security/PMASA-2011-4 b/templates/security/PMASA-2011-4
new file mode 100644
index 0000000..1ebbfda
--- /dev/null
+++ b/templates/security/PMASA-2011-4
@@ -0,0 +1,50 @@
+<!--! Template for security announcement -->
+<html xmlns:py="http://genshi.edgewall.org/" xmlns:xi="http://www.w3.org/2001/XInclude" py:strip="">
+
+
+<py:def function="announcement_id">
+PMASA-2011-4
+</py:def>
+
+<py:def function="announcement_date">
+2011-05-22
+</py:def>
+
+<py:def function="announcement_summary">
+URL redirection to untrusted site
+</py:def>
+
+<py:def function="announcement_description">
+It was possible to redirect to an arbitrary, untrusted site, leading to
+a possible phishing attack.
+</py:def>
+
+<py:def function="announcement_severity">
+We consider this vulnerability to be serious.
+</py:def>
+
+<py:def function="announcement_affected">
+The 3.4.0 version is affected.
+</py:def>
+
+<py:def function="announcement_solution">
+Upgrade to phpMyAdmin 3.4.1 or apply the related patch listed below.
+</py:def>
+
+<!--! Links to reporter etc, do not forget to escape & to & -->
+<py:def function="announcement_references">
+This issue was found by Kian Mohageri. 
+</py:def>
+
+<!--! CVE ID of the report, this is automatically added to references -->
+<py:def function="announcement_cve">CVE-2011-XXXX</py:def>
+
+<py:def function="announcement_cwe">661 601</py:def>
+
+<py:def function="announcement_commits">
+b7a8179eb6bf0f1643970ac57a70b5b513a1cd4f
+ecfc8ba4f7b4ea612c58ab5726054ed0f28e200d
+</py:def>
+
+<xi:include href="_page.tpl" />
+</html>
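Review bot: The new PMASA-2011-4 template has no `announcement_mitigation` def, although the sibling PMASA-2011-3 template in this same commit defines one and `_page.tpl` is included for both; if the shared page template references that function, this announcement will either fail to render or silently omit the mitigation section. Suggest adding a mitigation def stating the precondition visible in the description (the victim has to follow a crafted link to the installation for the redirect to take effect). As in the other file, `announcement_cve` is the placeholder `CVE-2011-XXXX` and is auto-added to references, so it should be filled in or left empty before publishing, and the reporter line `This issue was found by Kian Mohageri. ` has trailing whitespace.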


hooks/post-receive
-- 
phpMyAdmin website