[Phpmyadmin-git] [SCM] phpMyAdmin website branch, master, updated. bf754acd5c4bd16f0bb3a4a11e108c2c172583b0

Marc Delisle lem9 at users.sourceforge.net
Wed Sep 14 14:05:22 CEST 2011

The branch, master has been updated
       via  bf754acd5c4bd16f0bb3a4a11e108c2c172583b0 (commit)
       via  d36188f3ea49e446dc015e7b8266929434cc218a (commit)
      from  385f0b3a7532f8b384d5990cc0642a20910b61ce (commit)

- Log -----------------------------------------------------------------
commit bf754acd5c4bd16f0bb3a4a11e108c2c172583b0
Merge: 385f0b3 d36188f
Author: Marc Delisle <marc at infomarc.info>
Date:   Wed Sep 14 08:04:04 2011 -0400

    Merge branch 'website-security'

commit d36188f3ea49e446dc015e7b8266929434cc218a
Author: Marc Delisle <marc at infomarc.info>
Date:   Mon Sep 12 13:01:06 2011 -0400

    PMASA-2011-14 proposal


Summary of changes:
 .../security/{PMASA-2011-11 => PMASA-2011-14}      |   20 ++++++++++----------
 1 files changed, 10 insertions(+), 10 deletions(-)
 copy templates/security/{PMASA-2011-11 => PMASA-2011-14} (57%)

diff --git a/templates/security/PMASA-2011-11 b/templates/security/PMASA-2011-14
similarity index 57%
copy from templates/security/PMASA-2011-11
copy to templates/security/PMASA-2011-14
index f6f98fd..570a21d 100644
--- a/templates/security/PMASA-2011-11
+++ b/templates/security/PMASA-2011-14
@@ -3,23 +3,23 @@
 <py:def function="announcement_id">
 <py:def function="announcement_date">
 <py:def function="announcement_summary">
-Local file inclusion vulnerability and code execution.
+Multiple XSS.
 <py:def function="announcement_description">
-In the 'relational schema' code a parameter was not sanitized before being used to concatenate a class name.
+Firstly, if a row contains javascript code, after inline editing this row and saving, the code is executed. Secondly, missing sanitization on the db, table and column names leads to XSS vulnerabilities.
 <py:def function="announcement_severity">
-We consider this vulnerability to be critical.
+We consider these vulnerabilities to be serious.
 <py:def function="announcement_mitigation">
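Review bot: no + or - line in this hunk touches the bodies of announcement_id or announcement_date, yet the file is a 57% copy of PMASA-2011-11, so please confirm those defs now read PMASA-2011-14 and this advisory's own date rather than the values carried over from the earlier advisory. Two wording points in the changed lines: the summary "Multiple XSS." reads better as "Multiple XSS vulnerabilities.", and in the description "javascript" should be capitalized as "JavaScript"; it would also help readers to say where the saved row content is echoed back unescaped, since the sentence currently only states that the code is executed after saving.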
@@ -27,25 +27,25 @@ An attacker must be logged in via phpMyAdmin to exploit this problem.
 <py:def function="announcement_affected">
-Versions 3.4.0 to are affected.
+Versions 3.4.0 to 3.4.4 were found vulnerable.
 <py:def function="announcement_solution">
-Upgrade to phpMyAdmin or apply the related patch listed below.
+Upgrade to phpMyAdmin 3.4.5 or apply the related patches listed below.
 <!--! Links to reporter etc, do not forget to escape & to & -->
 <py:def function="announcement_references">
-This issue was found by Norman Hippert from <a href="http://www.the-wildcat.de/">The-Wildcat.de</a>
+The first issue was found by Brad Bernard (<a href="http://iunfollow.com">iunfollow.com</a>). The second issue was found by Nils Juenemann (<a href="https://twitter.com/#!/totally_unknown">https://twitter.com/#!/totally_unknown</a>.) 
 <!--! CVE ID of the report, this is automatically added to references -->
-<py:def function="announcement_cve">CVE-2011-2718</py:def>
 <py:def function="announcement_cwe">661 98</py:def>
 <py:def function="announcement_commits">
 <xi:include href="_page.tpl" />
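Review bot: the announcement_cwe line "661 98" is left as unchanged context, but CWE-98 is the PHP file-inclusion weakness inherited from PMASA-2011-11 and does not describe the two XSS issues this advisory reports; it should become CWE-79 (661, the PHP-specific category, can stay). Removing the copied "CVE-2011-2718" is right, since that identifier belongs to the earlier advisory, but the comment just above notes that the CVE is added to the references automatically, so the announcement_cve def should be reinstated with the new identifier once it is assigned rather than dropped from the template. Minor: the references line ends with a trailing space and the closing period sits inside the parenthesis ("totally_unknown</a>.)"); it belongs after it.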

phpMyAdmin website
