Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

[ MDVSA-2011:000 ] phpmyadmin
From: security () mandriva com
Date: Wed, 05 Jan 2011 17:38:01 +0100

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2011:000
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : phpmyadmin
 Date    : January 5, 2011
 Affected: Corporate 4.0, Enterprise Server 5.0
 _______________________________________________________________________

 Problem Description:

 Multiple vulnerabilities has been found and corrected in phpmyadmin:
 
 error.php in PhpMyAdmin 3.3.8.1 and earlier allows remote attackers
 to conduct cross-site scripting (XSS) attacks via a crafted BBcode
 tag containing @ characters, as demonstrated using [a () url@page]
 (CVE-2010-4480).
 
 phpMyAdmin before 3.4.0-beta1 allows remote attackers to bypass
 authentication and obtain sensitive information via a direct request
 to phpinfo.php, which calls the phpinfo function (CVE-2010-4481).
 
 This upgrade provides the latest phpmyadmin version for MES5 (3.3.9)
 and patches the version for CS4 to address these vulnerabilities.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4480
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4481
 http://www.phpmyadmin.net/home_page/security/PMASA-2010-9.php
 http://www.phpmyadmin.net/home_page/security/PMASA-2010-10.php
 _______________________________________________________________________

 Updated Packages:

 Corporate 4.0:
 d07101ccc36cf4e67ae86a8ddc5d5310  corporate/4.0/i586/phpMyAdmin-2.11.11.1-0.2.20060mlcs4.noarch.rpm 
 b30f2eea3b1c157c528bd44ba2576f5d  corporate/4.0/SRPMS/phpMyAdmin-2.11.11.1-0.2.20060mlcs4.src.rpm

 Corporate 4.0/X86_64:
 b327495c075fd3eaa4809b3e3bd07984  corporate/4.0/x86_64/phpMyAdmin-2.11.11.1-0.2.20060mlcs4.noarch.rpm 
 b30f2eea3b1c157c528bd44ba2576f5d  corporate/4.0/SRPMS/phpMyAdmin-2.11.11.1-0.2.20060mlcs4.src.rpm

 Mandriva Enterprise Server 5:
 d0c008da55aa4fa7fe0892d15e15a87a  mes5/i586/phpmyadmin-3.3.9-0.1mdvmes5.1.noarch.rpm 
 17ffcad097ff3dfee9d679c85ffd3ef9  mes5/SRPMS/phpmyadmin-3.3.9-0.1mdvmes5.1.src.rpm

 Mandriva Enterprise Server 5/X86_64:
 86d7b84ba88a87e5cc18c7531b7c8e95  mes5/x86_64/phpmyadmin-3.3.9-0.1mdvmes5.1.noarch.rpm 
 17ffcad097ff3dfee9d679c85ffd3ef9  mes5/SRPMS/phpmyadmin-3.3.9-0.1mdvmes5.1.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFNJHJymqjQ0CJFipgRAjlRAKC+XaFLBg12smTRby8c+8BMIAlM4gCeO2QZ
byumLQxKE5Xc5noo8UpIlFM=
=BETQ
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
  • [ MDVSA-2011:000 ] phpmyadmin security (Jan 05)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]