Date: Wed, 01 Sep 2010 16:16:36 +0200
From: Jan Lieskovsky <>
To: "Steven M. Christey" <>
CC: oss-security <>,
        Marc Delisle <>,
        Michal Cihar <>
Subject: CVE Request -- phpMyAdmin - v3.6.6 -- XSS attack using debugging
 messages (CVE-2010-3056 discussion)

Hi Steve, vendors,

   on 2010-08-30 phpMyAdmin published PMASA-2010-6 addressing one XSS:

   Summary (from [1]):
     XSS attack using debugging messages.
   Description (from [1]):
     It was possible to conduct a XSS attack using error messages in PHP backtrace.

   Affected versions (from [1]):
   For 3.x: versions before 3.3.6 are affected.
   Branch 2.11.x is not affected by this

   Upstream commit:;a=commitdiff;h=133a77fac7d31a38703db2099a90c1b49de62e37

phpMyAdmin upstream seems to reference CVE-2010-3056 as the CVE id for this flaw.

But CVE-2010-3056 was previously assigned to:

which affected both (from [4]):
For 2.11.x: versions before are affected.
For 3.x: versions before are affected.

so this is a different issue and a new CVE id should be allocated (due to different
affected versions).

Could you please allocate one?

Thanks && Regards, Jan.
Jan iankko Lieskovsky / Red Hat Security Response Team
