Date: Tue, 28 Oct 2008 14:53:58 -0400 (EDT) From: "Steven M. Christey" <coley@...us.mitre.org> To: oss-security@...ts.openwall.com cc: coley@...re.org Subject: Re: CVE request phpmyadmin (Fwd: XSS in phpMyadmin) We generally assign CVE's for issues requiring register_globals because there are common configurations in which this is enabled, e.g. hosting environments or older PHP deployments. Many PHP-based worms wouldn't succeed without this setting. Also, in some cases, the software requires it. Finally, in some cases, a researcher CLAIMS register_globals is required but is erroneous (in this specific case, Secunia doesn't say register_globals is required, and they typically do this.) register_globals might limit the applicability to environments where the admin doesn't (or can't) follow solid configuration practices, but it's still feasible. - Steve ====================================================== Name: CVE-2008-4775 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4775 Reference: BUGTRAQ:20081027 XSS in phpMyadmin Reference: URL:http://www.securityfocus.com/archive/1/archive/1/497815/100/0/threaded Reference: BID:31928 Reference: URL:http://www.securityfocus.com/bid/31928 Reference: SECUNIA:32449 Reference: URL:http://secunia.com/advisories/32449 Cross-site scripting (XSS) vulnerability in pmd_pdf.php in phpMyAdmin 3.0.0, and possibly other versions including 188.8.131.52 and 3.0.1, when register_globals is enabled, allows remote attackers to inject arbitrary web script or HTML via the db parameter, a different vector than CVE-2006-6942 and CVE-2007-5977.
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.