Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 28 Oct 2008 14:53:58 -0400 (EDT)
From: "Steven M. Christey" <>
Subject: Re: CVE request phpmyadmin (Fwd: XSS in phpMyadmin)

We generally assign CVE's for issues requiring register_globals because
there are common configurations in which this is enabled, e.g. hosting
environments or older PHP deployments. Many PHP-based worms wouldn't
succeed without this setting.  Also, in some cases, the software requires
it.  Finally, in some cases, a researcher CLAIMS register_globals is
required but is erroneous (in this specific case, Secunia doesn't say
register_globals is required, and they typically do this.)

register_globals might limit the applicability to environments where the
admin doesn't (or can't) follow solid configuration practices, but it's
still feasible.

- Steve

Name: CVE-2008-4775
Status: Candidate
Reference: BUGTRAQ:20081027 XSS in phpMyadmin
Reference: URL:
Reference: BID:31928
Reference: URL:
Reference: SECUNIA:32449
Reference: URL:

Cross-site scripting (XSS) vulnerability in pmd_pdf.php in phpMyAdmin
3.0.0, and possibly other versions including and 3.0.1, when
register_globals is enabled, allows remote attackers to inject
arbitrary web script or HTML via the db parameter, a different vector
than CVE-2006-6942 and CVE-2007-5977.

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.