Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Tue, 04 Oct 2011 14:50:19 -0400 (EDT)
From: Josh Bressers <bressers@...hat.com>
To: oss-security@...ts.openwall.com
Subject: Re: CVE Request -- phpPgAdmin -- Multiple XSS flaws fixed in v5.0.3

Please use CVE-2011-3598

Thanks.

-- 
    JB


----- Original Message -----
> Hello Josh, Steve, vendors,
> 
>    multiple cross-site scripting (XSS) flaws were reported in
>    phpPgAdmin:
> 
> 1) the 'title' argument of a particular web page was not sanitized
>     properly prior displaying the page header,
> 
> 2) the return ULR ('return_url') and return link name ('return_desc')
>     were not sanitized properly prior displaying the requested page
>     data.
> 
> A remote attacker could provide a specially-crafted URL, which once
> visited by an unsuspecting phpPgAdmin user could lead to arbitrary
> HTML
> or web script execution.
> 
> References:
> [1] https://secunia.com/advisories/46248/
> [2] https://bugs.gentoo.org/show_bug.cgi?id=385505
> [3] http://phppgadmin.sourceforge.net/doku.php?id=download
> [4]
> http://sourceforge.net/mailarchive/forum.php?thread_name=4E897F6C.90905%40free.fr&forum_name=phppgadmin-news
> 
> [5] https://bugzilla.redhat.com/show_bug.cgi?id=743205
> 
> Upstream patch:
> [6]
> https://github.com/phppgadmin/phppgadmin/commit/1df248203de055f97e092b50b1dd9643ccb73842
> 
> Could you allocate a CVE id for this?
> 
> Thank you && Regards, Jan.
> --
> Jan iankko Lieskovsky / Red Hat Security Response Team
> 

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.