[Bug 896635] New: phpMyAdmin: XSRF/CSRF due to DOM based XSS in the micro history feature
https://bugzilla.novell.com/show_bug.cgi?id=896635
https://bugzilla.novell.com/show_bug.cgi?id=896635#c0

           Summary: phpMyAdmin: XSRF/CSRF due to DOM based XSS in the micro history feature
    Classification: openSUSE
           Product: openSUSE 13.1
           Version: Final
          Platform: All
        OS/Version: openSUSE 13.1
            Status: NEW
          Severity: Normal
          Priority: P5 - None
         Component: Security
        AssignedTo: security-team@suse.de
        ReportedBy: Andreas.Stieger@gmx.de
         QAContact: qa-bugs@suse.de
                CC: security-team@suse.de, chris@computersalat.de, ecsos@schirra.net
          Found By: ---
           Blocker: ---
From http://www.phpmyadmin.net/home_page/security/PMASA-2014-10.php
Announcement-ID: PMASA-2014-10
Date: 2014-09-13
Summary: XSRF/CSRF due to DOM based XSS in the micro history feature
Description: By deceiving a logged-in user to click on a crafted URL, it is possible to perform remote code execution and in some cases, create a root account due to a DOM based XSS vulnerability in the micro history feature.
Severity: We consider this vulnerability to be critical.
Affected Versions:
  4.0.x < 4.0.10.3
  4.1.x < 4.1.14.4
  4.2.x < 4.2.8.1

Current:
  openSUSE:13.1:Update     4.1.14.3
  openSUSE:12.3:Update     4.1.14.3
  server:php:applications  4.2.8.1
  openSUSE:Factory:        above submitted
  SLE 10:                  not shipped
  SLE 11:                  not shipped

--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=896635#c

Andreas Stieger <Andreas.Stieger@gmx.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Priority|P5 - None                   |P3 - Medium
             Status|NEW                         |ASSIGNED
         AssignedTo|security-team@suse.de       |Andreas.Stieger@gmx.de
https://bugzilla.novell.com/show_bug.cgi?id=896635#c1

Andreas Stieger <Andreas.Stieger@gmx.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |NEEDINFO
       InfoProvider|                            |security-team@suse.de

--- Comment #1 from Andreas Stieger <Andreas.Stieger@gmx.de> 2014-09-14 21:25:56 UTC ---
Please review maintenance request #249178 taking phpMyAdmin to 4.1.14.4 for openSUSE 12.3 and 13.1

Chris...?
https://bugzilla.novell.com/show_bug.cgi?id=896635#c2

--- Comment #2 from Christian Wittmer <chris@computersalat.de> 2014-09-14 21:38:54 UTC ---
Uhmmm, didn't think you would fix this.
Created #249179
https://bugzilla.novell.com/show_bug.cgi?id=896635#c3

Andreas Stieger <Andreas.Stieger@gmx.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |Andreas.Stieger@gmx.de
         AssignedTo|Andreas.Stieger@gmx.de      |chris@computersalat.de

--- Comment #3 from Andreas Stieger <Andreas.Stieger@gmx.de> 2014-09-14 21:41:57 UTC ---
(In reply to comment #2)
> Uhmmm, didn't think you would fix this.
> Created #249179

No problem. Shall we just go with yours?
https://bugzilla.novell.com/show_bug.cgi?id=896635#c4

--- Comment #4 from Christian Wittmer <chris@computersalat.de> 2014-09-14 21:49:27 UTC ---
(In reply to comment #3)
> (In reply to comment #2)
> > Uhmmm, didn't think you would fix this.
> > Created #249179
>
> No problem. Shall we just go with yours?

Ok, thanks. Let's go with mine.
https://bugzilla.novell.com/show_bug.cgi?id=896635#c5

--- Comment #5 from Bernhard Wiedemann <bwiedemann@suse.com> 2014-09-15 00:00:19 CEST ---
This is an autogenerated message for OBS integration:
This bug (896635) was mentioned in
https://build.opensuse.org/request/show/249177 Factory / phpMyAdmin
https://build.opensuse.org/request/show/249179 13.1+12.3 / phpMyAdmin