Date: Tue, 16 Dec 2008 20:52:42 -0500 (EST)
From: "Steven M. Christey" <coley@...us.mitre.org>
To: oss-security@...ts.openwall.com
cc: Steven Christey <coley@...us.mitre.org>
Subject: Re: CVE request: phpMyAdmin < 3.1.1.0 (SQL injection through XSRF on several pages)
Two separate CVEs are assigned, one for the original milw0rm exploit and
the other for the unspecified vectors implied by the "XSRF on several
pages" wording in the PMASA-2008-10 advisory.
- Steve
======================================================
Name: CVE-2008-5621
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5621
Reference: MILW0RM:7382
Reference: URL:http://www.milw0rm.com/exploits/7382
Reference: CONFIRM:http://www.phpmyadmin.net/home_page/security/PMASA-2008-10.php
Reference: FEDORA:FEDORA-2008-11221
Reference: URL:https://www.redhat.com/archives/fedora-package-announce/2008-December/msg00784.html
Reference: FEDORA:FEDORA-2008-11221
Reference: URL:https://www.redhat.com/archives/fedora-package-announce/2008-December/msg00784.html
Reference: BID:32720
Reference: URL:http://www.securityfocus.com/bid/32720
Reference: SECUNIA:33076
Reference: URL:http://secunia.com/advisories/33076
Reference: SECUNIA:33146
Reference: URL:http://secunia.com/advisories/33146
Cross-site request forgery (CSRF) vulnerability in phpMyAdmin 2.11.x
before 2.11.9.4 and 3.x before 3.1.1.0 allows remote attackers to
perform unauthorized actions as the administrator via a link or IMG
tag to tbl_structure.php with a modified table parameter. NOTE: this
can be leveraged to conduct SQL injection attacks and execute
arbitrary code.
======================================================
Name: CVE-2008-5622
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5622
Reference: CONFIRM:http://www.phpmyadmin.net/home_page/security/PMASA-2008-10.php
Reference: FEDORA:FEDORA-2008-11221
Reference: URL:https://www.redhat.com/archives/fedora-package-announce/2008-December/msg00784.html
Reference: FEDORA:FEDORA-2008-11221
Reference: URL:https://www.redhat.com/archives/fedora-package-announce/2008-December/msg00784.html
Reference: SECUNIA:33146
Reference: URL:http://secunia.com/advisories/33146
Multiple cross-site request forgery (CSRF) vulnerabilities in
phpMyAdmin 2.11.x before 2.11.9.4 and 3.x before 3.1.1.0 allow remote
attackers to conduct SQL injection attacks via unknown vectors related
to the table parameter, a different vector than CVE-2008-5621.
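Both entries above describe the same defensive gap: a state-changing page reachable by a plain GET (a link or IMG tag) that then uses the `table` parameter inside SQL. The following PHP is an added illustration of the two controls that close that gap; it is not phpMyAdmin's code and does not reproduce the affected `tbl_structure.php`. It assumes a session-based application, a `mysqli` connection whose credentials are placeholders, and a request parameter named `token` (all hypothetical names).

```php
<?php
// Added illustration, not phpMyAdmin code. Hardening pattern for a request such as
// tbl_structure.php?table=...: (1) a per-session CSRF token the request must echo back,
// which a cross-site link or <img> cannot supply; (2) the table name validated against
// the tables that actually exist, then quoted as an identifier, so the parameter
// never reaches SQL as raw text.
declare(strict_types=1);

session_start();

// Issue one token per session; embed it in the forms and links the app itself renders.
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Refuse any request that does not carry the session token (constant-time compare).
function require_csrf_token(array $request): void {
    $sent = $request['token'] ?? '';
    if (!is_string($sent) || !hash_equals(csrf_token(), $sent)) {
        http_response_code(403);
        exit('missing or invalid CSRF token');
    }
}

// MySQL cannot bind an identifier, so the table name is checked against
// information_schema with a bound parameter and only then backtick-quoted.
function quoted_existing_table(mysqli $db, string $table): string {
    $stmt = $db->prepare(
        'SELECT TABLE_NAME FROM information_schema.TABLES '
        . 'WHERE TABLE_SCHEMA = DATABASE() AND TABLE_NAME = ?'
    );
    $stmt->bind_param('s', $table);
    $stmt->execute();
    $stmt->store_result();
    if ($stmt->num_rows !== 1) {
        http_response_code(400);
        exit('unknown table');
    }
    return '`' . str_replace('`', '``', $table) . '`';
}

// Example handler. Connection values are placeholders, not real credentials.
$db = new mysqli('localhost', 'DB_USER_PLACEHOLDER', 'DB_PASS_PLACEHOLDER', 'DB_NAME_PLACEHOLDER');
require_csrf_token($_GET);
$table = quoted_existing_table($db, (string)($_GET['table'] ?? ''));
$result = $db->query("SHOW COLUMNS FROM $table");
foreach ($result as $row) {
    echo htmlspecialchars($row['Field'], ENT_QUOTES), "\n";
}
```

Two points worth noting for anyone applying this pattern: the existence check is what blocks the injection path even if the CSRF check were bypassed, so it belongs on every page that accepts a table name, not only on the one named in CVE-2008-5621; and a token carried in a GET URL can leak through Referer headers and browser history, so operations that change state are better moved to POST with the token in the request body.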