Message-ID: <Pine.GSO.4.51.0812162050070.5724@faron.mitre.org>
Date: Tue, 16 Dec 2008 20:52:42 -0500 (EST)
From: "Steven M. Christey" <coley@...us.mitre.org>
To: oss-security@...ts.openwall.com
cc: Steven Christey <coley@...us.mitre.org>
Subject: Re: CVE request: phpMyAdmin < 3.1.1.0 (SQL injection through XSRF on several pages)

Two separate CVEs are assigned, one for the original milw0rm exploit and the
other for the unspecified vectors implied by the "XSRF on several pages"
wording in the PMASA-2008-10 advisory.

- Steve

======================================================
Name: CVE-2008-5621
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5621
Reference: MILW0RM:7382
Reference: URL:http://www.milw0rm.com/exploits/7382
Reference: CONFIRM:http://www.phpmyadmin.net/home_page/security/PMASA-2008-10.php
Reference: FEDORA:FEDORA-2008-11221
Reference: URL:https://www.redhat.com/archives/fedora-package-announce/2008-December/msg00784.html
Reference: FEDORA:FEDORA-2008-11221
Reference: URL:https://www.redhat.com/archives/fedora-package-announce/2008-December/msg00784.html
Reference: BID:32720
Reference: URL:http://www.securityfocus.com/bid/32720
Reference: SECUNIA:33076
Reference: URL:http://secunia.com/advisories/33076
Reference: SECUNIA:33146
Reference: URL:http://secunia.com/advisories/33146

Cross-site request forgery (CSRF) vulnerability in phpMyAdmin 2.11.x before
2.11.9.4 and 3.x before 3.1.1.0 allows remote attackers to perform
unauthorized actions as the administrator via a link or IMG tag to
tbl_structure.php with a modified table parameter. NOTE: this can be
leveraged to conduct SQL injection attacks and execute arbitrary code.

======================================================
Name: CVE-2008-5622
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5622
Reference: CONFIRM:http://www.phpmyadmin.net/home_page/security/PMASA-2008-10.php
Reference: FEDORA:FEDORA-2008-11221
Reference: URL:https://www.redhat.com/archives/fedora-package-announce/2008-December/msg00784.html
Reference: FEDORA:FEDORA-2008-11221
Reference: URL:https://www.redhat.com/archives/fedora-package-announce/2008-December/msg00784.html
Reference: SECUNIA:33146
Reference: URL:http://secunia.com/advisories/33146

Multiple cross-site request forgery (CSRF) vulnerabilities in phpMyAdmin
2.11.x before 2.11.9.4 and 3.x before 3.1.1.0 allow remote attackers to
conduct SQL injection attacks via unknown vectors related to the table
parameter, a different vector than CVE-2008-5621.
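The two CVEs above describe one defect chain: a page that acts on a `table` parameter without an anti-forgery token, and then treats that parameter as SQL text rather than as an identifier. The following is an added illustration of that chain and of the two independent fixes it needs; it is example code written for this page, not phpMyAdmin's code, and it uses a constructed in-memory SQLite schema and a hypothetical request/session dictionary shape in place of a real PHP request.

```python
import hmac
import secrets
import sqlite3


class CsrfError(Exception):
    """Raised when a request does not carry the session's anti-forgery token."""


def make_db():
    # Constructed stand-in for the database schema the admin tool manages.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    db.execute("INSERT INTO users VALUES (1, 'admin')")
    return db


def new_session():
    # Per-session token; unpredictable to a third-party site, so a forged
    # cross-site request cannot include it.
    return {"csrf_token": secrets.token_hex(16)}


def vulnerable_table_structure(db, request):
    # Pre-fix pattern: no token check and the table name is spliced straight
    # into SQL. Any request the victim's browser can be induced to send
    # (a link or IMG tag, as in CVE-2008-5621) is honoured with admin rights.
    return db.execute(f"SELECT * FROM {request['table']}").fetchall()


def hardened_table_structure(db, session, request):
    # Fix 1: bind the action to the session with a token, compared in
    # constant time so the check itself leaks nothing.
    if not hmac.compare_digest(request.get("token", ""), session["csrf_token"]):
        raise CsrfError("missing or invalid anti-forgery token")
    # Fix 2: the table name is an identifier, never SQL text. Allow-list it
    # against the catalogue, then quote it as an identifier.
    known = {r[0] for r in db.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table'")}
    table = request["table"]
    if table not in known:
        raise ValueError(f"unknown table {table!r}")
    quoted = '"' + table.replace('"', '""') + '"'
    return db.execute(f"SELECT * FROM {quoted}").fetchall()
```

The token check alone stops the cross-site trigger; the identifier allow-list alone stops the injection. Both are needed, because a logged-in user can still send a crafted parameter directly.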