CVE-2010-4480

Bug #913846 reported by Ante Karamatić
Affects               Status        Importance  Assigned to  Milestone
phpmyadmin (Ubuntu)   Fix Released  Undecided   Unassigned
Lucid                 Fix Released  Undecided   Unassigned

Bug Description

From http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4480:

error.php in PhpMyAdmin 3.3.8.1, and other versions before 3.4.0-beta1, allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted BBcode tag containing "@" characters, as demonstrated using "[a@url@page]".

Attached patch solves the problem, taken from Debian's package.
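As an added illustration of the mitigation (not the Debian patch or phpMyAdmin's own code), here is a renderer for the `[a@url@page]` BBcode syntax named in the CVE text that HTML-escapes both fields and refuses links whose scheme is not http(s); the tag grammar, the use of the second field as the link target and the scheme policy are assumptions of this example.

```python
import html
import re
from urllib.parse import urlsplit

# BBcode link tag in the [a@url@page] form named in the CVE text. Treating the
# second field as the link's target attribute is an assumption of this example.
# "@" is the field separator, so the fields split at the last "@" inside the
# brackets and each one is escaped before it reaches the HTML.
LINK_TAG = re.compile(r"\[a@([^\]]*)@([^\]@]*)\]")

# URL schemes that may become an href; anything else (javascript:, data:, ...)
# is shown as escaped text. Assumed policy for this illustration.
SAFE_SCHEMES = {"http", "https"}

def is_safe_url(url: str) -> bool:
    """Accept absolute http(s) URLs and same-origin relative paths only."""
    url = url.strip()
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    if parts.scheme:
        return parts.scheme.lower() in SAFE_SCHEMES
    # No scheme: allow relative paths but not protocol-relative "//host" links.
    return not url.startswith("//")

def render_link(match: re.Match) -> str:
    url, page = match.group(1), match.group(2)
    if not is_safe_url(url):
        # Refuse to render: the whole tag is emitted as literal, escaped text.
        return html.escape(match.group(0))
    # html.escape() turns <, >, &, " and ' into entities, so a crafted field
    # cannot close the attribute or inject new markup.
    return '<a href="{}" target="{}">{}</a>'.format(
        html.escape(url), html.escape(page), html.escape(url))

def sanitize(message: str) -> str:
    """Escape a message for HTML, re-enabling only vetted [a@url@page] links."""
    out, pos = [], 0
    for m in LINK_TAG.finditer(message):
        out.append(html.escape(message[pos:m.start()]))
        out.append(render_link(m))
        pos = m.end()
    out.append(html.escape(message[pos:]))
    return "".join(out)

if __name__ == "__main__":
    # Constructed inputs: one benign tag and two crafted ones.
    for msg in ("[a@url@page]", "[a@javascript:alert(1)@x]",
                '[a@url" onmouseover="alert(1)@x]'):
        print(sanitize(msg))
```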

Tags: patch

Ante Karamatić (ivoks) wrote:
Ubuntu Foundations Team Bug Bot (crichton) wrote:

The attachment "CVE-2010-4480.debdiff" of this bug report has been identified as being a patch in the form of a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. In the event that this is in fact not a patch, you can resolve this situation by removing the tag 'patch' from the bug report and editing the attachment so that it is not flagged as a patch. Additionally, if you are a member of the ubuntu-sponsors team, please also unsubscribe the team from this bug report.

[This is an automated message performed by a Launchpad user owned by Brian Murray. Please contact him regarding any issues with the action taken in this bug report.]

tags: added: patch
Andrew Starr-Bochicchio (andrewsomething) wrote:

Seems to be fixed in natty and above. Open a lucid-specific task as that is what the debdiff is targeting.

security vulnerability: no → yes
Changed in phpmyadmin (Ubuntu):
status: New → Confirmed
status: Confirmed → Fix Released
Marc Deslauriers (mdeslaur) wrote:

ACK on the debdiff. It's being built now and will release in a few hours.

BTW, there are about 20 other open CVEs in lucid:
http://people.canonical.com/~ubuntu-security/cve/pkg/phpmyadmin.html

Changed in phpmyadmin (Ubuntu Lucid):
status: New → Fix Committed
Marc Deslauriers (mdeslaur) wrote:

Whoops, forgot the LP tag in the changelog. Closing this bug manually.

Changed in phpmyadmin (Ubuntu Lucid):
status: Fix Committed → Fix Released