phpmyadmin security problem

Bug #699649 reported by gondim
This bug report is a duplicate of: Bug #696857: Fix CVE-2010-4480 and CVE-2010-4481.
This bug affects 1 person
Affects              Status  Importance  Assigned to  Milestone
phpmyadmin (Ubuntu)  New     Undecided   Unassigned

Bug Description

Binary package hint: phpmyadmin

CVE-2010-4329

  Cross site scripting was possible in search, that allowed
  a remote attacker to inject arbitrary web script or HTML.

CVE-2010-4480

  Cross site scripting was possible in errors, that allowed
  a remote attacker to inject arbitrary web script or HTML.

CVE-2010-4481

  Display of PHP's phpinfo() function was available to world, but only
  if this functionality had been enabled (defaults to off). This may
  leak some information about the host system.

Description: Ubuntu 10.04.1 LTS
Release: 10.04

phpmyadmin:
  Instalado: 4:3.3.2-1
  Candidato: 4:3.3.2-1
  Tabela de versão:
 *** 4:3.3.2-1 0
        500 http://br.archive.ubuntu.com/ubuntu/ lucid/universe Packages
        100 /var/lib/dpkg/status

Here is an example:

http://127.0.0.1/phpmyadmin/error.php?type=This+is+a+client+side+hole+evidence&error=Client+side+attack+via+characters+injection[br]It%27s+possible+use+some+special+tags+too[br]Found+by+Tiger+Security+Tiger+Team+-+[a%40http://www.tigersecurity.it%40_self]This%20Is%20a%20Link[%2Fa]

Tags: phpmyadmin
visibility: private → public
This report contains Public Security information  
Everyone can see this security related information.
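
A log check for the request pattern shown in the report's example URL, added here as an illustration and not part of the original report or of phpMyAdmin: it scans access-log lines for error.php requests whose parameters carry an [a@URL@target] tag linking to a host outside an allowlist. The log format, the function names and the trusted_hosts allowlist are assumptions, and the sample lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (Apache combined-style), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [06/Jan/2011:10:00:00 +0000] "GET /phpmyadmin/error.php'
    '?type=Notice&error=Session+expired HTTP/1.1" 200 512',
    '192.0.2.11 - - [06/Jan/2011:10:00:05 +0000] "GET /phpmyadmin/error.php'
    '?type=Error&error=Login+again[br][a%40http://example.test/x%40_self]here[%2Fa]'
    ' HTTP/1.1" 200 640',
    '192.0.2.12 - - [06/Jan/2011:10:00:09 +0000] "GET /phpmyadmin/index.php'
    '?db=test HTTP/1.1" 200 2048',
]

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Link markup as it appears (percent-decoded) in the report's URL: [a@URL@target]
LINK_TAG_RE = re.compile(r'\[a@([^@\]]+)(?:@([^\]]*))?\]', re.I)

def inspect_request(target, trusted_hosts=frozenset()):
    """Return (param, url, host) for each link tag in an error.php request
    whose host is not in trusted_hosts (hypothetical allowlist)."""
    parts = urlsplit(target)
    if not parts.path.endswith('/error.php'):
        return []
    findings = []
    # parse_qs percent-decodes values, so %40 becomes '@' and '+' a space.
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        for value in values:
            for url, _window in LINK_TAG_RE.findall(value):
                try:
                    host = urlsplit(url).hostname or ''
                except ValueError:      # malformed URL inside the tag
                    host = ''
                if host not in trusted_hosts:
                    findings.append((name, url, host))
    return findings

def scan(lines, trusted_hosts=frozenset()):
    """Return [(client_ip, findings)] for every log line with a finding."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if m:
            found = inspect_request(m.group(1), trusted_hosts)
            if found:
                hits.append((line.split()[0], found))
    return hits

if __name__ == '__main__':
    for ip, found in scan(SAMPLE_LOG):
        print(ip, found)
```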
