
Debian Bug report logs - #427151
CVE-2007-2865: cross-site scripting


Reported by: Florian Weimer <fw@deneb.enyo.de>

Date: Sat, 2 Jun 2007 07:27:02 UTC

Severity: important

Tags: security

Found in version phppgadmin/4.0.1-3.2

Fixed in version phppgadmin/4.1.2-1

Done: Isaac Clerencia <isaac@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Isaac Clerencia <isaac@debian.org>:
Bug#427151; Package phppgadmin.


Acknowledgement sent to Florian Weimer <fw@deneb.enyo.de>:
New Bug report received and forwarded. Copy sent to Isaac Clerencia <isaac@debian.org>.


Message #5 received at submit@bugs.debian.org:

From: Florian Weimer <fw@deneb.enyo.de>
To: submit@bugs.debian.org
Subject: CVE-2007-2865: cross-site scripting
Date: Sat, 02 Jun 2007 09:10:48 +0200
Package: phppgadmin
Version: 4.0.1-3.2
Tags: security
Severity: important

A cross-site scripting vulnerability has been disclosed in phppgadmin:


| There is a JavaScript code Injection in phpPgAdmin which fails to correctly
| sanitize user supplied data. As a result very simple XSS is possible. This
| was tested on phpPgAdmin 4.1.1 as a not-logged-in user.
| PoC:
| https://test.com/phpPgAdmin/sqledit.php?server=%3A5432%3Aallow');alert(document.cookie \
| );alert('phpPgAdmin%204.1.1%20XSS%20Vulnerability');// Regards Michal Majchrowicz.

<http://marc.info/?l=full-disclosure&m=117987658110713&w=2>

Please mention the name CVE-2007-2865 in the changelog when fixing
this bug.
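The defect class behind the report above, as an added illustration that is not phpPgAdmin's own code: a hypothetical PHP page that interpolates the `server` query parameter straight into an inline script, beside the same page with context-appropriate encoding. The function names, markup and sample value are assumptions.

```php
<?php
// Added illustration, not phpPgAdmin's code: a request parameter (here a
// "server" value such as sqledit.php receives) is written into an inline
// <script> string literal.

function render_unsafe(string $server): string
{
    // Raw interpolation into a single-quoted JS literal. A value containing
    // a ' closes the literal early and the remainder is parsed as code,
    // which is what the quoted PoC relies on.
    return "<script>var server = '" . $server . "';</script>";
}

function render_safe(string $server): string
{
    // Encode for the context the value lands in. json_encode() yields a
    // complete JS string literal; the HEX flags escape < > & ' " as \uXXXX,
    // so the value can neither end the literal nor close the <script> tag.
    $js = json_encode($server,
        JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP);
    if ($js === false) {
        // json_encode() returns false on invalid UTF-8; never fall through
        // to the raw value in that case.
        $js = '""';
    }
    // The same value shown in markup needs HTML encoding instead.
    $html = htmlspecialchars($server, ENT_QUOTES, 'UTF-8');
    return "<script>var server = " . $js . ";</script>\n"
         . "<p>Server: " . $html . "</p>";
}

// Constructed input modelled on the payload quoted in the report
// (already URL-decoded, as PHP hands it over in $_GET).
$server = ":5432:allow');alert(document.cookie);//";

echo render_unsafe($server), "\n"; // the ' breaks out of the literal
echo render_safe($server), "\n";   // the whole value stays one JS string
```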



Reply sent to Isaac Clerencia <isaac@debian.org>:
You have taken responsibility.


Notification sent to Florian Weimer <fw@deneb.enyo.de>:
Bug acknowledged by developer.


Message #10 received at 427151-close@bugs.debian.org:

From: Isaac Clerencia <isaac@debian.org>
To: 427151-close@bugs.debian.org
Subject: Bug#427151: fixed in phppgadmin 4.1.2-1
Date: Sat, 02 Jun 2007 14:02:08 +0000
Source: phppgadmin
Source-Version: 4.1.2-1

We believe that the bug you reported is fixed in the latest version of
phppgadmin, which is due to be installed in the Debian FTP archive:

phppgadmin_4.1.2-1.diff.gz
  to pool/main/p/phppgadmin/phppgadmin_4.1.2-1.diff.gz
phppgadmin_4.1.2-1.dsc
  to pool/main/p/phppgadmin/phppgadmin_4.1.2-1.dsc
phppgadmin_4.1.2-1_all.deb
  to pool/main/p/phppgadmin/phppgadmin_4.1.2-1_all.deb
phppgadmin_4.1.2.orig.tar.gz
  to pool/main/p/phppgadmin/phppgadmin_4.1.2.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 427151@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Isaac Clerencia <isaac@debian.org> (supplier of updated phppgadmin package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.7
Date: Sat, 02 Jun 2007 14:25:23 +0200
Source: phppgadmin
Binary: phppgadmin
Architecture: source all
Version: 4.1.2-1
Distribution: unstable
Urgency: low
Maintainer: Isaac Clerencia <isaac@debian.org>
Changed-By: Isaac Clerencia <isaac@debian.org>
Description: 
 phppgadmin - Set of PHP scripts to administrate PostgreSQL over the WWW
Closes: 405849 411057 413772 417007 427151
Changes: 
 phppgadmin (4.1.2-1) unstable; urgency=low
 .
   * New upstream release
     * Fixes security bug (CVE-2007-2865), closes: #427151
   * Update configuration files
   * Prefer php5 over php4 on install
   * NMU acknowledge, closes: #405849, #411057, #413772, #417007
Files: 
 770de4b03dbe0dafbdf7314f92719b87 635 web extra phppgadmin_4.1.2-1.dsc
 c6b26b992f683f198384121ad0e6c1ea 817788 web extra phppgadmin_4.1.2.orig.tar.gz
 c8fe337c8973189d4866f892ec8802e9 13102 web extra phppgadmin_4.1.2-1.diff.gz
 cc2e6e3e45310aaa87c52f9cdea9c32c 807066 web extra phppgadmin_4.1.2-1_all.deb





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 12 Jul 2007 07:43:28 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:15:33 2019; Machine Name: beach
