Debian Bug report logs -
#427151
CVE-2007-2865: cross-site scripting
Reported by: Florian Weimer <fw@deneb.enyo.de>
Date: Sat, 2 Jun 2007 07:27:02 UTC
Severity: important
Tags: security
Found in version phppgadmin/4.0.1-3.2
Fixed in version phppgadmin/4.1.2-1
Done: Isaac Clerencia <isaac@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, Isaac Clerencia <isaac@debian.org>: Bug#427151; Package phppgadmin.
Acknowledgement sent to Florian Weimer <fw@deneb.enyo.de>: New Bug report received and forwarded. Copy sent to Isaac Clerencia <isaac@debian.org>.
Message #5 received at submit@bugs.debian.org:
Package: phppgadmin
Version: 4.0.1-3.2
Tags: security
Severity: important
A cross-site scripting vulnerability has been disclosed in phppgadmin:
| There is a JavaScript code injection in phpPgAdmin which fails to correctly
| sanitize user-supplied data. As a result very simple XSS is possible. This
| was tested on phpPgAdmin 4.1.1 as a non-logged-in user.
| PoC:
| https://test.com/phpPgAdmin/sqledit.php?server=%3A5432%3Aallow');alert(document.cookie);alert('phpPgAdmin%204.1.1%20XSS%20Vulnerability');//
| Regards Michal Majchrowicz.
<http://marc.info/?l=full-disclosure&m=117987658110713&w=2>
Please mention the name CVE-2007-2865 in the changelog when fixing
this bug.
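As an added illustration (not phpPgAdmin's own code, which is PHP), the following Python reconstructs the bug class the quoted advisory describes: the `server` query parameter reflected unescaped into a JavaScript string literal, so that a value ending the literal with `')` runs as code. The page template, the `js_string` encoder and the `injected_code` check are hypothetical; the only input taken from the page is the PoC URL quoted above.

```python
"""Added illustration of the bug class behind CVE-2007-2865: the `server` query
parameter reflected into a JavaScript string literal. phpPgAdmin itself is PHP;
this Python stand-in is hypothetical, not the project's code."""
import json
from urllib.parse import unquote_plus, urlsplit

# Constructed input: the PoC URL quoted in the bug report, rejoined on one line.
POC_URL = ("https://test.com/phpPgAdmin/sqledit.php?server=%3A5432%3Aallow');"
           "alert(document.cookie);alert('phpPgAdmin%204.1.1%20XSS%20Vulnerability');//")
PREFIX, SUFFIX = "<script>var server = ", ";</script>"

def server_param(url: str) -> str:
    """Return the URL-decoded 'server' query value as the application would see it."""
    for pair in urlsplit(url).query.split("&"):
        name, _, value = pair.partition("=")
        if name == "server":
            return unquote_plus(value)
    return ""

def render_vulnerable(server: str) -> str:
    """The reported pattern: raw interpolation into a single-quoted JS literal."""
    return f"{PREFIX}'{server}'{SUFFIX}"

def js_string(value: str) -> str:
    """Encode for a JS string context: JSON-quote, then \\u-escape characters
    that could close the literal or the enclosing <script> element."""
    encoded = json.dumps(value)  # escapes ", backslash, control and non-ASCII chars
    for ch, esc in (("<", "\\u003c"), (">", "\\u003e"), ("&", "\\u0026"), ("'", "\\u0027")):
        encoded = encoded.replace(ch, esc)
    return encoded

def render_fixed(server: str) -> str:
    """Hardened rendering: the value cannot leave the string literal."""
    return f"{PREFIX}{js_string(server)}{SUFFIX}"

def injected_code(html: str) -> str:
    """Return whatever follows the first complete string literal of the rendered
    assignment; an empty string means the value stayed inside the literal."""
    body = html[len(PREFIX):-len(SUFFIX)]
    quote, i = body[0], 1
    while i < len(body):
        if body[i] == "\\":
            i += 2  # skip the escaped character
            continue
        if body[i] == quote:
            return body[i + 1:]
        i += 1
    return body  # unterminated literal: treat as suspicious
```

Running `injected_code` over both renderings of the PoC value shows the vulnerable template leaking `);alert(document.cookie);...` outside the literal, while the hardened template keeps the whole value inside it.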
Reply sent to Isaac Clerencia <isaac@debian.org>: You have taken responsibility.
Notification sent to Florian Weimer <fw@deneb.enyo.de>: Bug acknowledged by developer.
Message #10 received at 427151-close@bugs.debian.org:
Source: phppgadmin
Source-Version: 4.1.2-1
We believe that the bug you reported is fixed in the latest version of
phppgadmin, which is due to be installed in the Debian FTP archive:
phppgadmin_4.1.2-1.diff.gz
to pool/main/p/phppgadmin/phppgadmin_4.1.2-1.diff.gz
phppgadmin_4.1.2-1.dsc
to pool/main/p/phppgadmin/phppgadmin_4.1.2-1.dsc
phppgadmin_4.1.2-1_all.deb
to pool/main/p/phppgadmin/phppgadmin_4.1.2-1_all.deb
phppgadmin_4.1.2.orig.tar.gz
to pool/main/p/phppgadmin/phppgadmin_4.1.2.orig.tar.gz
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 427151@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Isaac Clerencia <isaac@debian.org> (supplier of updated phppgadmin package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
Format: 1.7
Date: Sat, 02 Jun 2007 14:25:23 +0200
Source: phppgadmin
Binary: phppgadmin
Architecture: source all
Version: 4.1.2-1
Distribution: unstable
Urgency: low
Maintainer: Isaac Clerencia <isaac@debian.org>
Changed-By: Isaac Clerencia <isaac@debian.org>
Description:
phppgadmin - Set of PHP scripts to administrate PostgreSQL over the WWW
Closes: 405849 411057 413772 417007 427151
Changes:
phppgadmin (4.1.2-1) unstable; urgency=low

  * New upstream release
  * Fixes security bug (CVE-2007-2865), closes: #427151
  * Update configuration files
  * Prefer php5 over php4 on install
  * NMU acknowledge, closes: #405849, #411057, #413772, #417007
Files:
770de4b03dbe0dafbdf7314f92719b87 635 web extra phppgadmin_4.1.2-1.dsc
c6b26b992f683f198384121ad0e6c1ea 817788 web extra phppgadmin_4.1.2.orig.tar.gz
c8fe337c8973189d4866f892ec8802e9 13102 web extra phppgadmin_4.1.2-1.diff.gz
cc2e6e3e45310aaa87c52f9cdea9c32c 807066 web extra phppgadmin_4.1.2-1_all.deb
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org (Thu, 12 Jul 2007 07:43:28 GMT).
Last modified: Wed Jun 19 16:15:33 2019