Bug 11844 - php - XSS vulnerabilities
Status: CLOSED FIXED
Product: Security
Classification: Unclassified
Component: General / Other Security Issue
: unspecified
: Other other
: P2 normal
Assigned To: Security
http://www.phpmyadmin.net/home_page/s...
Reported: 2006-05-13 16:21 UTC by Ladislav Hagara (lace)
Modified: 2006-06-11 11:02 UTC (History)

hgr: fixed_in_lesser_branch+
v.merkatz: integrate_to_stable_grimoire+
v.merkatz: integrate_to_stable-rc_grimoire+
seth: sm-security_note_sent+


Description Ladislav Hagara (lace) 2006-05-13 16:21:01 UTC
New version of phpMyAdmin fixes:

    * XSS vulnerability (set_theme)
    * mysqli problems with zend.ze1_compatibility_mode enabled
    * setup script did not save the mysql/mysqli extension
    * XSS vulnerability (calling directly css files under themes)
    * other XSS vulnerabilities (lang, theme, db)

This contains security fixes. Version 2.8.0.4 should be integrated to stable-rc
and stable.

p4 changes 79245 (devel) and 79246 (test).
Comment 1 Ladislav Hagara (lace) 2006-05-13 16:27:26 UTC
Seems if it is "Product: Security" there aren't choices for:
"fixed in lesser branch" and "integrate to $BRANCH grimoire"

Changed "Product" to Codex.
Comment 2 Ladislav Hagara (lace) 2006-05-13 16:29:02 UTC
setting flags to ?
Comment 3 Arwed v. Merkatz 2006-05-13 16:35:07 UTC
Looks good, can be integrated.
Comment 4 Ladislav Hagara (lace) 2006-05-13 16:43:13 UTC
Integrated/fixed.
Comment 5 Ladislav Hagara (lace) 2006-05-13 16:53:27 UTC
email to sm-security sent
http://lists.ibiblio.org/pipermail/sm-security/2006-May/000492.html
Comment 6 Seth Woolley 2006-05-13 17:40:00 UTC
I'd like to leave this in security component for historical searching

The flags weren't very useful to use because we usually just have the fixer
integrate to stable.  Security updates have bypassed other processes.

It's easy to add those flags to security.  I've just done that now.  I've also
added a sm-security note sent flag as well.
Comment 7 Jeremy Blosser 2006-05-13 17:47:09 UTC
(In reply to comment #6)
> I'd like to leave this in security component for historical searching

I disagree.  I started filing CVE bugs against security a while ago and they
were mostly ignored because the default assignee is security@ which is not as
useful as having them assigned to the relevant grimoire guru.  Instead I started
assigning them as normal via the codex product and just copying security, which
also allows searching.  Things got fixed a lot faster.  I could have left them
as security and copied the guru myself but then I have to look them all up.

Of course we could also add the full codex tree and assignee logic to the
security product but that sounds like a lot of duplication, and we'd have to
include the grimoire subgroups as well as the sorcery subgroups, tome, etc.

Now that each component is responsible for its own security I think we should
just assign these through the relevant component so the right subgroups are
invoked and include security some other way, either a cc or another flag or
something.
Comment 8 Arwed v. Merkatz 2006-05-13 17:59:04 UTC
To add a little to the flag inflation, we could add a "security bug" flag for
easier searching and still keep the bugs themselves in the product they belong
(codex,sorcery,cauldron,...).