Topic: CVE-2010-4480 (phpMyAdmin Vulnerability)

Apparently your most recent update from January has this vulnerability. When will you be releasing an update that includes the patch? It currently causes failure on PCI Compliance.

Thx.

Re: CVE-2010-4480 (phpMyAdmin Vulnerability)

As an FYI, the following page has links to the patch commits:

http://www.phpmyadmin.net/home_page/sec … 2010-9.php

Re: CVE-2010-4480 (phpMyAdmin Vulnerability)

This issue is classified as minor.

I think the phpMyAdmin team is really aware of security issues and always releases a quick update when needed.
And I always publish an RPM really soon after the release date.

So, I don't plan, for now, to publish a fixed RPM before upstream (or the Fedora maintainer) releases a new version.

Laptop:  Fedora 38 + rpmfusion + remi (SCL only)
x86_64 builder: Fedora 39 + rpmfusion + remi-test
aarch64 builder: RHEL 9 with EPEL
Hosting Server: CentOS 8 Stream with EPEL, rpmfusion, remi

Re: CVE-2010-4480 (phpMyAdmin Vulnerability)

They may classify it that way, but CERT/NIST do not. It is classified as MEDIUM and that is why everyone is getting denied PCI Compliance.

http://web.nvd.nist.gov/view/vuln/detai … -2010-4480

We've manually implemented the very small changes needed, and it would probably be a good idea if you were to do the same so everyone using your phpMyAdmin build doesn't start getting rejected on PCI Compliance scans. Scans from four days ago were not triggering the compliance failure, but scans starting yesterday have started triggering it.

From PCI Compliance scans:

---
Synopsis : The remote web server hosts a PHP script that is prone to a cross-site scripting attack.
Description : The version of phpMyAdmin fails to validate BBcode tags in user input to the 'error' parameter of the 'error.php' script before using it to generate dynamic HTML. An attacker may be able to leverage this issue to inject arbitrary HTML or script code into a user's browser to be executed within the security context of the affected site. For example, this could be used to cause a page with arbitrary text and a link to an external site to be displayed.
See also : http://www.phpmyadmin.net/home_page/sec … 2010-9.php
Solution: Upgrade to phpMyAdmin 3.4.0-beta1 or later.
Risk Factor: Medium / CVSS Base Score : 4.3 (CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N)
CVE : CVE-2010-4480
BID : 45633
Other references : OSVDB:69684, EDB-ID:15699
---
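The scan text above describes the defect as BBcode in the untrusted 'error' parameter being turned into HTML without validation. The following is an added illustration (not phpMyAdmin's code) of how a renderer on such a path stays safe: every text fragment is HTML-escaped, and a link tag is only turned into an anchor when its target is an absolute http(s) URL on an allowlisted host. The tag syntax `[a@url]...[/a]`, the tag subset, and the allowlist `ALLOWED_LINK_HOSTS` are assumptions for the example.

```python
import html
import re
from urllib.parse import urlparse

# Assumption for the example: only links to these hosts may become anchors.
ALLOWED_LINK_HOSTS = {"www.phpmyadmin.net", "phpmyadmin.net"}

# Small BBcode subset: [b] [i] [br] [a@url] and matching close tags.
TAG_RE = re.compile(
    r"\[(?P<tag>b|i|br|a)(?:@(?P<url>[^@\]]*))?\]"
    r"|\[/(?P<close>b|i|a)\]"
)


def link_allowed(url: str) -> bool:
    """Accept only absolute http(s) links to allowlisted hosts."""
    parsed = urlparse(url)
    return parsed.scheme in ("http", "https") and parsed.netloc.lower() in ALLOWED_LINK_HOSTS


def render_bbcode(text: str) -> str:
    """Render the BBcode subset to HTML; all other text is escaped."""
    out, pos, open_stack = [], 0, []
    for m in TAG_RE.finditer(text):
        out.append(html.escape(text[pos:m.start()]))  # escape text between tags
        pos = m.end()
        if m.group("close"):
            tag = m.group("close")
            if open_stack and open_stack[-1] == tag:
                open_stack.pop()
                out.append(f"</{tag}>")
            else:
                out.append(html.escape(m.group(0)))  # unmatched close: literal text
        elif m.group("tag") == "br":
            out.append("<br>")
        elif m.group("tag") == "a":
            url = m.group("url") or ""
            if link_allowed(url):
                open_stack.append("a")
                out.append(f'<a href="{html.escape(url)}">')
            else:
                out.append(html.escape(m.group(0)))  # untrusted target: shown literally
        else:
            open_stack.append(m.group("tag"))
            out.append(f"<{m.group('tag')}>")
    out.append(html.escape(text[pos:]))
    while open_stack:  # close anything left open so the HTML stays well-formed
        out.append(f"</{open_stack.pop()}>")
    return "".join(out)
```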

Re: CVE-2010-4480 (phpMyAdmin Vulnerability)

Well... try phpMyAdmin-3.3.9-2...

And don't forget, you can say "thanks" and use the "donate" button.

Remi.


P.S. I'm sometimes tired of so many requests, so many downloads (~12000 RPMs per day), so few thanks...


6 (edited by rhopek 2011-02-25 15:15:11)

Re: CVE-2010-4480 (phpMyAdmin Vulnerability)

Thank you.

As I had noted, we had already manually patched all servers. We just wanted to make you aware that as of yesterday, your current phpMyAdmin build (as of the January build) no longer allowed for PCI Compliance. We simply wanted to let you know so that you could update it before you start getting inundated with others complaining of the sudden compliance failures in cases where they were using that same build. We were simply trying to get you ahead of the game per se. We weren't "telling" or "demanding" that you update it, we were simply trying to help you out.