
Analysis of issue for phpmyadmin and request for comment on XSS issues

Hi LTS team

I have done some analysis of the issues for phpmyadmin.

It would be good to know what your opinion about XSS issues for admin software like phpmyadmin is. I do not see how that can be very important. I mean you know the URL and do not really use external links for accessing it.
Or does anyone have another opinion?

I'll happily mark them as no DSA instead of backporting the fixes. What do you think?
If I do not hear any objections I'll do so in a few days.

The mitigation is to always use https for access. I guess this should be the normal case.
This is a problem only during setup as far as I can tell.
I do not think we should spend time on this one. I'll mark it as no DSA. Objections?
If anyone objects the backport should be fairly simple.

A properly configured server which sets PHP_SELF is not affected. Thus I'll mark this as no DSA. Objections?

This one looks like a real problem. Will look into backport of that one.

CVE-2016-5704 and CVE-2016-5705
XSS issue. Backporting looks easy.

A potential DOS attack should be fixed. I'll look into backporting this.

Non critical. I'll mark as no DSA unless anyone objects.

CVE-2016-5731, CVE-2016-5732, CVE-2016-5733
XSS again. Backporting looks rather easy. I do not really see the urgency of fixing though.

Possible real problem. I'll look into backporting this.

Possible real problem. Backporting looks easy.


// Ola

 --------------------- Ola Lundqvist ---------------------------
/  opal@debian.org                     Folkebogatan 26          \
|  ola@inguza.com                      654 68 KARLSTAD          |
|  http://inguza.com/                  +46 (0)70-332 1551       |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36  4FE4 18A1 B1CF 0FE5 3DD9 /
