Recent Vulnerabilities Research Posts Trends Blog About Contact

Related Vulnerabilities: CVE-2009-1285

Source

Debian Bug report logs - #524804
phpmyadmin: insufficient output sanitizing

Package: phpmyadmin; Maintainer for phpmyadmin is Thijs Kinkhorst <thijs@debian.org>; Source for phpmyadmin is src:phpmyadmin (PTS, buildd, popcon).

Reported by: "Michael S. Gilbert" <michael.s.gilbert@gmail.com>

Date: Mon, 20 Apr 2009 01:57:01 UTC

Severity: important

Tags: security

Fixed in version 4:3.1.3.2-1

Done: "Thijs Kinkhorst" <thijs@debian.org>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox

Report forwarded to debian-bugs-dist@lists.debian.org, Thijs Kinkhorst <thijs@debian.org>:
Bug#524804; Package phpmyadmin. (Mon, 20 Apr 2009 01:57:03 GMT) (full text, mbox, link).

Acknowledgement sent to "Michael S. Gilbert" <michael.s.gilbert@gmail.com>:
New Bug report received and forwarded. Copy sent to Thijs Kinkhorst <thijs@debian.org>. (Mon, 20 Apr 2009 01:57:03 GMT) (full text, mbox, link).

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

package: phpmyadmin
severity: important
tags: security

hello,

fedora issued a security update for myphpadmin [0]:

  Improvements for 3.1.3.2:  - [security] Insufficient output sanitizing
  when generating configuration file
  http://www.phpmyadmin.net/home_page/security/PMASA-2009-4.php

does this problem affect debian and should it be tracked as a security
issue?  thanks.

[0] https://admin.fedoraproject.org/updates/F10/FEDORA-2009-3700

Information forwarded to debian-bugs-dist@lists.debian.org, Thijs Kinkhorst <thijs@debian.org>:
Bug#524804; Package phpmyadmin. (Mon, 20 Apr 2009 04:18:02 GMT) (full text, mbox, link).

Acknowledgement sent to "Michael S. Gilbert" <michael.s.gilbert@gmail.com>:
Extra info received and forwarded to list. Copy sent to Thijs Kinkhorst <thijs@debian.org>. (Mon, 20 Apr 2009 04:18:02 GMT) (full text, mbox, link).

Message #10 received at 524804@bugs.debian.org (full text, mbox, reply):

i was looking at the link as provided in redhat's announcement.  this
seems to be CVE-2009-1285, which debian is already tracking as
unimportant.  however, the phpmyadmin page considers the issue to be
critical.  perhaps the debian severity is too low?

mike

Information forwarded to debian-bugs-dist@lists.debian.org, Thijs Kinkhorst <thijs@debian.org>:
Bug#524804; Package phpmyadmin. (Mon, 20 Apr 2009 07:42:30 GMT) (full text, mbox, link).

Acknowledgement sent to Michal Čihař <nijel@debian.org>:
Extra info received and forwarded to list. Copy sent to Thijs Kinkhorst <thijs@debian.org>. (Mon, 20 Apr 2009 07:42:30 GMT) (full text, mbox, link).

Message #15 received at 524804@bugs.debian.org (full text, mbox, reply):

[Message part 1 (text/plain, inline)]

Hi

Dne Mon, 20 Apr 2009 00:15:04 -0400
"Michael S. Gilbert" <michael.s.gilbert@gmail.com> napsal(a):

> i was looking at the link as provided in redhat's announcement.  this
> seems to be CVE-2009-1285, which debian is already tracking as
> unimportant.  however, the phpmyadmin page considers the issue to be
> critical.  perhaps the debian severity is too low?

The difference might be in fact that Debian package protects setup
script by htpasswd on installation.

(But I'm not in security team to know real cause of this severity.)

-- 
	Michal Čihař | http://cihar.com | http://blog.cihar.com

[signature.asc (application/pgp-signature, attachment)]

Reply sent to "Thijs Kinkhorst" <thijs@debian.org>:
You have taken responsibility. (Mon, 20 Apr 2009 11:01:03 GMT) (full text, mbox, link).

Notification sent to "Michael S. Gilbert" <michael.s.gilbert@gmail.com>:
Bug acknowledged by developer. (Mon, 20 Apr 2009 11:01:35 GMT) (full text, mbox, link).

Message #20 received at 524804-done@bugs.debian.org (full text, mbox, reply):

Version: 4:3.1.3.2-1

On Mon, April 20, 2009 06:15, Michael S. Gilbert wrote:
> i was looking at the link as provided in redhat's announcement.  this
> seems to be CVE-2009-1285, which debian is already tracking as
> unimportant.  however, the phpmyadmin page considers the issue to be
> critical.  perhaps the debian severity is too low?

This is because Debian by default protects the setup.php page with a
htaccess-style login and the config file is not writable, thus making the
vulnerability hard to exploit. I commented this reasoning in my commit
message to the tracker.

As you can also find in the security tracker:
http://security-tracker.debian.net/tracker/CVE-2009-1285
all affected suites (squeeze/sid) are already updated with the new
version. Therefore we can close this bug.

I appreciate your effort in filing security bugs, but it helps to cross
reference them to the security tracker before so we prevent unnecessary
filings.

thanks,
Thijs

Information forwarded to debian-bugs-dist@lists.debian.org, Thijs Kinkhorst <thijs@debian.org>:
Bug#524804; Package phpmyadmin. (Mon, 20 Apr 2009 13:54:03 GMT) (full text, mbox, link).

Acknowledgement sent to "Michael S. Gilbert" <michael.s.gilbert@gmail.com>:
Extra info received and forwarded to list. Copy sent to Thijs Kinkhorst <thijs@debian.org>. (Mon, 20 Apr 2009 13:54:03 GMT) (full text, mbox, link).

Message #25 received at 524804@bugs.debian.org (full text, mbox, reply):

On Mon, 20 Apr 2009 12:52:28 +0200, Thijs Kinkhorst wrote:
> On Mon, April 20, 2009 06:15, Michael S. Gilbert wrote:
> > i was looking at the link as provided in redhat's announcement.  this
> > seems to be CVE-2009-1285, which debian is already tracking as
> > unimportant.  however, the phpmyadmin page considers the issue to be
> > critical.  perhaps the debian severity is too low?
> 
> This is because Debian by default protects the setup.php page with a
> htaccess-style login and the config file is not writable, thus making the
> vulnerability hard to exploit. I commented this reasoning in my commit
> message to the tracker.

wouldn't it be better to do this with a 'NOTE' since that is
permanently associated with the CVE number?  i would have certainly
noticed the justification if that was the case.

> As you can also find in the security tracker:
> http://security-tracker.debian.net/tracker/CVE-2009-1285
> all affected suites (squeeze/sid) are already updated with the new
> version. Therefore we can close this bug.
> 
> I appreciate your effort in filing security bugs, but it helps to cross
> reference them to the security tracker before so we prevent unnecessary
> filings.

i had mistakenly missed the CVE number when i first reviewed the
issue.  i appologize for the mistake.

Information forwarded to debian-bugs-dist@lists.debian.org, Thijs Kinkhorst <thijs@debian.org>:
Bug#524804; Package phpmyadmin. (Mon, 20 Apr 2009 14:03:02 GMT) (full text, mbox, link).

Acknowledgement sent to "Thijs Kinkhorst" <thijs@debian.org>:
Extra info received and forwarded to list. Copy sent to Thijs Kinkhorst <thijs@debian.org>. (Mon, 20 Apr 2009 14:03:02 GMT) (full text, mbox, link).

Message #30 received at 524804@bugs.debian.org (full text, mbox, reply):

On Mon, April 20, 2009 15:53, Michael S. Gilbert wrote:
> On Mon, 20 Apr 2009 12:52:28 +0200, Thijs Kinkhorst wrote:
>
>> On Mon, April 20, 2009 06:15, Michael S. Gilbert wrote:
>>
>>> i was looking at the link as provided in redhat's announcement.  this
>>>  seems to be CVE-2009-1285, which debian is already tracking as
>>> unimportant.  however, the phpmyadmin page considers the issue to be
>>> critical.  perhaps the debian severity is too low?
>>
>> This is because Debian by default protects the setup.php page with a
>> htaccess-style login and the config file is not writable, thus making
>> the vulnerability hard to exploit. I commented this reasoning in my
>> commit message to the tracker.
>
> wouldn't it be better to do this with a 'NOTE' since that is permanently
> associated with the CVE number?  i would have certainly noticed the
> justification if that was the case.

Yes, that's probably better. I'll try to remember.


cheers,
Thijs

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 19 May 2009 07:26:00 GMT) (full text, mbox, link).

Send a report that this bug log contains spam.

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:08:12 2019; Machine Name: beach

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Twitter Reddit Linkedin Facebook

phpmyadmin: insufficient output sanitizing

Debian Bug report logs - #524804
phpmyadmin: insufficient output sanitizing

Vulmon Search

About

Products

Connect

phpmyadmin: insufficient output sanitizing

Debian Bug report logs - #524804 phpmyadmin: insufficient output sanitizing

Vulmon Search

About

Products

Connect

Debian Bug report logs - #524804
phpmyadmin: insufficient output sanitizing