phpmyadmin: CVE-2007-5977 and CVE-2007-5976

Related Vulnerabilities: CVE-2007-5977, CVE-2007-5976, CVE-2006-6942

Debian Bug report logs - #451465
phpmyadmin: CVE-2007-5977 and CVE-2007-5976


Reported by: Steffen Joeris <steffen.joeris@skolelinux.de>

Date: Fri, 16 Nov 2007 04:21:01 UTC

Severity: important

Tags: patch, security

Fixed in version 4:2.11.2.1-1

Done: "Thijs Kinkhorst" <thijs@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Thijs Kinkhorst <thijs@debian.org>:
Bug#451465; Package phpmyadmin.


Acknowledgement sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
New Bug report received and forwarded. Copy sent to Thijs Kinkhorst <thijs@debian.org>.


Message #5 received at submit@bugs.debian.org:

From: Steffen Joeris <steffen.joeris@skolelinux.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: phpmyadmin: CVE-2007-5977 and CVE-2007-5976
Date: Fri, 16 Nov 2007 15:30:40 +1100
Package: phpmyadmin
Severity: important
Tags: security, patch

Hi

The following two CVEs[0][1] have been assigned to phpmyadmin.

CVE-2007-5977:

Cross-site scripting (XSS) vulnerability in db_create.php in phpMyAdmin
before 2.11.2.1 allows remote authenticated users with CREATE DATABASE
privileges to inject arbitrary web script or HTML via a hex-encoded IMG
element in the db parameter in a POST request, a different vulnerability
than CVE-2006-6942. 


CVE-2007-5976:

SQL injection vulnerability in db_create.php in phpMyAdmin before
2.11.2.1 allows remote authenticated users with CREATE DATABASE
privileges to execute arbitrary SQL commands via the db parameter.


Please mention the CVEs in your changelog.

You can find the upstream patch below.

Cheers
Steffen

[0]: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5977

[1]: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5976

--- phpMyAdmin/libraries/List_Database.class.php        (.../RELEASE_2_11_2)    (revision 10919)
+++ phpmyadmin-2.11.2/libraries/List_Database.class.php (.../RELEASE_2_11_2_1)  (revision 10919)
@@ -378,10 +378,10 @@
             $selected = $this->getDefault();
         }

-    $return = '<ul id="databaseList" xml:lang="en" dir="ltr">' . "\n";
+    $return = '<ul id="databaseList" xml:lang="en" dir="ltr">' . "\n";
         foreach ($this->getGroupedDetails($offset, $count) as $group => $dbs) {
             if (count($dbs) > 1) {
-                $return .= '<li>' . $group . '<ul>' . "\n";
+                $return .= '<li>' . htmlspecialchars($group) . '<ul>' . "\n";
                 // wether display db_name cuted by the group part
                 $cut = true;
             } else {
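Review bot: the `-`/`+` pair on the `$return = '<ul id="databaseList" ...` line differs only in whitespace as shown, so the one functional change in this hunk, `htmlspecialchars($group)` on the `<li>` line, is easy to overlook. Keep re-indentation out of a security fix, or say in the commit message that the `<ul>` line is a whitespace-only change, so the escaping of `$group` stands out on review and on later backports.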
@@ -389,15 +389,24 @@
                 $cut = false;
             }
             foreach ($dbs as $db) {
-            $return .= '<li';
-            if ($db['name'] == $selected) {
-                $return .= ' class="selected"';
+                $return .= '<li';
+                if ($db['name'] == $selected) {
+                    $return .= ' class="selected"';
+                }
+                $return .= '><a';
+                if (! empty($db['comment'])) {
+                    $return .= ' title="' . htmlspecialchars($db['comment']) . '"';
+                }
+                $return .= ' href="index.php?' . PMA_generate_common_url($db['name'])
+                    . '" target="_parent">';
+                if ($cut) {
+                    $return .= htmlspecialchars($db['disp_name_cut']);
+                } else {
+                    $return .= htmlspecialchars($db['disp_name']);
+                }
+                $return .= ' (' . $db['num_tables'] . ')';
+                $return .= '</a></li>' . "\n";
             }
-        $return .= '><a' . (! empty($db['comment']) ? ' title="' . $db['comment'] . '"' : '') . ' href="index.php?' . PMA_generate_common_url($db['name']) . '" target="_parent">';
-                $return .= ($cut ? $db['disp_name_cut'] : $db['disp_name'])
-            .' (' . $db['num_tables'] . ')';
-        $return .= '</a></li>' . "\n";
-            }
             if (count($dbs) > 1) {
                 $return .= '</ul></li>' . "\n";
             }
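Review bot: `$db['num_tables']` is still concatenated into the markup unescaped in `$return .= ' (' . $db['num_tables'] . ')';`, while the comment and both display-name fields in the rewritten loop now go through `htmlspecialchars()`. Cast it with `(int)` or escape it as well, so no field of `$db` reaches the output raw. The `href` also takes `PMA_generate_common_url($db['name'])` as returned; the hunk does not show whether that helper produces HTML-escaped output, and since the database name is the user-controlled value in this report, that is worth confirming before relying on this hunk alone.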
--- ../old/phpmyadmin-2.11.2/server_privileges.php      2007-10-27 13:06:02.000000000 +0000
+++ phpmyadmin-2.11.2/server_privileges.php     2007-11-16 04:12:15.000000000 +0000
@@ -2032,7 +2032,7 @@
             .   PMA_convert_using('`Db`') . ' AS `Db`, '
             .   $list_of_privileges
             .' FROM `mysql`.`db`'
-            .' WHERE ' . PMA_convert_using($checkprivs, 'quoted')
+           .' WHERE ' . PMA_convert_using(PMA_sqlAddslashes($checkprivs), 'quoted')
             .' LIKE ' . PMA_convert_using('`Db`')
             .' AND NOT (' . $list_of_compared_privileges. ')) '
             .'UNION '
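Review bot: the statement continues past `.'UNION '` and the hunk touches only this one `WHERE`, so it is not visible whether `$checkprivs` is interpolated again in the following SELECT or elsewhere in the file; each of those uses needs the same `PMA_sqlAddslashes($checkprivs)` wrapping, otherwise the injection stays reachable through the other branch. Escaping once where `$checkprivs` is first read from the request would cover all uses in one place. Minor: the `+` line is indented one space less than the surrounding lines.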




Information forwarded to debian-bugs-dist@lists.debian.org, Thijs Kinkhorst <thijs@debian.org>:
Bug#451465; Package phpmyadmin.


Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Thijs Kinkhorst <thijs@debian.org>.


Message #10 received at 451465@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: control@bugs.debian.org
Cc: 451465@bugs.debian.org
Subject: severity of 451465 is grave
Date: Sat, 17 Nov 2007 15:47:38 +0100
# Automatically generated email from bts, devscripts version 2.10.11
# this can be really eval in shared environments
severity 451465 grave





Severity set to `grave' from `important' Request was from Nico Golde <nion@debian.org> to control@bugs.debian.org. (Sat, 17 Nov 2007 14:48:04 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Thijs Kinkhorst <thijs@debian.org>:
Bug#451465; Package phpmyadmin.


Acknowledgement sent to "Thijs Kinkhorst" <thijs@debian.org>:
Extra info received and forwarded to list. Copy sent to Thijs Kinkhorst <thijs@debian.org>.


Message #17 received at 451465@bugs.debian.org:

From: "Thijs Kinkhorst" <thijs@debian.org>
To: "Nico Golde" <nion@debian.org>, 451465@bugs.debian.org
Cc: control@bugs.debian.org
Subject: Re: Bug#451465: severity of 451465 is grave
Date: Sat, 17 Nov 2007 21:16:16 +0100 (CET)
severity 451465 important
thanks

On Sat, November 17, 2007 15:47, Nico Golde wrote:
> # Automatically generated email from bts, devscripts version 2.10.11
> # this can be really eval in shared environments
> severity 451465 grave

If you let users create databases, you've got a lot more concerns than
cross site scripting locally in phpMyAdmin if you can't trust them. This
is 'important' at the very, very most.


Thijs





Severity set to `important' from `grave' Request was from "Thijs Kinkhorst" <thijs@debian.org> to control@bugs.debian.org. (Sat, 17 Nov 2007 20:18:09 GMT)


Reply sent to "Thijs Kinkhorst" <thijs@debian.org>:
You have taken responsibility.


Notification sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
Bug acknowledged by developer.


Message #24 received at 451465-done@bugs.debian.org:

From: "Thijs Kinkhorst" <thijs@debian.org>
To: "Steffen Joeris" <steffen.joeris@skolelinux.de>, 451465-done@bugs.debian.org
Subject: Re: Bug#451465: phpmyadmin: CVE-2007-5977 and CVE-2007-5976
Date: Sat, 17 Nov 2007 21:17:41 +0100 (CET)
Version: 4:2.11.2.1-1

Hi,

Thanks, this has been fixed in the version above, uploaded last week.


Thijs





Information forwarded to debian-bugs-dist@lists.debian.org, Thijs Kinkhorst <thijs@debian.org>:
Bug#451465; Package phpmyadmin.


Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Thijs Kinkhorst <thijs@debian.org>.


Message #29 received at 451465@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: Thijs Kinkhorst <thijs@debian.org>
Cc: 451465@bugs.debian.org
Subject: Re: Bug#451465: severity of 451465 is grave
Date: Sun, 18 Nov 2007 03:52:15 +0100
Hi Thijs,
* Thijs Kinkhorst <thijs@debian.org> [2007-11-18 03:36]:
> severity 451465 important
> thanks
> 
> On Sat, November 17, 2007 15:47, Nico Golde wrote:
> > # Automatically generated email from bts, devscripts version 2.10.11
> > # this can be really eval in shared environments
> > severity 451465 grave
> 
> If you let users create databases, you've got a lot more concerns than
> cross site scripting locally in phpMyAdmin if you can't trust them. This
> is 'important' at the very, very most.

I raised it because of the sql injection not because of the 
cross-site scripting issue.
Kind regards
Nico
-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 18 Dec 2007 07:27:58 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:06:53 2019; Machine Name: buxtehude
