phppgadmin multiple XSS (CVE-2011-3598)

Related Vulnerabilities: CVE-2011-3598  

Debian Bug report logs - #644290
phppgadmin multiple XSS (CVE-2011-3598)

Reported by: "Thijs Kinkhorst" <thijs@debian.org>

Date: Tue, 4 Oct 2011 20:18:01 UTC

Severity: critical

Tags: security

Found in versions phppgadmin/4.2.3-1.1, phppgadmin/4.2.2-1

Fixed in versions phppgadmin/4.2.3-1.1squeeze2, phppgadmin/4.2.2-1lenny1, phppgadmin/5.0.3-1

Done: Christoph Berg <myon@debian.org>

Bug is archived. No further changes may be made.

Report forwarded to debian-bugs-dist@lists.debian.org, Isaac Clerencia <isaac@debian.org>:
Bug#644290; Package phppgadmin. (Tue, 04 Oct 2011 20:18:04 GMT)

Acknowledgement sent to "Thijs Kinkhorst" <thijs@debian.org>:
New Bug report received and forwarded. Copy sent to Isaac Clerencia <isaac@debian.org>. (Tue, 04 Oct 2011 20:18:04 GMT)

Message #5 received at submit@bugs.debian.org:

From: "Thijs Kinkhorst" <thijs@debian.org>
To: submit@bugs.debian.org
Subject: phppgadmin multiple XSS (CVE-2011-3598)
Date: Tue, 4 Oct 2011 22:15:47 +0200
Package: phppgadmin
Severity: critical
Tags: security

Hi,

Multiple XSS vulnerabilities have been reported in phpPgAdmin:
https://secunia.com/advisories/46248/

Please ensure that unstable is fixed on short notice and give the upload
an elevated urgency tag.

Can you also assess whether (old)stable are affected, and if so, provide
packages? If not (affected or able), do let us know as well.

In any case, please mention CVE-2011-3598 in your changelogs.


thanks,
Thijs




Reply sent to Christoph Berg <myon@debian.org>:
You have taken responsibility. (Wed, 05 Oct 2011 20:57:08 GMT)

Notification sent to "Thijs Kinkhorst" <thijs@debian.org>:
Bug acknowledged by developer. (Wed, 05 Oct 2011 20:57:09 GMT)

Message #10 received at 644290-close@bugs.debian.org:

From: Christoph Berg <myon@debian.org>
To: 644290-close@bugs.debian.org
Subject: Bug#644290: fixed in phppgadmin 5.0.3-1
Date: Wed, 05 Oct 2011 20:54:22 +0000
Source: phppgadmin
Source-Version: 5.0.3-1

We believe that the bug you reported is fixed in the latest version of
phppgadmin, which is due to be installed in the Debian FTP archive:

phppgadmin_5.0.3-1.debian.tar.gz
  to main/p/phppgadmin/phppgadmin_5.0.3-1.debian.tar.gz
phppgadmin_5.0.3-1.dsc
  to main/p/phppgadmin/phppgadmin_5.0.3-1.dsc
phppgadmin_5.0.3-1_all.deb
  to main/p/phppgadmin/phppgadmin_5.0.3-1_all.deb
phppgadmin_5.0.3.orig.tar.gz
  to main/p/phppgadmin/phppgadmin_5.0.3.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 644290@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Christoph Berg <myon@debian.org> (supplier of updated phppgadmin package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Wed, 05 Oct 2011 21:47:32 +0200
Source: phppgadmin
Binary: phppgadmin
Architecture: source all
Version: 5.0.3-1
Distribution: unstable
Urgency: low
Maintainer: Isaac Clerencia <isaac@debian.org>
Changed-By: Christoph Berg <myon@debian.org>
Description: 
 phppgadmin - web-based administration tool for PostgreSQL
Closes: 644290
Changes: 
 phppgadmin (5.0.3-1) unstable; urgency=low
 .
   * New upstream release, fixes XSS vulnerabilities.
     Closes: #644290, CVE-2011-3598.





Information forwarded to debian-bugs-dist@lists.debian.org, Isaac Clerencia <isaac@debian.org>:
Bug#644290; Package phppgadmin. (Mon, 10 Oct 2011 09:03:10 GMT)

Message #13 received at 644290@bugs.debian.org:

From: Christoph Berg <myon@debian.org>
To: Thijs Kinkhorst <thijs@debian.org>, 644290@bugs.debian.org
Subject: Re: phppgadmin multiple XSS (CVE-2011-3598)
Date: Mon, 10 Oct 2011 10:27:36 +0200

> Multiple XSS vulnerabilities have been reported in phpPgAdmin:
> https://secunia.com/advisories/46248/
> 
> Please ensure that unstable is fixed on short notice and give the upload
> an elevated urgency tag.

Hi,

unstable was fixed a few days ago, unfortunately without a bumped
urgency.

> Can you also assess whether (old)stable are affected, and if so, provide
> packages? If not (affected or able), do let us know as well.
> 
> In any case, please mention CVE-2011-3598 in your changelogs.

https://secunia.com/advisories/46248/ says "prior versions" are
affected, so yes.

The relevant diff parts are:

diff -Nru phppgadmin-5.0.2/classes/Misc.php phppgadmin-5.0.3/classes/Misc.php
--- phppgadmin-5.0.2/classes/Misc.php	2011-01-03 20:22:26.000000000 +0100
+++ phppgadmin-5.0.3/classes/Misc.php	2011-10-03 09:37:22.000000000 +0200
@@ -398,7 +398,7 @@
 				echo "<link rel=\"shortcut icon\" href=\"images/themes/{$conf['theme']}/Favicon.ico\" type=\"image/vnd.microsoft.icon\" />\n";
 				echo "<link rel=\"icon\" type=\"image/png\" href=\"images/themes/{$conf['theme']}/Introduction.png\" />\n";
 				echo "<title>", htmlspecialchars($appName);
-				if ($title != '') echo " - {$title}";
+				if ($title != '') echo htmlspecialchars(" - {$title}");
 				echo "</title>\n";
 
 				if ($script) echo "{$script}\n";
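Review bot: On the changed `<title>` line, htmlspecialchars() is called with no flags or charset argument, so it relies on PHP's defaults (ENT_COMPAT on the PHP versions of this era, which leaves single quotes unescaped). That is sufficient inside a `<title>` element, but passing ENT_QUOTES and the page charset explicitly would keep the output safe if the same string is ever reused in an attribute. The unchanged context lines in this hunk still echo `{$conf['theme']}` into two `href` attributes and `$script` without escaping; it is worth confirming that neither value can be influenced by request data.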
diff -Nru phppgadmin-5.0.2/display.php phppgadmin-5.0.3/display.php
--- phppgadmin-5.0.2/display.php	2011-01-03 20:22:26.000000000 +0100
+++ phppgadmin-5.0.3/display.php	2011-10-03 09:37:22.000000000 +0200
@@ -572,7 +578,7 @@
 
 		// Return
 		if (isset($_REQUEST['return_url']) && isset($_REQUEST['return_desc']))
-			echo "\t<li><a href=\"{$_REQUEST['return_url']}\">{$_REQUEST['return_desc']}</a></li>\n";
+			echo "\t<li><a href=\"". htmlspecialchars($_REQUEST['return_url']) ."\">". htmlspecialchars($_REQUEST['return_desc']) ."</a></li>\n";
 
 		// Edit SQL link
 		if (isset($_REQUEST['query']))
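Review bot: On the changed `echo` line, htmlspecialchars() keeps `return_url` from breaking out of the double-quoted `href` attribute, but it does not restrict the URL scheme, so a `javascript:` value supplied in `$_REQUEST['return_url']` would still be rendered as a clickable link. Suggest validating `return_url` before output, for example accepting only relative paths or http/https URLs, and skipping the list item when the check fails. Passing ENT_QUOTES explicitly to both calls would also make the escaping independent of the attribute quoting style.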


Updated packages attached.

Christoph
-- 
cb@df7cb.de | http://www.df7cb.de/
[phppgadmin_4.2.2-1lenny1.diff.gz (application/octet-stream, attachment)]
[phppgadmin_4.2.2-1lenny1.dsc (text/plain, attachment)]
[phppgadmin_4.2.3-1.1squeeze1.debian.tar.gz (application/octet-stream, attachment)]
[phppgadmin_4.2.3-1.1squeeze1.dsc (text/plain, attachment)]

Bug Marked as found in versions phppgadmin/4.2.2-1. Request was from Christoph Berg <myon@debian.org> to control@bugs.debian.org. (Wed, 26 Oct 2011 19:45:06 GMT)

Bug Marked as found in versions phppgadmin/4.2.3-1.1. Request was from Christoph Berg <myon@debian.org> to control@bugs.debian.org. (Wed, 26 Oct 2011 19:45:07 GMT)

Information forwarded to debian-bugs-dist@lists.debian.org, Isaac Clerencia <isaac@debian.org>:
Bug#644290; Package phppgadmin. (Wed, 04 Jan 2012 17:24:03 GMT)

Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Isaac Clerencia <isaac@debian.org>. (Wed, 04 Jan 2012 17:24:03 GMT)

Message #22 received at 644290@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Christoph Berg <myon@debian.org>, 644290@bugs.debian.org
Cc: team@security.debian.org
Subject: Re: phppgadmin multiple XSS (CVE-2011-3598)
Date: Wed, 4 Jan 2012 18:19:56 +0100

On Mon, Oct 10, 2011 at 10:27:36AM +0200, Christoph Berg wrote:
> > Can you also assess whether (old)stable are affected, and if so, provide
> > packages? If not (affected or able), do let us know as well.
> > 
> > In any case, please mention CVE-2011-3598 in your changelogs.
> 
> https://secunia.com/advisories/46248/ says "prior versions" are
> affected, so yes.
> 
> The relevant diff parts are:

Apparently this fell through the cracks. :-/

The impact of this issue is rather minor. Could you please fix this in 
the upcoming 6.0.4 point release for Squeeze?
http://www.debian.org/doc/manuals/developers-reference/pkgs.html#upload-stable

Cheers,
        Moritz







Information forwarded to debian-bugs-dist@lists.debian.org, Isaac Clerencia <isaac@debian.org>:
Bug#644290; Package phppgadmin. (Thu, 05 Jan 2012 09:03:10 GMT)

Message #25 received at 644290@bugs.debian.org:

From: Christoph Berg <myon@debian.org>
To: Moritz Muehlenhoff <jmm@inutil.org>
Cc: 644290@bugs.debian.org, team@security.debian.org, debian-release@lists.debian.org
Subject: Re: phppgadmin multiple XSS (CVE-2011-3598)
Date: Thu, 5 Jan 2012 10:00:43 +0100

Re: Moritz Muehlenhoff 2012-01-04 <20120104171956.GA4503@inutil.org>
> > > Can you also assess whether (old)stable are affected, and if so, provide
> > > packages? If not (affected or able), do let us know as well.
> > > 
> > > In any case, please mention CVE-2011-3598 in your changelogs.
> > 
> > https://secunia.com/advisories/46248/ says "prior versions" are
> > affected, so yes.
> > 
> > The relevant diff parts are:
> 
> Apparently this fell through the cracks. :-/
> 
> The impact of this issue is rather minor. Could you please fix this in 
> the upcoming 6.0.4 point release for Squeeze?
> http://www.debian.org/doc/manuals/developers-reference/pkgs.html#upload-stable

Hi,

I'm not sure I still have the squeeze/lenny packages I uploaded to
security-master. Could you push them to ftp-master?

Christoph
-- 
cb@df7cb.de | http://www.df7cb.de/

Information forwarded to debian-bugs-dist@lists.debian.org, Isaac Clerencia <isaac@debian.org>:
Bug#644290; Package phppgadmin. (Thu, 05 Jan 2012 18:30:03 GMT)

Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Isaac Clerencia <isaac@debian.org>. (Thu, 05 Jan 2012 18:30:03 GMT)

Message #30 received at 644290@bugs.debian.org:

From: Moritz Mühlenhoff <jmm@inutil.org>
To: Christoph Berg <myon@debian.org>, 644290@bugs.debian.org, team@security.debian.org, debian-release@lists.debian.org
Subject: Re: phppgadmin multiple XSS (CVE-2011-3598)
Date: Thu, 5 Jan 2012 19:28:46 +0100

On Thu, Jan 05, 2012 at 10:00:43AM +0100, Christoph Berg wrote:
> Re: Moritz Muehlenhoff 2012-01-04 <20120104171956.GA4503@inutil.org>
> > > > Can you also assess whether (old)stable are affected, and if so, provide
> > > > packages? If not (affected or able), do let us know as well.
> > > > 
> > > > In any case, please mention CVE-2011-3598 in your changelogs.
> > > 
> > > https://secunia.com/advisories/46248/ says "prior versions" are
> > > affected, so yes.
> > > 
> > > The relevant diff parts are:
> > 
> > Apparently this fell through the cracks. :-/
> > 
> > The impact of this issue is rather minor. Could you please fix this in 
> > the upcoming 6.0.4 point release for Squeeze?
> > http://www.debian.org/doc/manuals/developers-reference/pkgs.html#upload-stable
> 
> Hi,
> 
> I'm not sure I still have the squeeze/lenny packages I uploaded to
> security-master. Could you push them to ftp-master?

I don't see any trace of them on security-master, neither in the queue
nor in the morgue. Maybe they got rejected because they weren't built
with "-sa"? Annoyingly dak doesn't send the reject mail to the uploader.

Cheers,
        Moritz




Information forwarded to debian-bugs-dist@lists.debian.org, Isaac Clerencia <isaac@debian.org>:
Bug#644290; Package phppgadmin. (Sat, 07 Jan 2012 18:51:03 GMT)

Message #33 received at 644290@bugs.debian.org:

From: Christoph Berg <myon@debian.org>
To: Moritz Mühlenhoff <jmm@inutil.org>, 644290@bugs.debian.org
Cc: team@security.debian.org, debian-release@lists.debian.org
Subject: Re: Bug#644290: phppgadmin multiple XSS (CVE-2011-3598)
Date: Sat, 7 Jan 2012 19:49:27 +0100

Re: Moritz Mühlenhoff 2012-01-05 <20120105182845.GA3882@pisco.westfalen.local>
> On Thu, Jan 05, 2012 at 10:00:43AM +0100, Christoph Berg wrote:
> > Re: Moritz Muehlenhoff 2012-01-04 <20120104171956.GA4503@inutil.org>
> > > > > Can you also assess whether (old)stable are affected, and if so, provide
> > > > > packages? If not (affected or able), do let us know as well.
> > > > > 
> > > > > In any case, please mention CVE-2011-3598 in your changelogs.
> > > > 
> > > > https://secunia.com/advisories/46248/ says "prior versions" are
> > > > affected, so yes.
> > > > 
> > > > The relevant diff parts are:
> > > 
> > > Apparently this fell through the cracks. :-/
> > > 
> > > The impact of this issue is rather minor. Could you please fix this in 
> > > the upcoming 6.0.4 point release for Squeeze?
> > > http://www.debian.org/doc/manuals/developers-reference/pkgs.html#upload-stable
> > 
> > Hi,
> > 
> > I'm not sure I still have the squeeze/lenny packages I uploaded to
> > security-master. Could you push them to ftp-master?
> 
> I don't see any trace of them on security-master, neither in the queue
> nor in the morgue. Maybe they got rejected because they weren't built
> with "-sa"? Annoyingly dak doesn't send the reject mail to the uploader.

Found them on the notebook. I've just uploaded them to ftp-master.

Release team: please consider including them in the next (old)stable
update.

Christoph
-- 
cb@df7cb.de | http://www.df7cb.de/

Information forwarded to debian-bugs-dist@lists.debian.org, Isaac Clerencia <isaac@debian.org>:
Bug#644290; Package phppgadmin. (Sat, 07 Jan 2012 19:42:09 GMT)

Acknowledgement sent to "Adam D. Barratt" <adam@adam-barratt.org.uk>:
Extra info received and forwarded to list. Copy sent to Isaac Clerencia <isaac@debian.org>. (Sat, 07 Jan 2012 19:42:09 GMT)

Message #38 received at 644290@bugs.debian.org:

From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
To: Christoph Berg <myon@debian.org>
Cc: Moritz Mühlenhoff <jmm@inutil.org>, 644290@bugs.debian.org, team@security.debian.org, debian-release@lists.debian.org
Subject: Re: Bug#644290: phppgadmin multiple XSS (CVE-2011-3598)
Date: Sat, 07 Jan 2012 19:38:52 +0000
On Sat, 2012-01-07 at 19:49 +0100, Christoph Berg wrote:
> Found them on the notebook. I've just uploaded them to ftp-master.
> 
> Release team: please consider including them in the next (old)stable
> update.

It would have been appreciated if you could have sent debdiffs first, as
per the Dev Ref etc.  In any case, now that they've been uploaded
they'll get processed in due course.

Regards,

Adam





Information forwarded to debian-bugs-dist@lists.debian.org, Isaac Clerencia <isaac@debian.org>:
Bug#644290; Package phppgadmin. (Fri, 13 Jan 2012 10:27:04 GMT)

Acknowledgement sent to "Adam D. Barratt" <adam@adam-barratt.org.uk>:
Extra info received and forwarded to list. Copy sent to Isaac Clerencia <isaac@debian.org>. (Fri, 13 Jan 2012 10:27:08 GMT)

Message #43 received at 644290@bugs.debian.org:

From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
To: Christoph Berg <myon@debian.org>
Cc: Moritz Mühlenhoff <jmm@inutil.org>, 644290@bugs.debian.org, team@security.debian.org, debian-release@lists.debian.org
Subject: Re: Bug#644290: phppgadmin multiple XSS (CVE-2011-3598)
Date: Fri, 13 Jan 2012 10:22:17 +0000
On Sat, 2012-01-07 at 19:38 +0000, Adam D. Barratt wrote:
> On Sat, 2012-01-07 at 19:49 +0100, Christoph Berg wrote:
> > Found them on the notebook. I've just uploaded them to ftp-master.
> > 
> > Release team: please consider including them in the next (old)stable
> > update.
> 
> It would have been appreciated if you could have sent debdiffs first, as
> per the Dev Ref etc.  In any case, now that they've been uploaded
> they'll get processed in due course.

For the record, both lenny and squeeze packages have now been accepted;
thanks.

Regards,

Adam





Marked as fixed in versions phppgadmin/4.2.3-1.1squeeze2. Request was from Christoph Berg <myon@debian.org> to control@bugs.debian.org. (Thu, 19 Jul 2012 14:24:12 GMT)

Marked as fixed in versions phppgadmin/4.2.2-1lenny1. Request was from Christoph Berg <myon@debian.org> to control@bugs.debian.org. (Thu, 19 Jul 2012 14:27:03 GMT)

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 17 Aug 2012 07:27:01 GMT)

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:24:08 2019; Machine Name: beach
