Debian Bug report logs - #339437
HTTP Response Splitting vulnerability

Reported by: Michal Čihař <michal@cihar.com>

Date: Wed, 16 Nov 2005 10:33:02 UTC

Severity: grave

Tags: security

Found in versions phpmyadmin/4:2.6.4-pl3-1, phpmyadmin/4:2.6.2-3sarge1

Fixed in version phpmyadmin/4:2.6.4-pl4-1

Done: Piotr Roszatycki <dexter@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Piotr Roszatycki <dexter@debian.org>:
Bug#339437; Package phpmyadmin.


Acknowledgement sent to Michal Čihař <michal@cihar.com>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Piotr Roszatycki <dexter@debian.org>.


Message #5 received at submit@bugs.debian.org:

From: Michal Čihař <michal@cihar.com>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: HTTP Response Splitting vulnerability
Date: Wed, 16 Nov 2005 11:23:21 +0100
Package: phpmyadmin
Version: 4:2.6.4-pl3-1
Severity: grave
Tags: security

Hi

I'm not sure if you're aware of new security issue found in phpMyAdmin:

http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2005-6

I know it's too young to be already in archives, however I just want to
notify you.

-- 
    Michal Čihař | http://cihar.com


-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/dash
Kernel: Linux 2.6.14-raptor
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

Versions of packages phpmyadmin depends on:
ii  apache2-mpm-prefork [httpd]   2.0.55-3   traditional model for Apache2
ii  debconf [debconf-2.0]         1.4.59     Debian configuration management sy
ii  php5-cgi                      5.0.5-3    server-side, HTML-embedded scripti
ii  php5-mysql                    5.0.5-3    MySQL module for php5
ii  ucf                           2.003      Update Configuration File: preserv

Versions of packages phpmyadmin recommends:
pn  php4-mcrypt | php5-mcrypt     <none>     (no description available)

-- debconf information:
* phpmyadmin/reconfigure-webserver: apache2
* phpmyadmin/restart-webserver: true



Information forwarded to debian-bugs-dist@lists.debian.org, Piotr Roszatycki <dexter@debian.org>:
Bug#339437; Package phpmyadmin.


Acknowledgement sent to Piotr Roszatycki <Piotr_Roszatycki@netia.net.pl>:
Extra info received and forwarded to list. Copy sent to Piotr Roszatycki <dexter@debian.org>.


Message #10 received at 339437@bugs.debian.org:

From: Piotr Roszatycki <Piotr_Roszatycki@netia.net.pl>
To: Michal Čihař <michal@cihar.com>, 339437@bugs.debian.org
Subject: Re: Bug#339437: HTTP Response Splitting vulnerability
Date: Wed, 16 Nov 2005 12:19:01 +0100
On Wednesday 16 November 2005 11:23, Michal Čihař wrote:
> I'm not sure if you're aware of new security issue found in phpMyAdmin:
>
> http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2005-6
>
> I know it's too young to be already in archives, however I just want to
> notify you.

Yes, I know. The issue was discussed on debian-security. The register_globals 
is disabled in Debian's phpmyadmin package by default so the bug is not so 
critical at the moment.

New version will be available for sid and sarge ASAP.

-- 
 .''`.    Piotr Roszatycki, Netia SA
: :' :    mailto:Piotr_Roszatycki@netia.net.pl
`. `'     mailto:dexter@debian.org
  `-



Bug marked as found in version 4:2.6.4-pl3-1. Request was from Piotr Roszatycki <Piotr_Roszatycki@netia.net.pl> to control@bugs.debian.org.


Bug marked as found in version 4:2.6.2-3sarge1. Request was from Piotr Roszatycki <Piotr_Roszatycki@netia.net.pl> to control@bugs.debian.org.


Information forwarded to debian-bugs-dist@lists.debian.org, Piotr Roszatycki <dexter@debian.org>:
Bug#339437; Package phpmyadmin.


Acknowledgement sent to Piotr Roszatycki <Piotr_Roszatycki@netia.net.pl>:
Extra info received and forwarded to list. Copy sent to Piotr Roszatycki <dexter@debian.org>.


Message #19 received at 339437@bugs.debian.org:

From: Piotr Roszatycki <Piotr_Roszatycki@netia.net.pl>
To: Martin Schulze <joey@infodrom.org>
Cc: Debian Security Team <team@security.debian.org>, 339437@bugs.debian.org
Subject: Re: PMASA-2005-6 when "register_globals = on"
Date: Wed, 16 Nov 2005 18:08:30 +0100
On Wednesday 16 November 2005 13:17, Martin Schulze wrote:
> > Vuln 1:
> > Full Path Disclosures in the following files:
>
> > Vuln 2:
> > Http Response Splitting in libraries/header_http.inc.php
>
> Do you know if this is the same vulnerability as the first one above?

The Full Path Disclosure is not fixed currently by upstream and I think it is 
not important for Debian version.

I'm attaching the patch for sarge.

Additionally, I've fixed the important bug #324318. Please, include the patch 
for this bug to stable release. The patch doesn't change program 
functionality and resolves more problems with a bad configuration file which are 
not reported to BTS.

-- 
 .''`.    Piotr Roszatycki, Netia SA
: :' :    mailto:Piotr_Roszatycki@netia.net.pl
`. `'     mailto:dexter@debian.org
  `-
[phpmyadmin-4:2.6.2-3sarge1-3sarge2.diff (text/x-diff, attachment)]
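Message #10 above says the Debian package is less exposed because register_globals is off, and Message #19 places the flaw in libraries/header_http.inc.php. The following is an added example, not phpMyAdmin's or Debian's code, written in Python to show what "HTTP response splitting" means in practice: a request value that reaches a response header unchecked, a CR/LF pair inside it, and a downstream parser that then sees two responses instead of one, next to the check that stops it. The header name, the attacker value, the toy response builder and the toy parser are all constructed for the demonstration; the PHP file on this page is not reproduced here.

```python
"""Added example, not phpMyAdmin's own code: how a CR/LF pair inside a header
value turns one HTTP response into two, and the check that prevents it.
Everything below (the header name, the request value, the parser) is
constructed for the demonstration."""
from urllib.parse import unquote


class HeaderInjection(ValueError):
    """Raised when a header name or value carries CR, LF or NUL."""


# Constructed attacker value for a request parameter that the page copies into
# a response header. With register_globals=on, PHP would hand such a parameter
# to any included script as a plain variable, so no explicit $_GET lookup is
# needed for it to reach the header-emitting code.
INJECTED_PARAM = unquote(
    "en%0d%0aContent-Length:%200%0d%0a%0d%0a"                         # end the real response
    "HTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0a%0d%0a"  # forge a second one
    "%3Cscript%3Ealert(1)%3C/script%3E"
)

REAL_BODY = b"<html>real body</html>"


def build_response_unsafe(extra_headers: dict[str, str]) -> bytes:
    """Emit a response, copying header values verbatim (the vulnerable pattern)."""
    lines = [b"HTTP/1.1 200 OK"]
    for name, value in extra_headers.items():
        lines.append(f"{name}: {value}".encode())
    lines.append(b"Content-Length: %d" % len(REAL_BODY))
    return b"\r\n".join(lines) + b"\r\n\r\n" + REAL_BODY


def check_header(name: str, value: str) -> None:
    """Reject, rather than strip, control characters: a stripped value is still
    attacker-shaped and may mean something else to the next parser."""
    for text in (name, value):
        if any(ch in text for ch in "\r\n\0"):
            raise HeaderInjection(f"control character in header {name!r}")


def build_response_safe(extra_headers: dict[str, str]) -> bytes:
    """Same emitter, but every header is validated first."""
    for name, value in extra_headers.items():
        check_header(name, value)
    return build_response_unsafe(extra_headers)


def parse_responses(raw: bytes) -> list[bytes]:
    """Split a byte stream the way a simple proxy or client would: status line,
    headers, then Content-Length bytes of body (or everything, if absent).
    Whatever is left over is read as the *next* response."""
    responses = []
    rest = raw
    while rest.startswith(b"HTTP/1."):
        head, sep, after = rest.partition(b"\r\n\r\n")
        if not sep:
            responses.append(rest)
            break
        length = None
        for line in head.split(b"\r\n")[1:]:
            name, _, val = line.partition(b":")
            if name.strip().lower() == b"content-length":
                length = int(val.strip())
                break
        if length is None:
            body, rest = after, b""
        else:
            body, rest = after[:length], after[length:]
        responses.append(head + sep + body)
    return responses


def split_count(extra_headers: dict[str, str], *, safe: bool) -> int:
    """Number of responses a downstream parser sees for the given headers."""
    builder = build_response_safe if safe else build_response_unsafe
    return len(parse_responses(builder(extra_headers)))


if __name__ == "__main__":
    print("unsafe, benign value  :", split_count({"Content-Language": "en"}, safe=False))
    print("unsafe, injected value:", split_count({"Content-Language": INJECTED_PARAM}, safe=False))
    try:
        split_count({"Content-Language": INJECTED_PARAM}, safe=True)
    except HeaderInjection as exc:
        print("safe, injected value  : rejected,", exc)
```

The forged second response carries the attacker's body, so a shared cache or proxy that reads it would serve it to other users under the application's own URL; that is why the issue is rated as a security bug rather than a cosmetic one. Later PHP releases (4.4.2 and 5.1.2, which postdate this thread) made header() itself refuse a value containing a newline; the php5-cgi 5.0.5 listed in the report predates that, so the check had to live in the application.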

Reply sent to Piotr Roszatycki <dexter@debian.org>:
You have taken responsibility.


Notification sent to Michal Čihař <michal@cihar.com>:
Bug acknowledged by developer.


Message #24 received at 339437-close@bugs.debian.org:

From: Piotr Roszatycki <dexter@debian.org>
To: 339437-close@bugs.debian.org
Subject: Bug#339437: fixed in phpmyadmin 4:2.6.4-pl4-1
Date: Wed, 16 Nov 2005 14:47:15 -0800
Source: phpmyadmin
Source-Version: 4:2.6.4-pl4-1

We believe that the bug you reported is fixed in the latest version of
phpmyadmin, which is due to be installed in the Debian FTP archive:

phpmyadmin_2.6.4-pl4-1.diff.gz
  to pool/main/p/phpmyadmin/phpmyadmin_2.6.4-pl4-1.diff.gz
phpmyadmin_2.6.4-pl4-1.dsc
  to pool/main/p/phpmyadmin/phpmyadmin_2.6.4-pl4-1.dsc
phpmyadmin_2.6.4-pl4-1_all.deb
  to pool/main/p/phpmyadmin/phpmyadmin_2.6.4-pl4-1_all.deb
phpmyadmin_2.6.4-pl4.orig.tar.gz
  to pool/main/p/phpmyadmin/phpmyadmin_2.6.4-pl4.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 339437@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Piotr Roszatycki <dexter@debian.org> (supplier of updated phpmyadmin package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Wed, 16 Nov 2005 13:10:14 +0100
Source: phpmyadmin
Binary: phpmyadmin
Architecture: source all
Version: 4:2.6.4-pl4-1
Distribution: unstable
Urgency: high
Maintainer: Piotr Roszatycki <dexter@debian.org>
Changed-By: Piotr Roszatycki <dexter@debian.org>
Description: 
 phpmyadmin - set of PHP-scripts to administrate MySQL over the WWW
Closes: 324318 339437
Changes: 
 phpmyadmin (4:2.6.4-pl4-1) unstable; urgency=high
 .
   * New upstream release.
   * Security fix: HTTP Response Splitting vulnerability.
     See: http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2005-6
     See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3621
     Closes: #339437.
   * New 105-bug_debian_324318.patch:
     - Always set the default configuration values, even if the config.inc.php
       file seems to be up to date. This fix allows to utilise more than three
       databases. Closes: #324318.
Files: 
 2a07cfd00911c40363b72355cd869b89 646 web extra phpmyadmin_2.6.4-pl4-1.dsc
 4dcc7722547d8164078a76156a193905 2777887 web extra phpmyadmin_2.6.4-pl4.orig.tar.gz
 f07a34fc93b97f07d05014d20d7045db 31816 web extra phpmyadmin_2.6.4-pl4-1.diff.gz
 349d14bc99a2d5244420539aad400955 2900418 web extra phpmyadmin_2.6.4-pl4-1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFDe6iyhMHHe8CxClsRAtkiAKCyIZ3AAdIeqomGzUdKGxTJElPA6ACfaVn9
58LgJA0IU1SFelRIjdExPQI=
=Sc5a
-----END PGP SIGNATURE-----




Information forwarded to debian-bugs-dist@lists.debian.org, Piotr Roszatycki <dexter@debian.org>:
Bug#339437; Package phpmyadmin.


Acknowledgement sent to Martin Schulze <joey@infodrom.org>:
Extra info received and forwarded to list. Copy sent to Piotr Roszatycki <dexter@debian.org>.


Message #29 received at 339437@bugs.debian.org:

From: Martin Schulze <joey@infodrom.org>
To: Piotr Roszatycki <Piotr_Roszatycki@netia.net.pl>
Cc: Debian Security Team <team@security.debian.org>, 339437@bugs.debian.org
Subject: Re: PMASA-2005-6 when "register_globals = on"
Date: Thu, 17 Nov 2005 10:22:43 +0100
Piotr Roszatycki wrote:
> On Wednesday 16 November 2005 13:17, Martin Schulze wrote:
> > > Vuln 1:
> > > Full Path Disclosures in the following files:
> >
> > > Vuln 2:
> > > Http Response Splitting in libraries/header_http.inc.php
> >
> > Do you know if this is the same vulnerability as the first one above?
> 
> The Full Path Disclosure is not fixed currently by upstream and I think it is 
> not important for Debian version.
> 
> I'm attaching the patch for sarge.

Thanks a lot.  I'm reviewing now.

> Additionally, I've fixed the important bug #324318. Please, include the patch 
> for this bug to stable release. The patch doesn't change program 
> functionality and resolves more problems with a bad configuration file which are 
> not reported to BTS.

Please explain why it should be fixed in stable.

Please explain why it should be fixed in a security update.

At the moment, I'm not convinced it is something else than a normal
bug, not even a critical one.

Regards,

	Joey

-- 
Of course, I didn't mean that, which is why I didn't say it.
What I meant to say, I said.              -- Thomas Bushnell

Please always Cc to me when replying to me on the lists.



Information forwarded to debian-bugs-dist@lists.debian.org, Piotr Roszatycki <dexter@debian.org>:
Bug#339437; Package phpmyadmin.


Acknowledgement sent to Piotr Roszatycki <Piotr_Roszatycki@netia.net.pl>:
Extra info received and forwarded to list. Copy sent to Piotr Roszatycki <dexter@debian.org>.


Message #34 received at 339437@bugs.debian.org:

From: Piotr Roszatycki <Piotr_Roszatycki@netia.net.pl>
To: Martin Schulze <joey@infodrom.org>, 339437@bugs.debian.org
Cc: Debian Security Team <team@security.debian.org>
Subject: Re: Bug#339437: PMASA-2005-6 when "register_globals = on"
Date: Thu, 17 Nov 2005 12:36:19 +0100
On Thursday 17 November 2005 10:22, Martin Schulze wrote:
> > Additionally, I've fixed the important bug #324318. Please, include the
> > patch for this bug to stable release. The patch doesn't change program
> > functionality and resolves more problems with a bad configuration file which
> > are not reported to BTS.
>
> Please explain why it should be fixed in stable.
>
> Please explain why it should be fixed in a security update.
>
> At the moment, I'm not convinced it is something else than a normal
> bug, not even a critical one.

The application does not work if more than 3 databases are used. I think it is 
not just a normal bug if a more advanced environment is used. It is an important 
problem because there is no easy way to diagnose it.

The workaround is possible, so at least please modify README.Debian file to 
inform the users how to override the problem.


--- README.Debian.orig  2005-11-16 22:38:26.000000000 +0100
+++ README.Debian       2005-11-17 12:28:14.000000000 +0100
@@ -15,6 +15,22 @@
   if there is no error message and you are returned to the login prompt.


+PROBLEM WITH MORE THAT THREE DATABASES
+
+  Only three first databases declared in /etc/phpmyadmin/config.inc.php are
+  working.  If you define fourth database, it fails with message "Access
+  denied".  See Bug#324318.
+
+  You can include
+
+    $cfg['Servers'][$i]['compress']        = FALSE;
+    $cfg['Servers'][$i]['controluser']     = '';
+    $cfg['Servers'][$i]['controlpass']     = ''
+    $cfg['Servers'][$i]['AllowRoot']       = TRUE;
+
+  to each database entry in config.inc.php file as a workaround.
+
+
 CONFIGURATION

   The package installs symlink into /var/www directory. You can also add
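Review bot: the workaround block in this hunk is not valid PHP as written: the line `$cfg['Servers'][$i]['controlpass']     = ''` has no terminating semicolon, so a user who pastes the four lines into config.inc.php gets a parse error and loses phpMyAdmin entirely, which is worse than the "Access denied" the block is meant to cure; add the `;`. Two smaller points in the same hunk: the heading reads "MORE THAT THREE" (should be "MORE THAN THREE"), and "Only three first databases" should be "Only the first three databases". Since `AllowRoot = TRUE` is among the suggested lines and permits the MySQL root account to log in through the web interface, the text should also say that users who had AllowRoot off should keep it off rather than copy the block verbatim.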

-- 
 .''`.    Piotr Roszatycki, Netia SA
: :' :    mailto:Piotr_Roszatycki@netia.net.pl
`. `'     mailto:dexter@debian.org
  `-



Information forwarded to debian-bugs-dist@lists.debian.org, Piotr Roszatycki <dexter@debian.org>:
Bug#339437; Package phpmyadmin.


Acknowledgement sent to Thijs Kinkhorst <thijs@debian.org>:
Extra info received and forwarded to list. Copy sent to Piotr Roszatycki <dexter@debian.org>.


Message #39 received at 339437@bugs.debian.org:

From: Thijs Kinkhorst <thijs@debian.org>
To: 339437@bugs.debian.org, 340438@bugs.debian.org, 362567@bugs.debian.org, 368082@bugs.debian.org
Cc: control@bugs.debian.org, team@security.debian.org
Subject: phpMyAdmin security vulnerabilities for sarge
Date: Thu, 03 Aug 2006 13:22:37 +0200
close 360726 4:2.6.2-3sarge1
thanks

Hello All,

I've checked out all open CVEs with respect to sarge. All are already
fixed in sid. I've prepared a package that fixes the ones that are
relevant. See the breakdown here:

> CVE-2005-3621   CRLF injection vulnerability in phpMyAdmin before 2.6.4-pl4 allows ...

Vulnerable, fixed in update.

> CVE-2005-3665   Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin ...

Vulnerable, fixed in update.

> CVE-2005-3787   Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin ...

This was all already fixed in 4:2.6.2-3sarge1.

> CVE-2006-1258   Cross-site scripting (XSS) vulnerability in phpMyAdmin 2.8.0.1 allows ...

Code not present in sarge - can be marked as not vulnerable.

> CVE-2006-1678   Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin ...

Vulnerable, fixed in update.

> CVE-2006-1803   Cross-site scripting (XSS) vulnerability in sql.php in phpMyAdmin ...

Cannot reproduce, and it is suggested to be a false duplicate of
CVE-2006-1804. I'm considering this one to be not vulnerable in sarge.

> CVE-2006-1804   XSRF SQL injection vulnerability in sql.php in phpMyAdmin 2.7.0-pl1 allows ...

Our sarge version doesn't have the whole XSRF-countering-mechanism so
this requires major code overhauls to address. XSRF is very common in
webapps and not easily fixed; it's doubtful if it's at all fixable.

> CVE-2006-2031   Cross-site scripting (XSS) vulnerability in index.php in phpMyAdmin ...

Not vulnerable, code not present in sarge.

> CVE-2006-2417   Cross-site scripting (XSS) vulnerability in phpMyAdmin 2.8.0.x before ...

Not vulnerable, code not present in sarge.

> CVE-2006-2418   Cross-site scripting (XSS) vulnerabilities in certain versions of ...

Vulnerable, fixed in update.

> CVE-2006-3388   Cross-site scripting (XSS) vulnerability in phpMyAdmin before 2.8.2 ...

Not vulnerable, code not present in sarge.

I've prepared an updated package, it can be found here:
http://www.a-eskwadraat.nl/~kink/debian/

Please let me know if it's ok and I'll upload it to the security
archive.


Thijs
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Piotr Roszatycki <dexter@debian.org>:
Bug#339437; Package phpmyadmin.


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Piotr Roszatycki <dexter@debian.org>.


Message #44 received at 339437@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Thijs Kinkhorst <thijs@debian.org>
Cc: 339437@bugs.debian.org, 340438@bugs.debian.org, 362567@bugs.debian.org, 368082@bugs.debian.org, team@security.debian.org
Subject: Re: phpMyAdmin security vulnerabilities for sarge
Date: Mon, 7 Aug 2006 20:48:12 +0200
On Thu, Aug 03, 2006 at 01:22:37PM +0200, Thijs Kinkhorst wrote:
> close 360726 4:2.6.2-3sarge1
> thanks
> 
> Hello All,
> 
> I've checked out all open CVE's with respect to sarge. All are already
> fixed in sid. I've prepared a package that fixes the ones that are
> relevant. See the breakdown here:

Thanks a lot for your work.

> I've prepared an updated package, it can be found here:
> http://www.a-eskwadraat.nl/~kink/debian/
> 
> Please let me know if it's ok and I'll upload it to the security
> archive.

Please
- drop all po i18n updates
- fix indentation of the phpmyadmin-2.6.2/libraries/header_http.inc.php changes
  for CVE-2005-3621
- raise the version number to sarge3, we have an unsuitable sarge2 in the
  security queue (you couldn't know that and I forgot to tell you in advance,
  sorry)

The security fixes look all good.

Cheers,
        Moritz






Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 25 Jun 2007 06:13:18 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:03:59 2019; Machine Name: beach
