phpmyadmin: CVE-2006-3388: cross-site scripting

Related Vulnerabilities: CVE-2006-3388   CVE-2006-5116   CVE-2006-5117  

Debian Bug report logs - #377748


Reported by: Alec Berryman <alec@thened.net>

Date: Tue, 11 Jul 2006 01:33:05 UTC

Severity: serious

Tags: fixed, patch, security

Found in versions phpmyadmin/4:2.8.1-1, phpmyadmin/4:2.6.2-3sarge1

Fixed in versions 4:2.8.2-0.1, phpmyadmin/4:2.9.0.2-1

Done: Thijs Kinkhorst <thijs@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Piotr Roszatycki <dexter@debian.org>:
Bug#377748; Package phpmyadmin.


Acknowledgement sent to Alec Berryman <alec@thened.net>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Piotr Roszatycki <dexter@debian.org>.


Message #5 received at submit@bugs.debian.org:

From: Alec Berryman <alec@thened.net>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: phpmyadmin: CVE-2006-3388: cross-site scripting
Date: Mon, 10 Jul 2006 21:20:44 -0400

Package: phpmyadmin
Version: 4:2.8.1-1 4:2.6.2-3sarge1
Severity: serious
Tags: security patch

CVE-2006-3388: "Cross-site scripting (XSS) vulnerability in phpMyAdmin
before 2.8.2 allows remote attackers to inject arbitrary web script or
HTML via the table parameter."

This is PMASA-2006-4.  The original advisory [1] is very low on details
and simply recommends upgrading to 2.8.2, but this issue appears to also
affect sarge.  Judging from the changelog for 2.8.2 [2], I believe the
fix is in two commits to libraries/common.lib.php, r2.266.2.26 and
r2.266.2.27.  The diff for those commits is [3].

Please mention the CVE in your changelog.

Thanks,

Alec

[1] http://www.securityfocus.com/archive/1/archive/1/438870/100/0/threaded
[2] http://phpmyadmin.cvs.sourceforge.net/phpmyadmin/phpMyAdmin/ChangeLog?view=markup&pathrev=RELEASE_2_8_2
[3] http://phpmyadmin.cvs.sourceforge.net/phpmyadmin/phpMyAdmin/libraries/common.lib.php?r1=2.266.2.27&r2=2.266.2.25&pathrev=RELEASE_2_8_2

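The advisory above only says that the "table" parameter reaches the HTML response unencoded. The following PHP is an added illustration of that bug class and its remedy, not phpMyAdmin's code and not the upstream fix in common.lib.php: a vulnerable renderer beside an output-encoded one, with a small regression check that flags when request markup survives verbatim in the output. The function names and the sample value are constructed for this example.

```php
<?php
// Added illustration (not phpMyAdmin's code) of the XSS class behind
// CVE-2006-3388: a request parameter such as "table" is interpolated
// into HTML without output encoding.

// Vulnerable pattern: the raw parameter lands inside the markup, so any
// tag in it becomes part of the page.
function render_heading_vulnerable(string $table): string
{
    return "<h2>Browse table: " . $table . "</h2>";
}

// Hardened pattern: encode for the HTML text context at the point of
// output. ENT_QUOTES also neutralises quotes, which matters if the same
// value is ever placed inside an attribute.
function render_heading_safe(string $table): string
{
    $encoded = htmlspecialchars($table, ENT_QUOTES, 'UTF-8');
    return "<h2>Browse table: " . $encoded . "</h2>";
}

// Regression check a maintainer can keep in a test suite: did any tag
// from the input appear unchanged in the output? Crude, but it catches
// exactly the failure this advisory describes.
function reflects_markup(string $input, string $output): bool
{
    $has_tag = preg_match('/<[a-z]/i', $input) === 1;
    return $has_tag && strpos($output, $input) !== false;
}

// Constructed value standing in for $_GET['table']; a real request would
// carry whatever the client sent.
$table = 'customers<b>injected</b>';

$renderers = [
    'vulnerable' => render_heading_vulnerable($table),
    'safe'       => render_heading_safe($table),
];

foreach ($renderers as $name => $html) {
    $verdict = reflects_markup($table, $html) ? 'markup reflected' : 'ok';
    printf("%-10s %-45s -> %s\n", $name, $html, $verdict);
}
```

The "safe" line renders the tag as literal text (`&lt;b&gt;`), which is the behaviour the 2.8.2 upgrade restores for the table parameter.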



Tags added: fixed. Request was from sesse@debian.org (Steinar H. Gunderson) to control@bugs.debian.org.


Reply sent to "Steinar H. Gunderson" <sesse@debian.org>:
You have taken responsibility.


Notification sent to Alec Berryman <alec@thened.net>:
Bug acknowledged by developer.


Message #12 received at 377748-done@bugs.debian.org:

From: "Steinar H. Gunderson" <sesse@debian.org>
To: 377748-done@bugs.debian.org
Subject: Re: Fixed in NMU of phpmyadmin 4:2.8.2-0.1
Date: Tue, 18 Jul 2006 13:25:52 +0200

Version: 4:2.8.2-0.1

I've NMUed for this bug (fixing the bug to use versioning instead of the
"fixed" tag, to ease tracking through testing); here's the changelog:

>  phpmyadmin (4:2.8.2-0.1) unstable; urgency=high
>  .
>    * Non-maintainer upload.
>    * New upstream release.
>      * Fixes cross-site-scripting issues. [CVE-2006-3388] (Closes: #377748)

/* Steinar */
-- 
Homepage: http://www.sesse.net/



Reply sent to Thijs Kinkhorst <thijs@debian.org>:
You have taken responsibility.


Notification sent to Alec Berryman <alec@thened.net>:
Bug acknowledged by developer.


Message #17 received at 377748-close@bugs.debian.org:

From: Thijs Kinkhorst <thijs@debian.org>
To: 377748-close@bugs.debian.org
Subject: Bug#377748: fixed in phpmyadmin 4:2.9.0.2-1
Date: Wed, 11 Oct 2006 07:02:31 -0700

Source: phpmyadmin
Source-Version: 4:2.9.0.2-1

We believe that the bug you reported is fixed in the latest version of
phpmyadmin, which is due to be installed in the Debian FTP archive:

phpmyadmin_2.9.0.2-1.diff.gz
  to pool/main/p/phpmyadmin/phpmyadmin_2.9.0.2-1.diff.gz
phpmyadmin_2.9.0.2-1.dsc
  to pool/main/p/phpmyadmin/phpmyadmin_2.9.0.2-1.dsc
phpmyadmin_2.9.0.2-1_all.deb
  to pool/main/p/phpmyadmin/phpmyadmin_2.9.0.2-1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 377748@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thijs Kinkhorst <thijs@debian.org> (supplier of updated phpmyadmin package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.7
Date: Wed, 11 Oct 2006 14:46:37 +0200
Source: phpmyadmin
Binary: phpmyadmin
Architecture: source all
Version: 4:2.9.0.2-1
Distribution: unstable
Urgency: high
Maintainer: Thijs Kinkhorst <thijs@debian.org>
Changed-By: Thijs Kinkhorst <thijs@debian.org>
Description: 
 phpmyadmin - Administrate MySQL over the WWW
Closes: 357972 374918 377748 378681 382139 385365 385889 390484 391090
Changes: 
 phpmyadmin (4:2.9.0.2-1) unstable; urgency=low
 .
   * New maintainer, thanks Piotr for your previous work!
   * Acknowledge NMU's, thanks Steinar! (Closes: #378681)
   * Fix typo in debconf templates and unfuzzy that.
   * Tweak package description.
 .
 phpmyadmin (4:2.9.0.2-0.1) unstable; urgency=high
 .
   * Non-maintainer upload with maintainer consent.
   * Upgrade to latest upstream version to battle cross-site
     request forgery (PMASA-2006-5, CVE-2006-5116, CVE-2006-5117,
     closes: 391090).
   * New upstream also fixes broken database export functionality
     (closes: 374918) and database/table copy (closes: 390484).
   * Update translations:
     - Danish by Claus Hindsgaul (Closes: 357972).
     - Italian by Luca Monducci (Closes: 382139).
     - Spanish by Nacho Barrientos Arias (Closes: 385365).
 .
 phpmyadmin (4:2.8.2-0.2) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * Fix issue with /var/www pointing to /usr/share/phpmyadmin.
     (Closes: #385889)
     * Make sure we install /var/www as a directory, since we make a symlink into
       it and we can't rely on it being there.
     * Explicitly link to /var/www/phpmyadmin instead of /var/www, to make sure
       we don't make a new /var/www even if it should be removed for some
       reason.
 .
 phpmyadmin (4:2.8.2-0.1) unstable; urgency=high
 .
   * Non-maintainer upload.
   * New upstream release.
     * Fixes cross-site-scripting issues. [CVE-2006-3388] (Closes: #377748)
Files: 
 f04e499e4cd8bbea1bf9acd2c3ebc536 638 web extra phpmyadmin_2.9.0.2-1.dsc
 e8776c4ec0bccaffadad0066caf42473 40920 web extra phpmyadmin_2.9.0.2-1.diff.gz
 cc3dcd590a8c9f949089f992e3ddf138 3565720 web extra phpmyadmin_2.9.0.2-1_all.deb



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#377748; Package phpmyadmin.


Acknowledgement sent to Thijs Kinkhorst <thijs@debian.org>:
Extra info received and forwarded to list.


Message #22 received at 377748@bugs.debian.org:

From: Thijs Kinkhorst <thijs@debian.org>
To: team@security.debian.org
Cc: 377748@bugs.debian.org
Subject: Further analysis of phpMyAdmin bugs
Date: Mon, 06 Nov 2006 23:33:05 +0100

Hi,

I've continued my work to sift through phpMyAdmin issues to see what
applies to sarge and what needs to be fixed, here's another round.


CVE-2006-5116: Multiple cross-site request forgeries.
CVE-2006-3388: PMASA-2006-4: 377748: Cross site scripting.

This deals with refinements to the cross site request forgery
countering-infrastructure that has been introduced in 2.8.x. We don't
have that infrastructure in sarge and if I recall correctly there was
agreement that backporting pervasive changes for this goal was not
feasible. Especially since the whole concept of XSRF and whether it's
resolvable through phpMyAdmin's method or in general is doubtful in
nature if you ask me. I propose to leave these two alone for sarge.

CVE-2006-5117: Libraries under web root. I cannot find much detail about
this, but upstream CVS indicates that the solution is tightening a
.htaccess file in that dir. From reading advisories, I get no more
exploitability than "path disclosure" which is of course moot in Debian.
I propose to leave this item for sarge.


(a fixed package will follow for the other issues)


Thijs



Bug marked as not found in version 4:2.6.2-3sarge1. Request was from Thijs Kinkhorst <thijs@debian.org> to control@bugs.debian.org.


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 25 Jun 2007 12:51:02 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:17:24 2019; Machine Name: buxtehude
