Debian Bug report logs - #446451
phpmyadmin: CVE-2007-5386 XSS vulnerability
Reported by: Steffen Joeris <steffen.joeris@skolelinux.de>
Date: Sat, 13 Oct 2007 05:21:02 UTC
Severity: grave
Tags: security
Fixed in versions phpmyadmin/4:2.11.1.2-1, phpmyadmin/4:2.9.1.1-6
Done: Thijs Kinkhorst <thijs@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Thijs Kinkhorst <thijs@debian.org>: Bug#446451; Package phpmyadmin.
Acknowledgement sent to Steffen Joeris <steffen.joeris@skolelinux.de>: New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Thijs Kinkhorst <thijs@debian.org>.
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Package: phpmyadmin
Severity: grave
Tags: security
Justification: user security hole
Hi
The following CVE[0] has been issued against phpmyadmin.
You can find a patch below.
CVE-2007-5386:
Cross-site scripting (XSS) vulnerability in scripts/setup.php
in phpMyAdmin 2.11.1, when accessed by a browser that does
not URL-encode requests, allows remote attackers to inject
arbitrary web script or HTML via the query string. NOTE: some
of these details are obtained from third party information.
Cheers
Steffen
[0]: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5386
diff -u phpmyadmin-2.11.1/debian/changelog phpmyadmin-2.11.1/debian/changelog
--- phpmyadmin-2.11.1/debian/changelog
+++ phpmyadmin-2.11.1/debian/changelog
@@ -1,3 +1,11 @@
+phpmyadmin (4:2.11.1-1.1) unstable; urgency=high
+
+ * Non-maintainer upload by the testing-security team
+ * Include upstream patch for XSS vulnerability in scripts/setup.php
+ Fixes: CVE-2007-5386
+
+ -- Steffen Joeris <white@debian.org> Sat, 13 Oct 2007 05:12:44 +0000
+
phpmyadmin (4:2.11.1-1) unstable; urgency=low
* New upstream release.
diff -u phpmyadmin-2.11.1/debian/patches/00list phpmyadmin-2.11.1/debian/patches/00list
--- phpmyadmin-2.11.1/debian/patches/00list
+++ phpmyadmin-2.11.1/debian/patches/00list
@@ -3,0 +4 @@
+041-CVE-2007-5386
only in patch4:
unchanged:
--- phpmyadmin-2.11.1.orig/debian/patches/041-CVE-2007-5386.dpatch
+++ phpmyadmin-2.11.1/debian/patches/041-CVE-2007-5386.dpatch
@@ -0,0 +1,21 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Fix CVE-2007-5386
+
+@DPATCH@
+
+--- ../old/phpmyadmin-2.11.1/scripts/setup.php 2007-09-20 16:35:14.000000000 +0000
++++ phpmyadmin-2.11.1/scripts/setup.php 2007-10-13 05:10:49.000000000 +0000
+@@ -1951,7 +1951,10 @@
+ if (empty($_SERVER['REQUEST_URI']) || empty($_SERVER['HTTP_HOST'])) {
+ $redir = '';
+ } else {
+- $redir = ' If your server is also configured to accept HTTPS request follow <a href="https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'] . '">this link</a> to use secure connection.';
++ $redir = ' If your server is also configured to accept HTTPS request'
++ . ' follow <a href="https://'
++ . htmlspecialchars($_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'])
++ . '">this link</a> to use secure connection.';
+ }
+ message('warning', 'You are not using secure connection, all data (including sensitive, like passwords) are transfered unencrypted!' . $redir, 'Not secure connection');
+ }
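Review bot: the escaped value in the new `$redir` lands inside a double-quoted `href` attribute, and htmlspecialchars() with its default flags escapes `"`, `&`, `<` and `>`, so the attribute can no longer be terminated from the request line whether or not the browser percent-encodes it; this relies on `message()` emitting the string as HTML without escaping it again, which the surrounding `<a href=...>` markup already assumes. Two smaller points on the same hunk: the `## DP:` description carries only the CVE number, while the changelog calls this an upstream patch, so the header should name the upstream commit or advisory it was taken from; and `$_SERVER['HTTP_HOST']` stays a client-supplied value, so the link target is still derived from the request even though it can no longer break out of the attribute.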
Information forwarded to debian-bugs-dist@lists.debian.org: Bug#446451; Package phpmyadmin.
Acknowledgement sent to Thijs Kinkhorst <thijs@debian.org>: Extra info received and forwarded to list.
Message #10 received at 446451@bugs.debian.org (full text, mbox, reply):
tags 446451 moreinfo
thanks
Hi Steffen,
On Saturday 13 October 2007 07:26, Steffen Joeris wrote:
> Cross-site scripting (XSS) vulnerability in scripts/setup.php
> in phpMyAdmin 2.11.1, when accessed by a browser that does
> not URL-encode requests, allows remote attackers to inject
> arbitrary web script or HTML via the query string. NOTE: some
> of these details are obtained from third party information.
I've seen this fix in upstream SVN but couldn't think of a case where this is
exploitable by anyone other than the user himself. I will look into it but I'm not
sure that this is a grave issue. A concrete exploit scenario is welcome.
Thijs
Information forwarded to debian-bugs-dist@lists.debian.org, Thijs Kinkhorst <thijs@debian.org>: Bug#446451; Package phpmyadmin.
Acknowledgement sent to Michal Čihař <nijel@debian.org>: Extra info received and forwarded to list. Copy sent to Thijs Kinkhorst <thijs@debian.org>.
Message #15 received at 446451@bugs.debian.org (full text, mbox, reply):
Hi
On Tue, 16 Oct 2007 08:24:57 +0200
Thijs Kinkhorst <thijs@debian.org> wrote:
> tags 446451 moreinfo
> thanks
>
> Hi Steffen,
>
> On Saturday 13 October 2007 07:26, Steffen Joeris wrote:
> > Cross-site scripting (XSS) vulnerability in scripts/setup.php
> > in phpMyAdmin 2.11.1, when accessed by a browser that does
> > not URL-encode requests, allows remote attackers to inject
> > arbitrary web script or HTML via the query string. NOTE: some
> > of these details are obtained from third party information.
>
> I've seen this fix in upstream SVN but couldn't think of a case where this is
> exploitable by anyone than the user himself. I will look into it but I'm not
> sure that this is a grave issue. A concrete exploit scenario is welcome.
And it looks to be exploitable only with MSIE with disabled UTF-8 urls.
BTW: There will be yet another XSS fixed soon (already fixed in SVN,
release will probably happen today), so you should probably wait with
uploading new version :-).
--
Michal Čihař | http://cihar.com | http://blog.cihar.com
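The condition the CVE text and Michal describe (a request line that reaches the server unencoded) and the effect of the dpatch's htmlspecialchars() call, as an added Python example that is not code from phpMyAdmin or from anyone in this thread; the host name and request path are constructed, and html.escape stands in for PHP's htmlspecialchars():

```python
"""Model of the setup.php HTTPS-redirect link from the CVE-2007-5386 thread.

Example code, not phpMyAdmin's own: the two build functions mirror the
pre-patch concatenation and the patched htmlspecialchars() call from the
dpatch; html.escape(quote=True) escapes at least the characters PHP's
htmlspecialchars() escapes (&, <, >, ").
"""
import re
from html import escape
from urllib.parse import quote

# Constructed values. HOST stands in for $_SERVER['HTTP_HOST']; PATH_RAW
# models a browser that sends the query string verbatim (the condition named
# in the CVE text), PATH_ENCODED the same request from a browser that
# percent-encodes it, as most do.
HOST = "db.example.test"
PATH_RAW = '/phpmyadmin/scripts/setup.php?x="><b>x</b>'
PATH_ENCODED = quote(PATH_RAW, safe="/?=&")


def build_link_unpatched(host: str, request_uri: str) -> str:
    """Pre-patch: raw server variables concatenated into the href attribute."""
    return '<a href="https://' + host + request_uri + '">this link</a>'


def build_link_patched(host: str, request_uri: str) -> str:
    """Patched: escape before embedding, as htmlspecialchars() does in the fix."""
    return ('<a href="https://' + escape(host + request_uri, quote=True)
            + '">this link</a>')


def attribute_is_intact(fragment: str) -> bool:
    """True if the fragment is still one anchor whose href value contains no
    character that could close the attribute or start a new tag."""
    return re.fullmatch(r'<a href="[^"<>]*">this link</a>', fragment) is not None


def evaluate() -> dict:
    """(variant, request kind) -> whether the rendered anchor stayed intact.

    Only the unpatched build fed the verbatim request breaks, which is the
    'browser that does not URL-encode requests' condition from the CVE text;
    the patched build stays intact for both request kinds.
    """
    builders = (("unpatched", build_link_unpatched), ("patched", build_link_patched))
    paths = (("raw", PATH_RAW), ("encoded", PATH_ENCODED))
    return {(name, kind): attribute_is_intact(fn(HOST, path))
            for name, fn in builders for kind, path in paths}


if __name__ == "__main__":
    for (variant, kind), ok in sorted(evaluate().items()):
        print(f"{variant:9s} {kind:8s} intact={ok}")
```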
Information forwarded to debian-bugs-dist@lists.debian.org, Thijs Kinkhorst <thijs@debian.org>: Bug#446451; Package phpmyadmin.
Acknowledgement sent to "Thijs Kinkhorst" <thijs@debian.org>: Extra info received and forwarded to list. Copy sent to Thijs Kinkhorst <thijs@debian.org>.
Message #20 received at 446451@bugs.debian.org (full text, mbox, reply):
severity 446451 normal
thanks
On Tue, October 16, 2007 09:40, Michal Čihař wrote:
> And it looks to be exploitable only with MSIE with disabled UTF-8 urls.
Yeah... which is not the default. Only exploitable with a specific browser
with a specific environment is quite obscure.
> BTW: There will be yet another XSS fixed soon (already fixed in SVN,
> release will probably happen today), so you should probably wait with
> uploading new version :-).
For stable, I propose to not release a DSA for this issue (CVE-2007-5386)
specifically. If a DSA is needed in the future for another issue we can
include the fix then while we're at it.
I'll follow Michal's advice to wait for the new upstream before taking
more action here. It's not urgent currently.
Thijs
Reply sent to Thijs Kinkhorst <thijs@debian.org>: You have taken responsibility.
Notification sent to Steffen Joeris <steffen.joeris@skolelinux.de>: Bug acknowledged by developer.
Message #25 received at 446451-close@bugs.debian.org (full text, mbox, reply):
Source: phpmyadmin
Source-Version: 4:2.11.1.2-1
We believe that the bug you reported is fixed in the latest version of
phpmyadmin, which is due to be installed in the Debian FTP archive:
phpmyadmin_2.11.1.2-1.diff.gz to pool/main/p/phpmyadmin/phpmyadmin_2.11.1.2-1.diff.gz
phpmyadmin_2.11.1.2-1.dsc to pool/main/p/phpmyadmin/phpmyadmin_2.11.1.2-1.dsc
phpmyadmin_2.11.1.2-1_all.deb to pool/main/p/phpmyadmin/phpmyadmin_2.11.1.2-1_all.deb
phpmyadmin_2.11.1.2.orig.tar.gz to pool/main/p/phpmyadmin/phpmyadmin_2.11.1.2.orig.tar.gz
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 446451@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Thijs Kinkhorst <thijs@debian.org> (supplier of updated phpmyadmin package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
Format: 1.7
Date: Wed, 17 Oct 2007 22:54:41 +0200
Source: phpmyadmin
Binary: phpmyadmin
Architecture: source all
Version: 4:2.11.1.2-1
Distribution: unstable
Urgency: high
Maintainer: Thijs Kinkhorst <thijs@debian.org>
Changed-By: Thijs Kinkhorst <thijs@debian.org>
Description:
phpmyadmin - Administrate MySQL over the WWW
Closes: 446451
Changes:
phpmyadmin (4:2.11.1.2-1) unstable; urgency=high
.
* New upstream release.
* Addresses two cross site scripting issues:
PMASA-2007-5, PMASA-2007-6
(CVE-2007-5386, closes: #446451)
Files:
85ff8bf04def7bf82c0eac6d1e4b5514 1113 web extra phpmyadmin_2.11.1.2-1.dsc
f7e79d86aa0a8c013d7dd6feb034808e 2855597 web extra phpmyadmin_2.11.1.2.orig.tar.gz
9a816c698e9f16ece572c5c99868c1ff 31622 web extra phpmyadmin_2.11.1.2-1.diff.gz
e2a2cb9133c373e1ce87efdad624e225 2856572 web extra phpmyadmin_2.11.1.2-1_all.deb
Reply sent to Thijs Kinkhorst <thijs@debian.org>: You have taken responsibility.
Notification sent to Steffen Joeris <steffen.joeris@skolelinux.de>: Bug acknowledged by developer.
Message #30 received at 446451-close@bugs.debian.org (full text, mbox, reply):
Source: phpmyadmin
Source-Version: 4:2.9.1.1-6
We believe that the bug you reported is fixed in the latest version of
phpmyadmin, which is due to be installed in the Debian FTP archive:
phpmyadmin_2.9.1.1-6.diff.gz to pool/main/p/phpmyadmin/phpmyadmin_2.9.1.1-6.diff.gz
phpmyadmin_2.9.1.1-6.dsc to pool/main/p/phpmyadmin/phpmyadmin_2.9.1.1-6.dsc
phpmyadmin_2.9.1.1-6_all.deb to pool/main/p/phpmyadmin/phpmyadmin_2.9.1.1-6_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 446451@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Thijs Kinkhorst <thijs@debian.org> (supplier of updated phpmyadmin package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
Format: 1.7
Date: Wed, 7 Nov 2007 14:41:34 +0100
Source: phpmyadmin
Binary: phpmyadmin
Architecture: source all
Version: 4:2.9.1.1-6
Distribution: stable-security
Urgency: high
Maintainer: Thijs Kinkhorst <thijs@debian.org>
Changed-By: Thijs Kinkhorst <thijs@debian.org>
Description:
phpmyadmin - Administrate MySQL over the WWW
Closes: 446451
Changes:
phpmyadmin (4:2.9.1.1-6) stable-security; urgency=high
.
* Update for etch to address a security issue.
* Cross-site scripting (XSS) vulnerability in scripts/setup.php in
phpMyAdmin 2.11.1, when accessed by a browser that does not
URL-encode requests, allows remote attackers to inject arbitrary
web script or HTML via the query string.
(CVE-2007-5386, PMASA-2007-5, closes: #446451)
.
phpmyadmin (4:2.9.1.1-5) stable-security; urgency=high
.
* Update for etch to address a security issue.
* Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin before
2.11.1.2 allow remote attackers to inject arbitrary web script or HTML via
certain input available in (1) PHP_SELF in (a) server_status.php, and (b)
grab_globals.lib.php, (c) display_change_password.lib.php, and (d)
common.lib.php in libraries/; and certain input available in PHP_SELF and
(2) PATH_INFO in libraries/common.inc.php.
(CVE-2007-5589, PMASA-2007-6)
Files:
130531a7ffe3fd67421985abc0d7e3c1 1011 web extra phpmyadmin_2.9.1.1-6.dsc
0ea3fc9730fb32d1587e0757d3fbee25 49749 web extra phpmyadmin_2.9.1.1-6.diff.gz
be23322772089af7b429c01b65fe1469 3606276 web extra phpmyadmin_2.9.1.1-6_all.deb
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 16 Jan 2008 07:29:22 GMT)
Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:49:28 2019; Machine Name: buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.