phpmyadmin: CVE-2007-5386 XSS vulnerability

Related Vulnerabilities: CVE-2007-5386   CVE-2007-5589  

Debian Bug report logs - #446451
phpmyadmin: CVE-2007-5386 XSS vulnerability

Reported by: Steffen Joeris <steffen.joeris@skolelinux.de>

Date: Sat, 13 Oct 2007 05:21:02 UTC

Severity: grave

Tags: security

Fixed in versions phpmyadmin/4:2.11.1.2-1, phpmyadmin/4:2.9.1.1-6

Done: Thijs Kinkhorst <thijs@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Thijs Kinkhorst <thijs@debian.org>:
Bug#446451; Package phpmyadmin. (full text, mbox, link).


Acknowledgement sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Thijs Kinkhorst <thijs@debian.org>. (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Steffen Joeris <steffen.joeris@skolelinux.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: phpmyadmin: CVE-2007-5386 XSS vulnerability
Date: Sat, 13 Oct 2007 15:26:54 +1000
Package: phpmyadmin
Severity: grave
Tags: security
Justification: user security hole


Hi

The following CVE[0] has been issued against phpmyadmin.
You can find a patch below.

CVE-2007-5386:

Cross-site scripting (XSS) vulnerability in scripts/setup.php
in phpMyAdmin 2.11.1, when accessed by a browser that does 
not URL-encode requests, allows remote attackers to inject 
arbitrary web script or HTML via the query string. NOTE: some 
of these details are obtained from third party information.

Cheers
Steffen

[0]: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5386


diff -u phpmyadmin-2.11.1/debian/changelog phpmyadmin-2.11.1/debian/changelog
--- phpmyadmin-2.11.1/debian/changelog
+++ phpmyadmin-2.11.1/debian/changelog
@@ -1,3 +1,11 @@
+phpmyadmin (4:2.11.1-1.1) unstable; urgency=high
+
+  * Non-maintainer upload by the testing-security team
+  * Include upstream patch for XSS vulnerability in scripts/setup.php
+    Fixes: CVE-2007-5386
+
+ -- Steffen Joeris <white@debian.org>  Sat, 13 Oct 2007 05:12:44 +0000
+
 phpmyadmin (4:2.11.1-1) unstable; urgency=low

   * New upstream release.
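Review bot: the new debian/changelog entry says only "Include upstream patch" and does not name the upstream revision or advisory the patch was taken from. Add that reference to the entry so the 041-CVE-2007-5386 dpatch can be compared against its origin.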
diff -u phpmyadmin-2.11.1/debian/patches/00list phpmyadmin-2.11.1/debian/patches/00list
--- phpmyadmin-2.11.1/debian/patches/00list
+++ phpmyadmin-2.11.1/debian/patches/00list
@@ -3,0 +4 @@
+041-CVE-2007-5386
only in patch4:
unchanged:
--- phpmyadmin-2.11.1.orig/debian/patches/041-CVE-2007-5386.dpatch
+++ phpmyadmin-2.11.1/debian/patches/041-CVE-2007-5386.dpatch
@@ -0,0 +1,21 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Fix CVE-2007-5386
+
+@DPATCH@
+
+--- ../old/phpmyadmin-2.11.1/scripts/setup.php 2007-09-20 16:35:14.000000000 +0000
++++ phpmyadmin-2.11.1/scripts/setup.php        2007-10-13 05:10:49.000000000 +0000
+@@ -1951,7 +1951,10 @@
+             if (empty($_SERVER['REQUEST_URI']) || empty($_SERVER['HTTP_HOST'])) {
+                 $redir = '';
+             } else {
+-                $redir = ' If your server is also configured to accept HTTPS request follow <a href="https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'] . '">this link</a> to use secure connection.';
++                $redir = ' If your server is also configured to accept HTTPS request'
++              . ' follow <a href="https://'
++              . htmlspecialchars($_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'])
++              . '">this link</a> to use secure connection.';
+             }
+             message('warning', 'You are not using secure connection, all data (including sensitive, like passwords) are transfered unencrypted!' . $redir, 'Not secure connection');
+         }
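Review bot: in the rewritten $redir assignment, htmlspecialchars() is called with its default flags, so the fix relies on the href attribute staying double-quoted; single quotes in HTTP_HOST or REQUEST_URI pass through unchanged. Passing ENT_QUOTES would make the escaping independent of the quoting style. The dpatch description is only "## DP: Fix CVE-2007-5386"; a line saying which values are escaped and where would help later review. The three continuation lines are also indented two columns less than the first line of the assignment.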




Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#446451; Package phpmyadmin. (full text, mbox, link).


Acknowledgement sent to Thijs Kinkhorst <thijs@debian.org>:
Extra info received and forwarded to list. (full text, mbox, link).


Message #10 received at 446451@bugs.debian.org (full text, mbox, reply):

From: Thijs Kinkhorst <thijs@debian.org>
To: Steffen Joeris <steffen.joeris@skolelinux.de>, 446451@bugs.debian.org
Subject: Re: Bug#446451: phpmyadmin: CVE-2007-5386 XSS vulnerability
Date: Tue, 16 Oct 2007 08:24:57 +0200
tags 446451 moreinfo
thanks

Hi Steffen,

On Saturday 13 October 2007 07:26, Steffen Joeris wrote:
> Cross-site scripting (XSS) vulnerability in scripts/setup.php
> in phpMyAdmin 2.11.1, when accessed by a browser that does
> not URL-encode requests, allows remote attackers to inject
> arbitrary web script or HTML via the query string. NOTE: some
> of these details are obtained from third party information.

I've seen this fix in upstream SVN but couldn't think of a case where this is 
exploitable by anyone other than the user himself. I will look into it but I'm not 
sure that this is a grave issue. A concrete exploit scenario is welcome.



Thijs

Information forwarded to debian-bugs-dist@lists.debian.org, Thijs Kinkhorst <thijs@debian.org>:
Bug#446451; Package phpmyadmin. (full text, mbox, link).


Acknowledgement sent to Michal Čihař <nijel@debian.org>:
Extra info received and forwarded to list. Copy sent to Thijs Kinkhorst <thijs@debian.org>. (full text, mbox, link).


Message #15 received at 446451@bugs.debian.org (full text, mbox, reply):

From: Michal Čihař <nijel@debian.org>
To: Thijs Kinkhorst <thijs@debian.org>, 446451@bugs.debian.org
Cc: Steffen Joeris <steffen.joeris@skolelinux.de>
Subject: Re: Bug#446451: phpmyadmin: CVE-2007-5386 XSS vulnerability
Date: Tue, 16 Oct 2007 16:40:38 +0900
Hi

On Tue, 16 Oct 2007 08:24:57 +0200
Thijs Kinkhorst <thijs@debian.org> wrote:

> tags 446451 moreinfo
> thanks
> 
> Hi Steffen,
> 
> On Saturday 13 October 2007 07:26, Steffen Joeris wrote:
> > Cross-site scripting (XSS) vulnerability in scripts/setup.php
> > in phpMyAdmin 2.11.1, when accessed by a browser that does
> > not URL-encode requests, allows remote attackers to inject
> > arbitrary web script or HTML via the query string. NOTE: some
> > of these details are obtained from third party information.
> 
> I've seen this fix in upstream SVN but couldn't think of a case where this is 
> exploitable by anyone other than the user himself. I will look into it but I'm not 
> sure that this is a grave issue. A concrete exploit scenario is welcome.

And it looks to be exploitable only with MSIE with disabled UTF-8 urls.

BTW: There will be yet another XSS fixed soon (already fixed in SVN,
release will probably happen today), so you should probably wait with
uploading new version :-).

-- 
	Michal Čihař | http://cihar.com | http://blog.cihar.com

Information forwarded to debian-bugs-dist@lists.debian.org, Thijs Kinkhorst <thijs@debian.org>:
Bug#446451; Package phpmyadmin. (full text, mbox, link).


Acknowledgement sent to "Thijs Kinkhorst" <thijs@debian.org>:
Extra info received and forwarded to list. Copy sent to Thijs Kinkhorst <thijs@debian.org>. (full text, mbox, link).


Message #20 received at 446451@bugs.debian.org (full text, mbox, reply):

From: "Thijs Kinkhorst" <thijs@debian.org>
To: Michal Čihař <nijel@debian.org>
Cc: 446451@bugs.debian.org, "Steffen Joeris" <steffen.joeris@skolelinux.de>
Subject: Re: Bug#446451: phpmyadmin: CVE-2007-5386 XSS vulnerability
Date: Tue, 16 Oct 2007 10:31:21 +0200 (CEST)
severity 446451 normal
thanks

On Tue, October 16, 2007 09:40, Michal Čihař wrote:
> And it looks to be exploitable only with MSIE with disabled UTF-8 urls.

Yeah... which is not the default. Only exploitable with a specific browser
with a specific environment is quite obscure.

> BTW: There will be yet another XSS fixed soon (already fixed in SVN,
> release will probably happen today), so you should probably wait with
> uploading new version :-).

For stable, I propose to not release a DSA for this issue (CVE-2007-5386)
specifically. If a DSA is needed in the future for another issue we can
include the fix then while we're at it.

I'll follow Michal's advice for waiting for the new upstream before taking
more action here. It's not urgent currently.


Thijs
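
The browser dependence discussed in the messages above, as an added example that is not part of the bug log and is not phpMyAdmin code: it builds the setup.php "this link" anchor with and without htmlspecialchars() and checks whether request data stays inside the href attribute. The function names, the host db.example and both request URIs are constructed for illustration.

```php
<?php
// Added illustration; not phpMyAdmin code. Function names are hypothetical.

// Pre-patch shape: Host and request URI are concatenated into the href as-is.
function redirect_link_unescaped(string $host, string $uri): string
{
    return '<a href="https://' . $host . $uri . '">this link</a>';
}

// Patched shape: the attribute value passes through htmlspecialchars().
// ENT_QUOTES and the charset are spelled out here; the patch uses the defaults.
function redirect_link_escaped(string $host, string $uri): string
{
    $value = htmlspecialchars($host . $uri, ENT_QUOTES, 'UTF-8');
    return '<a href="https://' . $value . '">this link</a>';
}

// True when the output is still one <a> element whose href value holds no
// unescaped double quote, i.e. the request data stayed inside the attribute.
function stays_in_attribute(string $html): bool
{
    return preg_match('~^<a href="[^"]*">this link</a>$~', $html) === 1;
}

// Constructed inputs: the same query string as a non-encoding browser would
// send it (raw) and as an encoding browser would send it (percent-encoded).
$host = 'db.example';
$requests = [
    'raw'             => '/scripts/setup.php?"><b>marker</b>',
    'percent-encoded' => '/scripts/setup.php?%22%3E%3Cb%3Emarker%3C/b%3E',
];

foreach ($requests as $label => $uri) {
    foreach (['redirect_link_unescaped', 'redirect_link_escaped'] as $build) {
        printf(
            "%-16s %-24s %s\n",
            $label,
            $build,
            stays_in_attribute($build($host, $uri)) ? 'contained' : 'BREAKS OUT'
        );
    }
}
```

Only the raw request combined with the unescaped builder leaves the attribute; the escaped builder contains both forms, so the fix does not depend on how the browser encodes the query string.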





Reply sent to Thijs Kinkhorst <thijs@debian.org>:
You have taken responsibility. (full text, mbox, link).


Notification sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
Bug acknowledged by developer. (full text, mbox, link).


Message #25 received at 446451-close@bugs.debian.org (full text, mbox, reply):

From: Thijs Kinkhorst <thijs@debian.org>
To: 446451-close@bugs.debian.org
Subject: Bug#446451: fixed in phpmyadmin 4:2.11.1.2-1
Date: Wed, 17 Oct 2007 21:17:03 +0000
Source: phpmyadmin
Source-Version: 4:2.11.1.2-1

We believe that the bug you reported is fixed in the latest version of
phpmyadmin, which is due to be installed in the Debian FTP archive:

phpmyadmin_2.11.1.2-1.diff.gz
  to pool/main/p/phpmyadmin/phpmyadmin_2.11.1.2-1.diff.gz
phpmyadmin_2.11.1.2-1.dsc
  to pool/main/p/phpmyadmin/phpmyadmin_2.11.1.2-1.dsc
phpmyadmin_2.11.1.2-1_all.deb
  to pool/main/p/phpmyadmin/phpmyadmin_2.11.1.2-1_all.deb
phpmyadmin_2.11.1.2.orig.tar.gz
  to pool/main/p/phpmyadmin/phpmyadmin_2.11.1.2.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 446451@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thijs Kinkhorst <thijs@debian.org> (supplier of updated phpmyadmin package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Wed, 17 Oct 2007 22:54:41 +0200
Source: phpmyadmin
Binary: phpmyadmin
Architecture: source all
Version: 4:2.11.1.2-1
Distribution: unstable
Urgency: high
Maintainer: Thijs Kinkhorst <thijs@debian.org>
Changed-By: Thijs Kinkhorst <thijs@debian.org>
Description: 
 phpmyadmin - Administrate MySQL over the WWW
Closes: 446451
Changes: 
 phpmyadmin (4:2.11.1.2-1) unstable; urgency=high
 .
   * New upstream release.
   * Addresses two cross site scripting issues:
     PMASA-2007-5, PMASA-2007-6
     (CVE-2007-5386, closes: #446451)
Files: 
 85ff8bf04def7bf82c0eac6d1e4b5514 1113 web extra phpmyadmin_2.11.1.2-1.dsc
 f7e79d86aa0a8c013d7dd6feb034808e 2855597 web extra phpmyadmin_2.11.1.2.orig.tar.gz
 9a816c698e9f16ece572c5c99868c1ff 31622 web extra phpmyadmin_2.11.1.2-1.diff.gz
 e2a2cb9133c373e1ce87efdad624e225 2856572 web extra phpmyadmin_2.11.1.2-1_all.deb






Reply sent to Thijs Kinkhorst <thijs@debian.org>:
You have taken responsibility. (full text, mbox, link).


Notification sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
Bug acknowledged by developer. (full text, mbox, link).


Message #30 received at 446451-close@bugs.debian.org (full text, mbox, reply):

From: Thijs Kinkhorst <thijs@debian.org>
To: 446451-close@bugs.debian.org
Subject: Bug#446451: fixed in phpmyadmin 4:2.9.1.1-6
Date: Tue, 18 Dec 2007 07:52:53 +0000
Source: phpmyadmin
Source-Version: 4:2.9.1.1-6

We believe that the bug you reported is fixed in the latest version of
phpmyadmin, which is due to be installed in the Debian FTP archive:

phpmyadmin_2.9.1.1-6.diff.gz
  to pool/main/p/phpmyadmin/phpmyadmin_2.9.1.1-6.diff.gz
phpmyadmin_2.9.1.1-6.dsc
  to pool/main/p/phpmyadmin/phpmyadmin_2.9.1.1-6.dsc
phpmyadmin_2.9.1.1-6_all.deb
  to pool/main/p/phpmyadmin/phpmyadmin_2.9.1.1-6_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 446451@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thijs Kinkhorst <thijs@debian.org> (supplier of updated phpmyadmin package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Wed,  7 Nov 2007 14:41:34 +0100
Source: phpmyadmin
Binary: phpmyadmin
Architecture: source all
Version: 4:2.9.1.1-6
Distribution: stable-security
Urgency: high
Maintainer: Thijs Kinkhorst <thijs@debian.org>
Changed-By: Thijs Kinkhorst <thijs@debian.org>
Description: 
 phpmyadmin - Administrate MySQL over the WWW
Closes: 446451
Changes: 
 phpmyadmin (4:2.9.1.1-6) stable-security; urgency=high
 .
   * Update for etch to address a security issue.
   * Cross-site scripting (XSS) vulnerability in scripts/setup.php in
     phpMyAdmin 2.11.1, when accessed by a browser that does not
     URL-encode requests, allows remote attackers to inject arbitrary
     web script or HTML via the query string.
     (CVE-2007-5386, PMASA-2007-5, closes: #446451)
 .
 phpmyadmin (4:2.9.1.1-5) stable-security; urgency=high
 .
   * Update for etch to address a security issue.
   * Muliple cross-site scripting (XSS) vulnerabilities in phpMyAdmin before
     2.11.1.2 allow remote attackers to inject arbitrary web script or HTML via
     certain input available in (1) PHP_SELF in (a) server_status.php, and (b)
     grab_globals.lib.php, (c) display_change_password.lib.php, and (d)
     common.lib.php in libraries/; and certain input available in PHP_SELF and
     (2) PATH_INFO in libraries/common.inc.php.
     (CVE-2007-5589, PMASA-2007-6)
Files: 
 130531a7ffe3fd67421985abc0d7e3c1 1011 web extra phpmyadmin_2.9.1.1-6.dsc
 0ea3fc9730fb32d1587e0757d3fbee25 49749 web extra phpmyadmin_2.9.1.1-6.diff.gz
 be23322772089af7b429c01b65fe1469 3606276 web extra phpmyadmin_2.9.1.1-6_all.deb






Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 16 Jan 2008 07:29:22 GMT) (full text, mbox, link).


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:49:28 2019; Machine Name: buxtehude
