CVE-2007-0204: phpmyadmin: Multiple unspecified

Related Vulnerabilities: CVE-2007-0204   CVE-2007-0203   CVE-2006-6374  

Debian Bug report logs - #406486


Reported by: Alex de Oliveira Silva <enerv@host.sk>

Date: Thu, 11 Jan 2007 15:48:02 UTC

Severity: important

Tags: security

Merged with 406332

Found in version phpmyadmin/4:2.9.1.1-1

Fixed in version phpmyadmin/4:2.9.1.1-2

Done: Thijs Kinkhorst <thijs@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Thijs Kinkhorst <thijs@debian.org>:
Bug#406486; Package phpmyadmin.


Acknowledgement sent to Alex de Oliveira Silva <enerv@host.sk>:
New Bug report received and forwarded. Copy sent to Thijs Kinkhorst <thijs@debian.org>.


Message #5 received at submit@bugs.debian.org:

From: Alex de Oliveira Silva <enerv@host.sk>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2007-0203: phpmyadmin: Multiple unspecified vulnerabilities in phpMyAdmin before 2.9.2-rc1
Date: Thu, 11 Jan 2007 11:53:31 -0300
Package: phpmyadmin
Severity: important
Tags: security

Some vulnerabilities have been reported in phpMyAdmin, some of which
have unknown impacts, while some can be exploited by malicious people to
conduct cross-site scripting attacks.

1) Input passed to unspecified parameters is not properly sanitised
before being returned to the user. This can be exploited to execute
arbitrary HTML and script code in a user's browser session in context of
an affected site.

2) Some vulnerabilities exist, which are caused due to unspecified
errors in phpMyAdmin. No further information is currently available.

The vulnerabilities are reported in version 2.9.1.1. Other versions may
also be affected.

Reference: http://secunia.com/advisories/23702

-- System Information:
Debian Release: 4.0
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-3-486
Locale: LANG=pt_BR.UTF-8, LC_CTYPE=pt_BR.UTF-8 (charmap=UTF-8)

-- 
   .''`.  
  : :' :    Alex de Oliveira Silva | enerv
  `. `'     www.enerv.net
    `- 



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#406486; Package phpmyadmin.


Acknowledgement sent to Thijs Kinkhorst <thijs@debian.org>:
Extra info received and forwarded to list.


Message #10 received at 406486@bugs.debian.org:

From: Thijs Kinkhorst <thijs@debian.org>
To: Alex de Oliveira Silva <enerv@host.sk>, 406486@bugs.debian.org
Subject: Re: Bug#406486: CVE-2007-0203: phpmyadmin: Multiple unspecified vulnerabilities in phpMyAdmin before 2.9.2-rc1
Date: Thu, 11 Jan 2007 20:03:41 +0100
Hi Alex,

On Thu, 2007-01-11 at 11:53 -0300, Alex de Oliveira Silva wrote:
> Some vulnerabilities have been reported in phpMyAdmin, some of which
> have unknown impacts, while some can be exploited by malicious people to
> conduct cross-site scripting attacks.

I appreciate your notification, but how come you're reporting the exact
same text that you've reported yesterday already?


Thijs

Merged 406332 406486. Request was from Thijs Kinkhorst <thijs@debian.org> to control@bugs.debian.org.


Information forwarded to debian-bugs-dist@lists.debian.org, Thijs Kinkhorst <thijs@debian.org>:
Bug#406486; Package phpmyadmin.


Acknowledgement sent to Alex de Oliveira Silva <enerv@host.sk>:
Extra info received and forwarded to list. Copy sent to Thijs Kinkhorst <thijs@debian.org>.


Message #17 received at 406486@bugs.debian.org:

From: Alex de Oliveira Silva <enerv@host.sk>
To: 406486@bugs.debian.org
Subject: Correct description
Date: Fri, 12 Jan 2007 11:08:04 -0300
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Sorry Thijs.
The correct description is this. :)

Multiple vulnerabilities have been identified in phpMyAdmin, which may
be exploited by attackers to execute arbitrary scripting code. These
issues are due to unspecified input validation errors when processing
certain parameters, which could be exploited by attackers to cause
arbitrary scripting code to be executed by the user's browser in the
security context of an affected Web site.

Affected Products

phpMyAdmin version 2.9.1.1 and prior

Solution

Upgrade to phpMyAdmin version 2.9.2-rc1 :
http://www.phpmyadmin.net/home_page/downloads.php

References

http://www.frsirt.com/english/advisories/2007/0125
http://www.phpmyadmin.net/home_page/downloads.php?relnotes=0


regards,
- --
   .''`.  
  : :' :    Alex de Oliveira Silva | enerv
  `. `'     www.enerv.net
    `-
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFFp5ZDarbczl+z12gRAm8+AJ9vvZduaUgL95oRN7IF/0FoySmpCgCgtWeI
U2Wx1h489M766TX8Jvz1prU=
=72Zq
-----END PGP SIGNATURE-----




Changed Bug title. Request was from Alex de Oliveira Silva <enerv@host.sk> to control@bugs.debian.org.


Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#406486; Package phpmyadmin.


Acknowledgement sent to Thijs Kinkhorst <thijs@debian.org>:
Extra info received and forwarded to list.


Message #24 received at 406486@bugs.debian.org:

From: Thijs Kinkhorst <thijs@debian.org>
To: Alex de Oliveira Silva <enerv@host.sk>, 406486@bugs.debian.org
Cc: team@security.debian.org, secure-testing-team@lists.alioth.debian.org
Subject: Reporting useless bugs
Date: Fri, 12 Jan 2007 16:25:07 +0100
Dear members of the security team(s),

On Fri, 2007-01-12 at 11:08 -0300, Alex de Oliveira Silva wrote:
> Multiple vulnerabilities have been identified in phpMyAdmin, which may
> be exploited by attackers to execute arbitrary scripting code. These
> issues are due to unspecified input validation errors when processing
> certain parameters, which could be exploited by attackers to cause
> arbitrary scripting code to be executed by the user's browser in the
> security context of an affected Web site. 

Have you even read this text?

In recent times, I've been receiving more bug reports against packages I
maintain that are worded like above: they are "unspecified"
vulnerabilities over "unspecified" vectors with "unknown" implications.

Please, I appreciate it when bugs are filed, but what value do
contentless bugs like the one above add? How can they be "important"
when there's no information in them?

How would you as a maintainer respond if I submitted a bug against your
package with the text "there's an unknown bug somewhere in your package
with unknown results"?



thanks,
Thijs

Reply sent to Thijs Kinkhorst <thijs@debian.org>:
You have taken responsibility.


Notification sent to Alex de Oliveira Silva <enerv@host.sk>:
Bug acknowledged by developer.


Message #29 received at 406486-close@bugs.debian.org:

From: Thijs Kinkhorst <thijs@debian.org>
To: 406486-close@bugs.debian.org
Subject: Bug#406486: fixed in phpmyadmin 4:2.9.1.1-2
Date: Fri, 12 Jan 2007 14:47:04 +0000
Source: phpmyadmin
Source-Version: 4:2.9.1.1-2

We believe that the bug you reported is fixed in the latest version of
phpmyadmin, which is due to be installed in the Debian FTP archive:

phpmyadmin_2.9.1.1-2.diff.gz
  to pool/main/p/phpmyadmin/phpmyadmin_2.9.1.1-2.diff.gz
phpmyadmin_2.9.1.1-2.dsc
  to pool/main/p/phpmyadmin/phpmyadmin_2.9.1.1-2.dsc
phpmyadmin_2.9.1.1-2_all.deb
  to pool/main/p/phpmyadmin/phpmyadmin_2.9.1.1-2_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 406486@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thijs Kinkhorst <thijs@debian.org> (supplier of updated phpmyadmin package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Fri, 12 Jan 2007 15:29:28 +0100
Source: phpmyadmin
Binary: phpmyadmin
Architecture: source all
Version: 4:2.9.1.1-2
Distribution: unstable
Urgency: high
Maintainer: Thijs Kinkhorst <thijs@debian.org>
Changed-By: Thijs Kinkhorst <thijs@debian.org>
Description: 
 phpmyadmin - Administrate MySQL over the WWW
Closes: 404744 406332 406486
Changes: 
 phpmyadmin (4:2.9.1.1-2) unstable; urgency=high
 .
   * Backport security-related changes from 2.9.2-rc1:
   * CVE-2007-0203: Multiple unspecified vulnerabilities;
     this turns out to be (1) cross site scripting and
     (2) the same as CVE-2006-6374. (Closes: #406332, #406486)
   * CVE-2006-6374: the vulnerability only applies to
     PHP < 5.1.2 and < 4.4.2, so strictly speaking current
     Debian is not vulnerable. Include it anyway, to not expose
     those using older PHP versions. (Closes: #404744)
Files: 
 32f6ddc7c311cbab842d04a60fe0d804 590 web extra phpmyadmin_2.9.1.1-2.dsc
 09970b6e6ad44e9e9e43705f6cc8ff3c 45083 web extra phpmyadmin_2.9.1.1-2.diff.gz
 472b1e681ecf7013f53fa4fdd5c08abb 3590568 web extra phpmyadmin_2.9.1.1-2_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFFp5zSJdKMxZV9WM8RAsrtAJ4u9r2Ett84jpPx/4jCt18USuQA9QCfSXqS
igJIGEpS3BNSi1cmoNOSm0E=
=7yUl
-----END PGP SIGNATURE-----

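The closing message above carries the Debian `.changes` record for 4:2.9.1.1-2, whose `Files:` stanza lists, for each uploaded artifact, an MD5 digest, a size in bytes, section, priority and file name (Format 1.7). The following is an added example, not code from the bug log, from Debian's tooling or from the phpmyadmin package: it parses a `Files:` stanza in exactly that layout and checks local copies of the listed artifacts against it, reporting a missing file, a size mismatch and a digest mismatch separately. The `example_1.0-1.*` file names and their contents are constructed for the demonstration; the phpmyadmin stanza is copied verbatim from the message above and is only parsed, since the packages themselves are not on this page.

```python
"""Verify artifacts against a Debian .changes 'Files:' stanza (Format 1.7).

Added example; not part of the Debian BTS page or of phpmyadmin.
Stanza line layout, as in the .changes message above:
    <md5sum> <size> <section> <priority> <filename>
"""
import hashlib
import os
import re
import shutil
import tempfile

# One continuation line of the Files: field.
FILES_LINE = re.compile(r"^\s*([0-9a-f]{32})\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")

# Verbatim copy of the Files: field from the 4:2.9.1.1-2 .changes above.
PAGE_STANZA = """Files: 
 32f6ddc7c311cbab842d04a60fe0d804 590 web extra phpmyadmin_2.9.1.1-2.dsc
 09970b6e6ad44e9e9e43705f6cc8ff3c 45083 web extra phpmyadmin_2.9.1.1-2.diff.gz
 472b1e681ecf7013f53fa4fdd5c08abb 3590568 web extra phpmyadmin_2.9.1.1-2_all.deb

-----BEGIN PGP SIGNATURE-----
"""


def parse_files_stanza(changes_text):
    """Return [(md5_hex, size, filename), ...] from the 'Files:' field.

    Debian control fields are 'Name: value'; continuation lines start with a
    space, and the field ends at the first line that does not (a blank line
    or the PGP signature armour in the message above).
    """
    entries = []
    in_files = False
    for line in changes_text.splitlines():
        if in_files:
            if not line.startswith(" "):
                break
            m = FILES_LINE.match(line)
            if m:
                entries.append((m.group(1), int(m.group(2)), m.group(5)))
        elif line.startswith("Files:"):
            in_files = True
    return entries


def verify_files(changes_text, pool_dir):
    """Map each listed file name to 'ok', 'missing', 'size-mismatch' or 'md5-mismatch'."""
    results = {}
    for md5_expected, size_expected, name in parse_files_stanza(changes_text):
        # Never let a name from the stanza escape pool_dir ("../" etc.).
        path = os.path.join(pool_dir, os.path.basename(name))
        if not os.path.isfile(path):
            results[name] = "missing"
            continue
        if os.path.getsize(path) != size_expected:
            results[name] = "size-mismatch"
            continue
        h = hashlib.md5()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
        results[name] = "ok" if h.hexdigest() == md5_expected else "md5-mismatch"
    return results


def demo():
    """Constructed pool: one good, one tampered, one truncated and one absent file."""
    good = b"Format: 1.7\nSource: example\nBinary: example\n"
    names = ["example_1.0-1.dsc", "example_1.0-1.diff.gz",
             "example_1.0-1_all.deb", "example_1.0-1.tar.gz"]
    # The stanza promises the bytes of `good` for every file.
    stanza = "Files: \n" + "".join(
        " %s %d web extra %s\n" % (hashlib.md5(good).hexdigest(), len(good), n)
        for n in names) + "\n-----BEGIN PGP SIGNATURE-----\n"
    tmp = tempfile.mkdtemp()
    try:
        on_disk = {
            names[0]: good,                  # intact
            names[1]: b"Y" * len(good),      # same size, different bytes
            names[2]: good + b"trailing",    # wrong size
            # names[3] is deliberately not written
        }
        for n, data in on_disk.items():
            with open(os.path.join(tmp, n), "wb") as f:
                f.write(data)
        return verify_files(stanza, tmp)
    finally:
        shutil.rmtree(tmp)


if __name__ == "__main__":
    print(parse_files_stanza(PAGE_STANZA))
    print(demo())
```

The list is only as trustworthy as the signature over the `.changes` file: check the PGP signature first, then the digests. A Format 1.7 stanza carries MD5 alone, which is collision-prone and is not something to rely on against a deliberately substituted artifact; newer `.changes` files also carry `Checksums-Sha256`, and a check should prefer the strongest digest present.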



Reply sent to Thijs Kinkhorst <thijs@debian.org>:
You have taken responsibility.


Notification sent to Alex de Oliveira Silva <enerv@host.sk>:
Bug acknowledged by developer.


Information forwarded to debian-bugs-dist@lists.debian.org, Thijs Kinkhorst <thijs@debian.org>:
Bug#406486; Package phpmyadmin.


Acknowledgement sent to Martin Schulze <joey@infodrom.org>:
Extra info received and forwarded to list. Copy sent to Thijs Kinkhorst <thijs@debian.org>.


Message #39 received at 406486@bugs.debian.org:

From: Martin Schulze <joey@infodrom.org>
To: Thijs Kinkhorst <thijs@debian.org>
Cc: Alex de Oliveira Silva <enerv@host.sk>, 406486@bugs.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org
Subject: Re: Reporting useless bugs
Date: Fri, 12 Jan 2007 16:45:17 +0100
Thijs Kinkhorst wrote:
> Dear members of the security team(s),
> 
> On Fri, 2007-01-12 at 11:08 -0300, Alex de Oliveira Silva wrote:
> > Multiple vulnerabilities have been identified in phpMyAdmin, which may
> > be exploited by attackers to execute arbitrary scripting code. These
> > issues are due to unspecified input validation errors when processing
> > certain parameters, which could be exploited by attackers to cause
> > arbitrary scripting code to be executed by the user's browser in the
> > security context of an affected Web site. 
> 
> Have you even read this text?
> 
> In recent times, I've been receiving more bug reports against packages I
> maintain that are worded like above: they are "unspecified"
> vulnerabilities over "unspecified" vectors with "unknown" implications.
> 
> Please, I appreciate it when bugs are filed, but what value do
> contentless bugs like the one above add? How can they be "important"
> when there's no information in them?
> 
> How would you as a maintainer respond if I submitted a bug against his
> package with the text "there's an unknown bug somewhere in your package
> with unknown results"?

You could probably start writing 15k bugs...

Regards,

	Joey

-- 
Beware of bugs in the above code; I have only proved it correct,
not tried it.  -- Donald E. Knuth

Please always Cc to me when replying to me on the lists.



Changed Bug title. Request was from Alex de Oliveira Silva <enerv@host.sk> to control@bugs.debian.org.


Information forwarded to debian-bugs-dist@lists.debian.org, Thijs Kinkhorst <thijs@debian.org>:
Bug#406486; Package phpmyadmin.


Acknowledgement sent to Alex de Oliveira Silva <enerv@host.sk>:
Extra info received and forwarded to list. Copy sent to Thijs Kinkhorst <thijs@debian.org>.


Message #46 received at 406486@bugs.debian.org:

From: Alex de Oliveira Silva <enerv@host.sk>
To: Martin Schulze <joey@infodrom.org>, 406486@bugs.debian.org
Subject: Re: Bug#406486: Reporting useless bugs
Date: Fri, 12 Jan 2007 14:52:27 -0300
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Martin Schulze wrote:
>
>
> You could probably start writing 15k bugs...
>
> Regards,
>
> Joey
>
I was only trying to help. Sorry.
For my next bugs, I will wait for more information.

regards,
- --
   .''`.
  : :' :    Alex de Oliveira Silva | enerv
  `. `'     www.enerv.net
    `-
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFFp8rbarbczl+z12gRAro/AJ4m6StTCqBTExoOS4Kp9XzMhrW1/QCeOHdg
oT/gmMfCT/hn8n/XpmT87vM=
=Vdgh
-----END PGP SIGNATURE-----




Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#406486; Package phpmyadmin.


Acknowledgement sent to Thijs Kinkhorst <thijs@debian.org>:
Extra info received and forwarded to list.


Message #51 received at 406486@bugs.debian.org:

From: Thijs Kinkhorst <thijs@debian.org>
To: Alex de Oliveira Silva <enerv@host.sk>, 406486@bugs.debian.org
Cc: Martin Schulze <joey@infodrom.org>
Subject: Re: Bug#406486: Reporting useless bugs
Date: Sat, 13 Jan 2007 22:45:40 +0100
On Fri, 2007-01-12 at 14:52 -0300, Alex de Oliveira Silva wrote:
> I only trying help. Sorry.

I appreciate your help very much, I think it makes Debian more secure.


Thijs

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 25 Jun 2007 03:38:44 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:42:31 2019; Machine Name: buxtehude
