Debian Bug report logs - #406486
CVE-2007-0204: phpmyadmin: Multiple unspecified
Reported by: Alex de Oliveira Silva <enerv@host.sk>
Date: Thu, 11 Jan 2007 15:48:02 UTC
Severity: important
Tags: security
Merged with 406332
Found in version phpmyadmin/4:2.9.1.1-1
Fixed in version phpmyadmin/4:2.9.1.1-2
Done: Thijs Kinkhorst <thijs@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, Thijs Kinkhorst <thijs@debian.org>: Bug#406486; Package phpmyadmin.
Acknowledgement sent to Alex de Oliveira Silva <enerv@host.sk>: New Bug report received and forwarded. Copy sent to Thijs Kinkhorst <thijs@debian.org>.
Message #5 received at submit@bugs.debian.org:
Package: phpmyadmin
Severity: important
Tags: security
Some vulnerabilities have been reported in phpMyAdmin, some of which
have unknown impacts, while some can be exploited by malicious people to
conduct cross-site scripting attacks.
1) Input passed to unspecified parameters is not properly sanitised
before being returned to the user. This can be exploited to execute
arbitrary HTML and script code in a user's browser session in context of
an affected site.
2) Some vulnerabilities exist, which are caused due to unspecified
errors in phpMyAdmin. No further information is currently available.
The vulnerabilities are reported in version 2.9.1.1. Other versions may
also be affected.
Reference: http://secunia.com/advisories/23702
-- System Information:
Debian Release: 4.0
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-3-486
Locale: LANG=pt_BR.UTF-8, LC_CTYPE=pt_BR.UTF-8 (charmap=UTF-8)
--
.''`.
: :' : Alex de Oliveira Silva | enerv
`. `' www.enerv.net
`-
Information forwarded to debian-bugs-dist@lists.debian.org: Bug#406486; Package phpmyadmin.
Acknowledgement sent to Thijs Kinkhorst <thijs@debian.org>: Extra info received and forwarded to list.
Message #10 received at 406486@bugs.debian.org:
Hi Alex,
On Thu, 2007-01-11 at 11:53 -0300, Alex de Oliveira Silva wrote:
> Some vulnerabilities have been reported in phpMyAdmin, some of which
> have unknown impacts, while some can be exploited by malicious people to
> conduct cross-site scripting attacks.
I appreciate your notification, but how come you're reporting the exact
same text that you've reported yesterday already?
Thijs
Information forwarded to debian-bugs-dist@lists.debian.org, Thijs Kinkhorst <thijs@debian.org>: Bug#406486; Package phpmyadmin.
Acknowledgement sent to Alex de Oliveira Silva <enerv@host.sk>: Extra info received and forwarded to list. Copy sent to Thijs Kinkhorst <thijs@debian.org>.
Message #17 received at 406486@bugs.debian.org:
Sorry Thijs.
The correct description is this. :)
Multiple vulnerabilities have been identified in phpMyAdmin, which may
be exploited by attackers to execute arbitrary scripting code. These
issues are due to unspecified input validation errors when processing
certain parameters, which could be exploited by attackers to cause
arbitrary scripting code to be executed by the user's browser in the
security context of an affected Web site.
Affected Products
phpMyAdmin version 2.9.1.1 and prior
Solution
Upgrade to phpMyAdmin version 2.9.2-rc1 :
http://www.phpmyadmin.net/home_page/downloads.php
References
http://www.frsirt.com/english/advisories/2007/0125
http://www.phpmyadmin.net/home_page/downloads.php?relnotes=0
regards,
--
.''`.
: :' : Alex de Oliveira Silva | enerv
`. `' www.enerv.net
`-
Changed Bug title. Request was from Alex de Oliveira Silva <enerv@host.sk> to control@bugs.debian.org.
Information forwarded to debian-bugs-dist@lists.debian.org: Bug#406486; Package phpmyadmin.
Acknowledgement sent to Thijs Kinkhorst <thijs@debian.org>: Extra info received and forwarded to list.
Message #24 received at 406486@bugs.debian.org:
Dear members of the security team(s),
On Fri, 2007-01-12 at 11:08 -0300, Alex de Oliveira Silva wrote:
> Multiple vulnerabilities have been identified in phpMyAdmin, which may
> be exploited by attackers to execute arbitrary scripting code. These
> issues are due to unspecified input validation errors when processing
> certain parameters, which could be exploited by attackers to cause
> arbitrary scripting code to be executed by the user's browser in the
> security context of an affected Web site.
Have you even read this text?
In recent times, I've been receiving more bug reports against packages I
maintain that are worded like above: they are "unspecified"
vulnerabilities over "unspecified" vectors with "unknown" implications.
Please, I appreciate it when bugs are filed, but what value do
contentless bugs like the one above add? How can they be "important"
when there's no information in them?
How would you as a maintainer respond if I submitted a bug against your
package with the text "there's an unknown bug somewhere in your package
with unknown results"?
thanks,
Thijs
Reply sent to Thijs Kinkhorst <thijs@debian.org>: You have taken responsibility.
Notification sent to Alex de Oliveira Silva <enerv@host.sk>: Bug acknowledged by developer.
Message #29 received at 406486-close@bugs.debian.org:
Source: phpmyadmin
Source-Version: 4:2.9.1.1-2
We believe that the bug you reported is fixed in the latest version of
phpmyadmin, which is due to be installed in the Debian FTP archive:
phpmyadmin_2.9.1.1-2.diff.gz
to pool/main/p/phpmyadmin/phpmyadmin_2.9.1.1-2.diff.gz
phpmyadmin_2.9.1.1-2.dsc
to pool/main/p/phpmyadmin/phpmyadmin_2.9.1.1-2.dsc
phpmyadmin_2.9.1.1-2_all.deb
to pool/main/p/phpmyadmin/phpmyadmin_2.9.1.1-2_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 406486@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Thijs Kinkhorst <thijs@debian.org> (supplier of updated phpmyadmin package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
Format: 1.7
Date: Fri, 12 Jan 2007 15:29:28 +0100
Source: phpmyadmin
Binary: phpmyadmin
Architecture: source all
Version: 4:2.9.1.1-2
Distribution: unstable
Urgency: high
Maintainer: Thijs Kinkhorst <thijs@debian.org>
Changed-By: Thijs Kinkhorst <thijs@debian.org>
Description:
phpmyadmin - Administrate MySQL over the WWW
Closes: 404744 406332 406486
Changes:
phpmyadmin (4:2.9.1.1-2) unstable; urgency=high
.
* Backport security-related changes from 2.9.2-rc1:
* CVE-2007-0203: Multiple unspecified vulnerabilities;
this turns out to be (1) cross site scripting and
(2) the same as CVE-2006-6374. (Closes: #406332, #406486)
* CVE-2006-6374: the vulnerability only applies to
PHP < 5.1.2 and < 4.4.2, so strictly speaking current
Debian is not vulnerable. Include it anyway, to not expose
those using older PHP versions. (Closes: #404744)
Files:
32f6ddc7c311cbab842d04a60fe0d804 590 web extra phpmyadmin_2.9.1.1-2.dsc
09970b6e6ad44e9e9e43705f6cc8ff3c 45083 web extra phpmyadmin_2.9.1.1-2.diff.gz
472b1e681ecf7013f53fa4fdd5c08abb 3590568 web extra phpmyadmin_2.9.1.1-2_all.deb
Reply sent to Thijs Kinkhorst <thijs@debian.org>: You have taken responsibility.
Notification sent to Alex de Oliveira Silva <enerv@host.sk>: Bug acknowledged by developer.
Information forwarded to debian-bugs-dist@lists.debian.org, Thijs Kinkhorst <thijs@debian.org>: Bug#406486; Package phpmyadmin.
Acknowledgement sent to Martin Schulze <joey@infodrom.org>: Extra info received and forwarded to list. Copy sent to Thijs Kinkhorst <thijs@debian.org>.
Message #39 received at 406486@bugs.debian.org:
Thijs Kinkhorst wrote:
> Dear members of the security team(s),
>
> On Fri, 2007-01-12 at 11:08 -0300, Alex de Oliveira Silva wrote:
> > Multiple vulnerabilities have been identified in phpMyAdmin, which may
> > be exploited by attackers to execute arbitrary scripting code. These
> > issues are due to unspecified input validation errors when processing
> > certain parameters, which could be exploited by attackers to cause
> > arbitrary scripting code to be executed by the user's browser in the
> > security context of an affected Web site.
>
> Have you even read this text?
>
> In recent times, I've been receiving more bug reports against packages I
> maintain that are worded like above: they are "unspecified"
> vulnerabilities over "unspecified" vectors with "unknown" implications.
>
> Please, I appreciate it when bugs are filed, but what value do
> contentless bugs like the one above add? How can they be "important"
> when there's no information in them?
>
> How would you as a maintainer respond if I submitted a bug against his
> package with the text "there's an unknown bug somewhere in your package
> with unknown results"?
You could probably start writing 15k bugs...
Regards,
Joey
--
Beware of bugs in the above code; I have only proved it correct,
not tried it. -- Donald E. Knuth
Please always Cc to me when replying to me on the lists.
Changed Bug title. Request was from Alex de Oliveira Silva <enerv@host.sk> to control@bugs.debian.org.
Information forwarded to debian-bugs-dist@lists.debian.org, Thijs Kinkhorst <thijs@debian.org>: Bug#406486; Package phpmyadmin.
Acknowledgement sent to Alex de Oliveira Silva <enerv@host.sk>: Extra info received and forwarded to list. Copy sent to Thijs Kinkhorst <thijs@debian.org>.
Message #46 received at 406486@bugs.debian.org:
Martin Schulze wrote:
>
>
> You could probably start writing 15k bugs...
>
> Regards,
>
> Joey
>
I was only trying to help. Sorry.
For my next bugs, I will wait for more information.
regards,
--
.''`.
: :' : Alex de Oliveira Silva | enerv
`. `' www.enerv.net
`-
Information forwarded to debian-bugs-dist@lists.debian.org: Bug#406486; Package phpmyadmin.
Acknowledgement sent to Thijs Kinkhorst <thijs@debian.org>: Extra info received and forwarded to list.
Message #51 received at 406486@bugs.debian.org:
On Fri, 2007-01-12 at 14:52 -0300, Alex de Oliveira Silva wrote:
> I only trying help. Sorry.
I appreciate your help very much, I think it makes Debian more secure.
Thijs
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 25 Jun 2007 03:38:44 GMT)
Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:42:31 2019; Machine Name: buxtehude