CVE-2005-3665: Cross-site scripting by trusting potentially user-supplied input.

Debian Bug report logs - #340438
CVE-2005-3665: Cross-site scripting by trusting potentially user-supplied input.

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Piotr Roszatycki <Piotr_Roszatycki@netia.net.pl>

To: Undisclosed.Recipients: ;

Cc: submit@bugs.debian.org

Subject: CVE-2005-3665: Cross-site scripting by trusting potentially user-supplied input.

Date: Wed, 23 Nov 2005 14:30:08 +0100

[Message part 1 (text/plain, inline)]

Package: phpmyadmin
Version: 4:2.6.2-3sarge1, 4:2.6.4-pl4-1
Severity: critical

The patch by Martin Schulze in attachment.
-- 
 .''`.    Piotr Roszatycki, Netia SA
: :' :    mailto:Piotr_Roszatycki@netia.net.pl
`. `'     mailto:dexter@debian.org
  `-

[105.CVE-2005-3665.patch (text/x-diff, attachment)]

Message #12 received at 340438-close@bugs.debian.org (full text, mbox, reply):

From: Piotr Roszatycki <dexter@debian.org>

To: 340438-close@bugs.debian.org

Subject: Bug#340438: fixed in phpmyadmin 4:2.6.4-pl4-2

Date: Wed, 23 Nov 2005 07:17:13 -0800

Source: phpmyadmin
Source-Version: 4:2.6.4-pl4-2

We believe that the bug you reported is fixed in the latest version of
phpmyadmin, which is due to be installed in the Debian FTP archive:

phpmyadmin_2.6.4-pl4-2.diff.gz
  to pool/main/p/phpmyadmin/phpmyadmin_2.6.4-pl4-2.diff.gz
phpmyadmin_2.6.4-pl4-2.dsc
  to pool/main/p/phpmyadmin/phpmyadmin_2.6.4-pl4-2.dsc
phpmyadmin_2.6.4-pl4-2_all.deb
  to pool/main/p/phpmyadmin/phpmyadmin_2.6.4-pl4-2_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 340438@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Piotr Roszatycki <dexter@debian.org> (supplier of updated phpmyadmin package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Wed, 23 Nov 2005 14:31:15 +0100
Source: phpmyadmin
Binary: phpmyadmin
Architecture: source all
Version: 4:2.6.4-pl4-2
Distribution: unstable
Urgency: high
Maintainer: Piotr Roszatycki <dexter@debian.org>
Changed-By: Piotr Roszatycki <dexter@debian.org>
Description: 
 phpmyadmin - set of PHP-scripts to administrate MySQL over the WWW
Closes: 340438
Changes: 
 phpmyadmin (4:2.6.4-pl4-2) unstable; urgency=high
 .
   * Security fix: Cross-site scripting by trusting potentially user-supplied
     input.
     See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3665
     New 200-CVE-2005-3665.patch. Closes: #340438.
Files: 
 f50724af5d1d1a94e4c59cde254bb29d 646 web extra phpmyadmin_2.6.4-pl4-2.dsc
 dee08e0b184a51ddbf56957768ea614d 32276 web extra phpmyadmin_2.6.4-pl4-2.diff.gz
 9c111a6f12bfd7b3dcaba01442714f7c 2900452 web extra phpmyadmin_2.6.4-pl4-2_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFDhHXshMHHe8CxClsRAgG8AJ9NDBKuy4+YxboG+4J3QgYk5PxirACgvKuJ
zMyDIO5g/oE0YohLy6CqYIk=
=+uRG
-----END PGP SIGNATURE-----

Message #17 received at 340438@bugs.debian.org (full text, mbox, reply):

From: Thijs Kinkhorst <thijs@debian.org>

To: 339437@bugs.debian.org, 340438@bugs.debian.org, 362567@bugs.debian.org, 368082@bugs.debian.org

Cc: control@bugs.debian.org, team@security.debian.org

Subject: phpMyAdmin security vulnerabilities for sarge

Date: Thu, 03 Aug 2006 13:22:37 +0200

[Message part 1 (text/plain, inline)]

close 360726 4:2.6.2-3sarge1
thanks

Hello All,

I've checked out all open CVE's with respect to sarge. All are already
fixed in sid. I've prepared a package that fixes the ones that are
relevant. See the breakdown here:

> CVE-2005-3621   CRLF injection vulnerability in phpMyAdmin before 2.6.4-pl4 allows ...

Vulnerable, fixed in update.

> CVE-2005-3665   Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin ...

Vulnerable, fixed in update.

> CVE-2005-3787   Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin ...

This was all already fixed in 4:2.6.2-3sarge1.

> CVE-2006-1258   Cross-site scripting (XSS) vulnerability in phpMyAdmin 2.8.0.1 allows ...

Code not present in sarge - can be marked as not vulnerable.

> CVE-2006-1678   Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin ...

Vulnerable, fixed in update.

> CVE-2006-1803   Cross-site scripting (XSS) vulnerability in sql.php in phpMyAdmin ...

Can not reproduce and in suggested to be a false duplicate of
CVE-2006-1804. I'm considering this one to be not vulnerable in sarge.

> CVE-2006-1804   XSRF SQL injection vulnerability in sql.php in phpMyAdmin 2.7.0-pl1 allows ...

Our sarge version doesn't have the whole XSRF-countering-mechanism so
this requires major code overhauls to address. XSRF is very common in
webapps and not easily fixed; it's doubtful if it's at all fixable.

> CVE-2006-2031   Cross-site scripting (XSS) vulnerability in index.php in phpMyAdmin ...

Not vulnerable, code not present in sarge.

> CVE-2006-2417   Cross-site scripting (XSS) vulnerability in phpMyAdmin 2.8.0.x before ...

Not vulnerable, code not present in sarge.

> CVE-2006-2418   Cross-site scripting (XSS) vulnerabilities in certain versions of ...

Vulnerable, fixed in update.

> CVE-2006-3388   Cross-site scripting (XSS) vulnerability in phpMyAdmin before 2.8.2 ...

Not vulnerable, code not present in sarge.

I've prepared an updated package, it can be found here:
http://www.a-eskwadraat.nl/~kink/debian/

Please let me know if it's ok and I'll upload it to the security
archive.


Thijs

[signature.asc (application/pgp-signature, inline)]

Message #22 received at 340438@bugs.debian.org (full text, mbox, reply):

From: Moritz Muehlenhoff <jmm@inutil.org>

To: Thijs Kinkhorst <thijs@debian.org>

Cc: 339437@bugs.debian.org, 340438@bugs.debian.org, 362567@bugs.debian.org, 368082@bugs.debian.org, team@security.debian.org

Subject: Re: phpMyAdmin security vulnerabilities for sarge

Date: Mon, 7 Aug 2006 20:48:12 +0200

On Thu, Aug 03, 2006 at 01:22:37PM +0200, Thijs Kinkhorst wrote:
> close 360726 4:2.6.2-3sarge1
> thanks
> 
> Hello All,
> 
> I've checked out all open CVE's with respect to sarge. All are already
> fixed in sid. I've prepared a package that fixes the ones that are
> relevant. See the breakdown here:

Thanks a lot for your work.

> I've prepared an updated package, it can be found here:
> http://www.a-eskwadraat.nl/~kink/debian/
> 
> Please let me know if it's ok and I'll upload it to the security
> archive.

Please
- drop all po i18n updates
- fix indendation of the phpmyadmin-2.6.2/libraries/header_http.inc.php changes
  for CVE-2005-3621
- raise the version number to sarge3, we have an unsuitable sarge2 in the
  security queue (you couldn't know that and I forgot to tell you in advance,
  sorry)

The security fixes look all good.

Cheers,
        Moritz

Send a report that this bug log contains spam.