Bug 104124 - dev-db/phpmyadmin: 2 XSS issues
Summary: dev-db/phpmyadmin: 2 XSS issues
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
URL: http://www.phpmyadmin.net/home_page/d...
Whiteboard: B4 [noglsa] DerCorny
Keywords:
Depends on:
Blocks:
 
Reported: 2005-08-29 05:19 UTC by Sune Kloppenborg Jeppesen (RETIRED)
Modified: 2005-08-31 00:48 UTC
CC List: 1 user

See Also:
Package list:
Runtime testing required: ---
Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-08-29 05:19:55 UTC
XSS on table creation page 
XSS on the cookie-based login panel
Comment 1 Stefan Cornelius (RETIRED) gentoo-dev 2005-08-29 05:57:59 UTC
web-apps team, please provide a fixed ebuild, thanks.
Comment 2 Renat Lumpau (RETIRED) gentoo-dev 2005-08-29 08:08:46 UTC
I committed 2.6.4_rc1 last night
Comment 3 Jean-François Brunette (RETIRED) gentoo-dev 2005-08-29 09:37:42 UTC
Arches, please test and mark stable
Comment 4 Renat Lumpau (RETIRED) gentoo-dev 2005-08-29 09:59:59 UTC
stable on x86
Comment 5 Gustavo Zacarias (RETIRED) gentoo-dev 2005-08-29 10:58:50 UTC
sparc stable.
Comment 6 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev 2005-08-29 13:08:28 UTC
Stable on ppc and hppa.
Comment 7 Marcus D. Hanwell (RETIRED) gentoo-dev 2005-08-29 13:28:25 UTC
Stable on amd64. 
Comment 8 Chris Russell (RETIRED) gentoo-dev 2005-08-30 03:47:59 UTC
this was odd, the post-install instructions issued after the upgrade had the old
version listed, not the new one... (see below)
I ran "# mysql -u root -p < /usr/share/webapps/phpmyadmin/2.6.4_rc1/sqlscripts/mysql/2.6.4_rc1_create.sql"
manually but the less observant might miss it.

# webapp-config -U -h localhost -d phpmyadmin phpmyadmin 2.6.4_rc1
 * Upgrading phpmyadmin-2.6.2-r2 to phpmyadmin-2.6.4_rc1
 *   Installed by root on 2005-05-07 14:36:09
 *   Config files owned by root:root

 *   Creating required directories
 *   Linking in required files
 *     This can take several minutes for larger apps
--- cfgpro file config.inc.php
^o^ hiding ./._cfg0000_config.inc.php
 *   Files and directories installed

 * One or more files have been config protected
 * To complete your install, you need to run this command:
 * 
 *   CONFIG_PROTECT="/var/www/localhost/htdocs/phpmyadmin" etc-update

 * Install completed - success
 * Removing old version phpmyadmin-2.6.2-r2
--- cfgpro file config.inc.php
<snipped>
 * Remove whatever is listed above by hand

=================================================================
POST-INSTALL INSTRUCTIONS
=================================================================

To complete installation, you must

1. Update MySQL's grant tables and the pmadb database:
     mysql -u root -p < /usr/share/webapps/phpmyadmin/2.6.2-r2/sqlscripts/mysql/2.6.2-r2_create.sql

If <snip>
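Comment 8 above shows the failure mode: after 2.6.4_rc1 was installed, the post-install text still names the 2.6.2-r2 create script, so an admin who pastes that line points mysql at the old version's script. The helper below is an added example, not code from this bug, from phpMyAdmin or from webapp-config. It takes the version actually passed to webapp-config, builds the script path from the directory layout seen in the log above (/usr/share/webapps/phpmyadmin/<version>/sqlscripts/mysql/<version>_create.sql), refuses to print a path if that file is absent, and can check whether a path printed in an install message belongs to the installed version. WEBAPPS_ROOT is a hypothetical override so the functions can be pointed at a scratch tree.

```shell
#!/bin/sh
# Added example for Gentoo bug 104124; not part of the bug, phpMyAdmin or
# webapp-config.  Layout assumed, as seen in the upgrade log:
#   $WEBAPPS_ROOT/<version>/sqlscripts/mysql/<version>_create.sql
# WEBAPPS_ROOT is a hypothetical override (defaults to the real Gentoo path).

WEBAPPS_ROOT="${WEBAPPS_ROOT:-/usr/share/webapps/phpmyadmin}"

# Print the create.sql path for the given version; exit status 1 if the
# file is not there (e.g. the version string was copied from a stale message).
pma_create_sql() {
    ver="$1"
    [ -n "$ver" ] || { echo "usage: pma_create_sql <version>" >&2; return 2; }
    f="$WEBAPPS_ROOT/$ver/sqlscripts/mysql/${ver}_create.sql"
    if [ ! -f "$f" ]; then
        echo "no create script for phpmyadmin $ver at $f" >&2
        return 1
    fi
    printf '%s\n' "$f"
}

# Return 0 if a script path printed by an install message belongs to the
# version actually installed, 1 if it names some other version.
pma_hint_matches() {
    hint="$1"
    ver="$2"
    case "$hint" in
        "$WEBAPPS_ROOT/$ver/"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Typical use on a real host, as root:
#   mysql -u root -p < "$(pma_create_sql 2.6.4_rc1)"
```

Feed the output of pma_create_sql to mysql instead of copying the path from the post-install text; pma_hint_matches with the printed path and the version you installed flags the stale hint seen above.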
Comment 9 Renat Lumpau (RETIRED) gentoo-dev 2005-08-30 05:46:09 UTC
See bug #98142
Comment 10 Jose Luis Rivero (yoswink) (RETIRED) gentoo-dev 2005-08-30 12:19:55 UTC
2.6.4_rc1 stable on alpha. 

Sorry about the delay :)
Comment 11 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-08-30 12:29:28 UTC
This one is ready for GLSA vote, I tend to vote NO. 
Comment 12 Stefan Cornelius (RETIRED) gentoo-dev 2005-08-30 19:57:12 UTC
i'd say no, too
Comment 13 Thierry Carrez (RETIRED) gentoo-dev 2005-08-31 00:26:18 UTC
I agree it's lame (XSS on a typically Intranet/admin tool), but we did GLSAs for
this in the past (see GLSA 200504-08), so I'll play the devil's advocate and
vote YES :) 

[that said, the phpmyadmin folks didn't even issue an advisory about this one]
Comment 14 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2005-08-31 00:31:28 UTC
I don't know if I count as anything here, but as part of web-apps, and one of 
the upstream authors, I'd like to vote no.
Comment 15 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-08-31 00:48:32 UTC
Voting full NO and Closing. Feel free to reopen if you disagree.