Announcement-ID: PMASA-2007-3
Date: 2007-03-02
Summary: PHP Executor Deep Recursion Stack Overflow
Description: Stefan Esser from the Hardened-PHP Project is publishing the Month of PHP Bugs. One of these PHP bugs can be triggered by phpMyAdmin, which uses a recursive function in its normal operation.
Severity: We consider this vulnerability to be serious.
Affected versions: All versions prior to 2.10.0.2.
Solution: Upgrade to phpMyAdmin 2.10.0.2 or newer. Note that upgrading phpMyAdmin does not protect a server against an attacker that targets other vulnerable PHP applications.
Patches: Patches are available in this tracker: http://sourceforge.net/tracker/index.php?func=detail&aid=1671813&group_id=23067&atid=377408
Reference: http://www.php-security.org/MOPB/MOPB-02-2007.html
For further information and in case of questions, please contact the phpMyAdmin team. Our website is http://www.phpmyadmin.net/.
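The advisory's point is that phpMyAdmin's own recursive function is the trigger, while the crash itself lives in the PHP executor. The example below is added here and is not phpMyAdmin's code or its actual fix: it shows the application-side workaround of bounding recursion depth (and, alternatively, replacing call recursion with an explicit work stack) so that malformed or hostile nested input cannot drive the executor into unbounded recursion. The function names, the MAX_DEPTH value and the sample trees are all hypothetical.

```php
<?php
// Added example (not phpMyAdmin code): bound recursion depth in application code.
// PHP 5, the version current at the time of this advisory, had no recursion
// limit of its own and executed nested userland calls on the native C stack,
// so runaway recursion ended in a crash of the interpreter. These guards make
// the application fail closed (an exception) before that point is reached.

declare(strict_types=1);

const MAX_DEPTH = 64; // hypothetical limit; choose one above any legitimate nesting

/**
 * Flatten a nested tree (e.g. database > table > column) into "a/b/c" paths,
 * refusing with an exception instead of recursing once nesting exceeds MAX_DEPTH.
 *
 * @param array<string|int, mixed> $node
 * @return string[]
 */
function flattenBounded(array $node, string $prefix = '', int $depth = 0): array
{
    if ($depth > MAX_DEPTH) {
        throw new LengthException("nesting deeper than " . MAX_DEPTH . " at '$prefix'");
    }
    $paths = [];
    foreach ($node as $name => $child) {
        $path = $prefix === '' ? (string) $name : "$prefix/$name";
        if (is_array($child) && $child !== []) {
            $paths = array_merge($paths, flattenBounded($child, $path, $depth + 1));
        } else {
            $paths[] = $path;
        }
    }
    return $paths;
}

/**
 * The same traversal with an explicit work stack instead of call recursion:
 * its state lives on the heap, where memory_limit applies, rather than on
 * the native stack of the executor.
 *
 * @param array<string|int, mixed> $root
 * @return string[]
 */
function flattenIterative(array $root): array
{
    $paths = [];
    $stack = [['', $root]];
    while ($stack !== []) {
        [$prefix, $node] = array_pop($stack);
        foreach ($node as $name => $child) {
            $path = $prefix === '' ? (string) $name : "$prefix/$name";
            if (is_array($child) && $child !== []) {
                $stack[] = [$path, $child];
            } else {
                $paths[] = $path;
            }
        }
    }
    return $paths;
}

// Constructed sample input: a small, legitimate tree ...
$tree = ['angelos' => ['users' => ['id' => null, 'name' => null]]];
print_r(flattenBounded($tree)); // angelos/users/id, angelos/users/name

// ... and a constructed hostile one, nested far deeper than anything legitimate.
$deep = [];
for ($i = 0; $i < 10000; $i++) {
    $deep = ['n' => $deep];
}
try {
    flattenBounded($deep); // refused once depth passes MAX_DEPTH, no crash
} catch (LengthException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
echo count(flattenIterative($deep)), " leaf path(s) from the deep tree\n"; // 1
```

The depth guard is the smaller change to retrofit into an existing recursive routine; the iterative form is preferable where the input depth is genuinely unbounded and attacker-controlled. Either way, as the advisory notes, this only protects the one application: the executor bug itself is fixed in PHP, not here.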
2.10.0.2 is in the tree
Thanks Renat. Arches, please test phpMyAdmin 2.10.0.2 and mark stable if possible.
After creating a database:

Warning: require_once(./db_details_structure.php) [function.require-once]: failed to open stream: No such file or directory in /var/www/localhost/htdocs/phpmyadmin/db_create.php on line 42

Selecting a database results in a 404, same with tables. access.log:

127.0.0.1 localhost - [05/Mar/2007:21:38:32 +0100] "GET /phpmyadmin/db_details_structure.php?server=1&db=angelos&table=&lang=de-utf-8&collation_connection=utf8_unicode_ci HTTP/1.1" 404 345 "http://localhost/phpmyadmin/navigation.php?token=f9addbcfe4fc8145f643f8aefd391b97" "Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.8.1.2) Gecko/20070303 Firefox/2.0.0.2"
127.0.0.1 localhost - [05/Mar/2007:21:38:33 +0100] "GET /phpmyadmin/tbl_properties_structure.php?db=angelos&token=f9addbcfe4fc8145f643f8aefd391b97&table=users HTTP/1.1" 404 345 "http://localhost/phpmyadmin/navigation.php?server=1&db=angelos&table=&lang=de-utf-8&collation_connection=utf8_unicode_ci" "Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.8.1.2) Gecko/20070303 Firefox/2.0.0.2"
Works for me... x86 stable.
works here, too. ppc64 stable
Hmm, works after unmerging, removing the old phpmyadmin directory and emerging a new, clean version. Simply upgrading didn't work.
Stable for HPPA (killerfox).
amd64 stable
ppc stable
sparc stable.
Stable on alpha
I don't know how to handle that kind of bug that seems to belong to PHP rather than to the applications using PHP. Personally I tend to think that's a PHP vulnerability.
This seems like a PHP vuln to me. Upgrading phpmyadmin is only a workaround for phpmyadmin users.
I fully agree, but I don't know in which PHP version this is fixed. BTW I vote NOGLSA since it's a PHP bug.
I agree on the NO GLSA part if we'll have a PHP GLSA.
Then let's close it as soon as the dependent bug 169372 is GLSA-sent.
Agreed on no GLSA, and updating status accordingly.
Pushing it to enhancement until it can be closed.
So what's the deal here?
Waiting for PHP GLSA to be sent, nothing else I think.
GLSA 200705-19 was issued a few days ago, closing then.