Bug 195707 - dev-db/phpmyadmin < 2.11.1.1 "setup.php" Cross-Site Scripting Vulnerability (CVE-2007-5386)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
URL: http://secunia.com/advisories/27173/
Whiteboard: B4 [noglsa]
Depends on: 195843 196237
Reported: 2007-10-13 15:37 UTC by Tobias Heinlein (RETIRED)
Modified: 2007-10-25 18:51 UTC (History)
Description Tobias Heinlein (RETIRED) gentoo-dev 2007-10-13 15:37:37 UTC
Omer Singer has reported a vulnerability in phpMyAdmin, which can be exploited by malicious people to conduct cross-site scripting attacks.

Input passed via the URL is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

Successful exploitation requires that the user is running a browser that has not URL-encoded the request (e.g. Internet Explorer 6).

The vulnerability is reported in version 2.11.1. Other versions may also be affected.

Solution:
Fixed in the SVN repository.
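
The browser condition in the description above, as an added example (not phpMyAdmin's code and not part of the original report): a page that echoes the raw request URI is only affected when markup characters arrive unencoded, and output encoding removes the dependency on browser behaviour. The function names, the `/setup.php?x=` request and the probe string are constructed for illustration, and reflecting the request URI is an assumption about how the input reaches the page.

```php
<?php
// Added illustration, not phpMyAdmin's code. Models a page that writes the
// raw request URI back into HTML without decoding it first (assumption).

// Unsafe: the URI is interpolated into markup with no output encoding.
function render_unsafe(string $requestUri): string
{
    return '<form action="' . $requestUri . '" method="post">';
}

// Hardened: encode for the HTML attribute context at the point of output.
function render_safe(string $requestUri): string
{
    $escaped = htmlspecialchars($requestUri, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<form action="' . $escaped . '" method="post">';
}

// True if the caller-supplied markup reached the output byte-for-byte.
function markup_survives(string $html, string $probe): bool
{
    return strpos($html, $probe) !== false;
}

// Constructed sample: a harmless formatting probe, not taken from the report.
$probe = '"><b>probe</b>';
$requests = [
    // What a client sends when it does not URL-encode the request line.
    'raw (not URL-encoded)'   => '/setup.php?x=' . $probe,
    // What a client sends when it percent-encodes the same characters.
    'percent-encoded request' => '/setup.php?x=' . rawurlencode($probe),
];

foreach ($requests as $label => $uri) {
    printf(
        "%-26s unsafe=%-8s safe=%s\n",
        $label,
        markup_survives(render_unsafe($uri), $probe) ? 'INJECTED' : 'inert',
        markup_survives(render_safe($uri), $probe) ? 'INJECTED' : 'inert'
    );
}
```

Only the raw request against `render_unsafe()` reports `INJECTED`; the encoded request is inert in both renderers, which is why the report ties exploitability to the client's encoding behaviour.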
Comment 1 Tobias Heinlein (RETIRED) gentoo-dev 2007-10-13 15:40:26 UTC
Maintainers, please provide an updated ebuild.
Comment 2 Gunnar Wrobel (RETIRED) gentoo-dev 2007-10-14 06:32:19 UTC
phpmyadmin-2.11.1 is in the tree including the patch for the issue.

Target archs: alpha amd64 hppa ppc ppc64 sparc x86
Comment 3 Dawid Węgliński (RETIRED) gentoo-dev 2007-10-14 12:06:10 UTC
Stable on x86
Comment 4 Jakub Moc (RETIRED) gentoo-dev 2007-10-14 14:15:43 UTC
Err, wait, the thing is borked (Bug 195843).
Comment 5 Christian Faulhammer (RETIRED) gentoo-dev 2007-10-14 18:26:23 UTC
I reverted stable x86 KEYWORD back to ~x86
Comment 6 ScytheMan 2007-10-14 20:06:13 UTC
With this bug, this one http://bugs.gentoo.org/show_bug.cgi?id=183114 should be redundant?

Comment 7 Gunnar Wrobel (RETIRED) gentoo-dev 2007-10-15 04:56:40 UTC
Hrm bug #195843 is nothing I can do much about at the moment. I checked the code but it seems to be an upstream issue. 

I inquired at their forum:

http://sourceforge.net/forum/message.php?msg_id=4568637

To be honest this just looks like sloppy programming since it's a PHP warning.
Comment 8 Gunnar Wrobel (RETIRED) gentoo-dev 2007-10-15 04:57:17 UTC
(In reply to comment #6)
> with this bug, this one  http://bugs.gentoo.org/show_bug.cgi?id=183114 should
> be redundant?
> 

In principle yes, but let's see how this progresses first.
Comment 9 Gunnar Wrobel (RETIRED) gentoo-dev 2007-10-15 07:56:28 UTC
Hm bug #195843 got closed again. Security please advise: Should we continue stabilization or wait one week to see if there are further reports? I tend toward waiting since it's XSS but on the other hand the app is stable on many archs.
Comment 10 Robert Buchholz (RETIRED) gentoo-dev 2007-10-15 22:49:44 UTC
(In reply to comment #9)
> Hm bug #195843 got closed again. Security please advise: Should we continue
> stabilization or wait one week to see if there are further reports? I tend to
> waiting since it's XSS but on the other hand the app is stable on many archs.

2.11.1.1 was released today, including the security fix. If the source is identical to our release plus patch, we can stable that. Otherwise, we should just bump it to the latest release.
Since no one was able to reproduce this issue anymore, it might be related to outdated caches?

Upstream advisory:
http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2007-5
Comment 11 Gunnar Wrobel (RETIRED) gentoo-dev 2007-10-16 08:00:26 UTC
(In reply to comment #10)
> (In reply to comment #9)
> > Hm bug #195843 got closed again. Security please advise: Should we continue
> > stabilization or wait one week to see if there are further reports? I tend to
> > waiting since it's XSS but on the other hand the app is stable on many archs.
> 
> 2.11.1.1 was released today, including the security fix. If the source is
> identical to our release plus patch, we can stable that. Otherwise, we should
> just bump it to the latest release.

Bumped it even though 2.11.1.1 probably does not contain more than the fix. In any case I think it will be less confusing to the user if we release 2.11.1.1.

Please mark the new version stable then. 

> Since no one was able to reproduce this issue anymore, it might be related to
> outdated caches?
> 
> Upstream advisory:
> http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2007-5
> 

Comment 12 Robert Buchholz (RETIRED) gentoo-dev 2007-10-16 11:03:50 UTC
Arches, please test and mark stable dev-db/phpmyadmin-2.11.1.1
Target keywords are: "alpha amd64 hppa ppc ppc64 sparc x86"
Comment 13 Markus Rothe (RETIRED) gentoo-dev 2007-10-16 14:44:54 UTC
ppc64 stable
Comment 14 Jeroen Roovers (RETIRED) gentoo-dev 2007-10-16 15:23:08 UTC
Stable for HPPA.
Comment 15 Dawid Węgliński (RETIRED) gentoo-dev 2007-10-16 20:16:34 UTC
Finally stable on x86 ;)
Comment 16 Gunnar Wrobel (RETIRED) gentoo-dev 2007-10-18 05:16:26 UTC
phpmyadmin managed to release a second sec fix. So forget about 2.11.1.1 and move to 2.11.1.2 (bug #196237).

Removing all arches that need to mark 2.11.1.2 stable and webapps here. Leaving open for security since I don't know if there is anything left you still have to do.
Comment 17 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-10-22 20:24:01 UTC
Non-persistent XSS. Only vulnerable with IE6 and not in its default conf. I vote noglsa.
Comment 18 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-10-22 20:40:53 UTC
Voting NO.

This one should be closed as soon as alpha and sparc stable 2.11.1.2
Comment 19 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-10-25 18:51:33 UTC
This one can be closed now as well.