Bug 250752 - dev-db/phpmyadmin <2.11.9.4 and <3.1.1.0 Cross-Site Request Forgery Vulnerability (CVE-2008-{5621,5622})
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
URL: http://www.phpmyadmin.net/home_page/s...
Whiteboard: B4 [glsa]
Keywords:
: CVE-2008-5621
Depends on:
Blocks:
 
Reported: 2008-12-12 19:43 UTC by Bruno Buss
Modified: 2009-03-18 22:32 UTC

See Also:
Package list:
Runtime testing required: ---


Description Bruno Buss 2008-12-12 19:43:35 UTC
Description:
A logged-in user can be the subject of SQL injection through cross-site request forgery. Several scripts in phpMyAdmin are vulnerable, and the attack can be made through the table parameter.

Also from Secunia:
http://secunia.com/Advisories/33076/
Comment 1 Tobias Heinlein (RETIRED) gentoo-dev 2008-12-12 21:13:01 UTC
Thanks for the report.

Web-apps, please bump.
Comment 2 stupendoussteve 2008-12-17 15:20:36 UTC
*** Bug 251281 has been marked as a duplicate of this bug. ***
Comment 3 stupendoussteve 2008-12-17 15:23:11 UTC
This is now assigned CVE-2008-5621 and CVE-2008-5622, if someone would like to update the description and alias. Also, CVE-2008-5621 says it is possible to execute arbitrary code; it may be grounds for changing the severity.


CVE-2008-5621: Cross-site request forgery (CSRF) vulnerability in phpMyAdmin
2.11.x before 2.11.9.4 and 3.x before 3.1.1.0 allows remote attackers to
perform unauthorized actions as the administrator via a link or IMG tag to
tbl_structure.php with a modified table parameter. NOTE: this can be leveraged
to conduct SQL injection attacks and execute arbitrary code.

CVE-2008-5622: Multiple cross-site request forgery (CSRF) vulnerabilities in
phpMyAdmin 2.11.x before 2.11.9.4 and 3.x before 3.1.1.0 allow remote attackers
to conduct SQL injection attacks via unknown vectors related to the table
parameter, a different vector than CVE-2008-5621.
Comment 4 Robert Buchholz (RETIRED) gentoo-dev 2008-12-17 16:11:58 UTC
CVE-2008-5621 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5621):
  Cross-site request forgery (CSRF) vulnerability in phpMyAdmin 2.11.x
  before 2.11.9.4 and 3.x before 3.1.1.0 allows remote attackers to
  perform unauthorized actions as the administrator via a link or IMG
  tag to tbl_structure.php with a modified table parameter.  NOTE: this
  can be leveraged to conduct SQL injection attacks and execute
  arbitrary code.

CVE-2008-5622 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5622):
  Multiple cross-site request forgery (CSRF) vulnerabilities in
  phpMyAdmin 2.11.x before 2.11.9.4 and 3.x before 3.1.1.0 allow remote
  attackers to conduct SQL injection attacks via unknown vectors
  related to the table parameter, a different vector than CVE-2008-5621.

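The description and the CVE text quoted in comments 3 and 4 give the shape of the bug: a request to tbl_structure.php carrying a crafted table parameter can be triggered cross-site by a link or IMG tag, and the parameter reaches SQL. The following is an added example and is not phpMyAdmin's code or anything taken from this bug; it models a hypothetical handler with that shape, next to a hardened version with the two checks such a fix needs. The function names, the SHOW COLUMNS statement, the token scheme and the sample requests are all assumptions made here for illustration.

```php
<?php
declare(strict_types=1);

// Added example, not phpMyAdmin's code. It models the shape of a handler such as
// tbl_structure.php: a `table` query parameter is used to build a SQL statement.
// Function names, the SHOW COLUMNS query and the sample inputs are assumptions
// made here for illustration.

/** Hypothetical vulnerable handler: no CSRF token, identifier interpolated as-is. */
function buildStructureQueryVulnerable(array $get): string
{
    // Nothing ties the request to a form the app itself rendered, so any page the
    // logged-in admin visits can trigger it with <img src="...?table=...">, and a
    // backtick inside $table ends the quoted identifier early.
    $table = $get['table'] ?? '';
    return "SHOW COLUMNS FROM `$table`";
}

/** Issue (or reuse) a per-session anti-CSRF token. */
function issueToken(array &$session): string
{
    if (!isset($session['token'])) {
        $session['token'] = bin2hex(random_bytes(32));
    }
    return $session['token'];
}

/** Hardened handler: requires the session token and a plain identifier. */
function buildStructureQueryHardened(array $request, array $session): string
{
    // CSRF: the token is only known to pages this app served to this session, so
    // a link or <img> planted on another site cannot supply it.
    $sent = $request['token'] ?? null;
    if (!isset($session['token']) || !is_string($sent)
        || !hash_equals($session['token'], $sent)) {
        throw new RuntimeException('missing or invalid CSRF token');
    }

    // SQL injection: accept only a plain identifier (the shape every legitimate
    // table name has), then quote it. The whitelist is what makes the quoting safe.
    $table = $request['table'] ?? null;
    if (!is_string($table) || !preg_match('/\A[A-Za-z0-9_]{1,64}\z/', $table)) {
        throw new InvalidArgumentException('invalid table name');
    }
    return "SHOW COLUMNS FROM `$table`";
}

// --- Constructed requests (not taken from the advisory) ---
$session = [];
$token = issueToken($session);

$legitimate = ['table' => 'users', 'token' => $token];
// What a cross-site <img> could send: no token, and a value that breaks out of
// the backticks so whatever follows is parsed as SQL.
$forged = ['table' => 'users` WHERE 1=1 -- '];

echo "vulnerable, forged:   ", buildStructureQueryVulnerable($forged), PHP_EOL;
echo "hardened, legitimate: ", buildStructureQueryHardened($legitimate, $session), PHP_EOL;

$rejected = [
    'forged, no token'       => $forged,
    'valid token, bad table' => ['table' => $forged['table'], 'token' => $token],
];
foreach ($rejected as $label => $request) {
    try {
        buildStructureQueryHardened($request, $session);
        echo "hardened, $label: ACCEPTED (unexpected)", PHP_EOL;
    } catch (Throwable $e) {
        echo "hardened, $label: rejected (", $e->getMessage(), ")", PHP_EOL;
    }
}
```

Run it with `php example.php`; no database is needed because the functions return the statement they would execute rather than running it. The two checks are deliberately independent: the token stops a link or IMG tag on another site from triggering the request at all, while the identifier whitelist stops the injection for anyone who does hold a valid session, so fixing only one of them would leave the other half of the bug in place. Since a link or IMG tag issues a GET, a real handler that changes state should additionally refuse anything but POST; that is left out above to keep the example to the two checks the advisory text implies.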
Comment 5 Gunnar Wrobel (RETIRED) gentoo-dev 2008-12-28 20:52:07 UTC
dev-db/phpmyadmin-{2.11.9.4,3.1.1} are in the tree.

Targets for 2.11.9.4:

  alpha amd64 hppa ppc ppc64 sparc x86
Comment 6 Tobias Scherbaum (RETIRED) gentoo-dev 2008-12-29 18:23:50 UTC
ppc stable
Comment 7 Brent Baude (RETIRED) gentoo-dev 2008-12-30 15:03:46 UTC
ppc64 done
Comment 8 Friedrich Oslage (RETIRED) gentoo-dev 2008-12-30 20:26:29 UTC
sparc stable
Comment 9 Tobias Heinlein (RETIRED) gentoo-dev 2009-01-02 00:44:07 UTC
amd64 stable
Comment 10 Tobias Heinlein (RETIRED) gentoo-dev 2009-01-02 10:54:39 UTC
Removing amd64 and adding alpha back to CC. Thanks hparker.
Comment 11 Jeroen Roovers (RETIRED) gentoo-dev 2009-01-02 18:38:08 UTC
(In reply to comment #5)
> dev-db/phpmyadmin-{2.11.9.4,3.1.1} are in the tree.
> 
> Targets for 2.11.9.4:
> 
>   alpha amd64 hppa ppc ppc64 sparc x86

Please describe stabilisation targets as category/package-version-revision atoms - combining all the pieces is messy and error prone.

Stable for HPPA:
 =dev-db/phpmyadmin-2.11.9.4
Comment 12 Markus Meier gentoo-dev 2009-01-03 20:58:45 UTC
x86 stable
Comment 13 Raúl Porcel (RETIRED) gentoo-dev 2009-01-05 17:30:42 UTC
alpha stable
Comment 14 Tobias Heinlein (RETIRED) gentoo-dev 2009-01-05 18:43:04 UTC
GLSA request already in due to bug 237781 and some others.
Comment 15 Pierre-Yves Rofes (RETIRED) gentoo-dev 2009-03-18 22:32:20 UTC
GLSA 200903-32