Bug 263711 (CVE-2009-1148) - <dev-db/phpmyadmin-{2.11.9.5, 3.2.0}: Multiple vulnerabilities (CVE-2009-{1148,1149,1150,1151})
Status: RESOLVED FIXED
Alias: CVE-2009-1148
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All All
Importance: High major
Assignee: Gentoo Security
URL: http://sourceforge.net/mailarchive/fo...
Whiteboard: B1 [glsa]
Reported: 2009-03-25 10:23 UTC by Alex Legler (RETIRED)
Modified: 2009-07-10 13:37 UTC (History)



Attachments
Updated phpmyadmin-2.11.9.5 ebuild (phpmyadmin-2.11.9.5.ebuild,1.60 KB, text/plain)
2009-03-27 20:00 UTC, Chris Frage

Description Alex Legler (RETIRED) archtester gentoo-dev Security 2009-03-25 10:23:24 UTC
PMASA-2009-1 (version 3 only)
HTTP Response Splitting and file inclusion vulnerability

Description:
The BLOB streaming feature allowed an attacker to include arbitrary files and inject HTTP headers using crafted URL parameters.

PMASA-2009-2 (version 2 and 3)
Cross-site scripting on export page using cookies

Description:
The export page uses cookies to remember user settings of the file name template. These cookies could be used for cross-site scripting because they were not sanitized sufficiently.
 
PMASA-2009-3 (version 2 and 3)
Insufficient output sanitizing when generating configuration file

Description:
The setup script used to generate the configuration can be fooled using a crafted POST request to include arbitrary PHP code in the generated configuration file.
Comment 1 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-03-26 17:47:53 UTC
CVE-2009-1148 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1148):
  Directory traversal vulnerability in bs_disp_as_mime_type.php in the
  BLOB streaming feature in phpMyAdmin before 3.1.3.1 allows remote
  attackers to read arbitrary files via directory traversal sequences
  in the file_path parameter ($filename variable).

CVE-2009-1149 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1149):
  CRLF injection vulnerability in bs_disp_as_mime_type.php in the BLOB
  streaming feature in phpMyAdmin before 3.1.3.1 allows remote
  attackers to inject arbitrary HTTP headers and conduct HTTP response
  splitting attacks via the (1) c_type and possibly (2) file_type
  parameters.

CVE-2009-1150 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1150):
  Multiple cross-site scripting (XSS) vulnerabilities in the export
  page (display_export.lib.php) in phpMyAdmin 2.11.x before 2.11.9.5
  and 3.x before 3.1.3.1 allow remote attackers to inject arbitrary web
  script or HTML via the pma_db_filename_template cookie.

CVE-2009-1151 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1151):
  Static code injection vulnerability in setup.php in phpMyAdmin 2.11.x
  before 2.11.9.5 and 3.x before 3.1.3.1 allows remote attackers to
  inject arbitrary PHP code into a configuration file via the save
  action.
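
A log check for the two BLOB-streaming issues listed above (CVE-2009-1148 and CVE-2009-1149), added here as an example and not part of the bug report or of phpMyAdmin: it flags requests to bs_disp_as_mime_type.php whose file_path contains a ".." path segment, or whose c_type/file_type decodes to CR or LF. The log lines, the /phpmyadmin/ prefix and the function names are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed access-log lines (common log format); not taken from the bug.
SAMPLE_LOG = [
    '192.0.2.10 - - [26/Mar/2009:10:00:01 +0000] "GET /phpmyadmin/index.php?db=test HTTP/1.1" 200 5120',
    '192.0.2.44 - - [26/Mar/2009:10:00:07 +0000] "GET /phpmyadmin/bs_disp_as_mime_type.php'
    '?file_path=..%2F..%2Fexample.txt&c_type=text%2Fplain HTTP/1.1" 200 812',
    '192.0.2.44 - - [26/Mar/2009:10:00:09 +0000] "GET /phpmyadmin/bs_disp_as_mime_type.php'
    '?file_path=blob.bin&c_type=text%2Fplain%0D%0AX-Test%3A%201 HTTP/1.1" 200 64',
    '192.0.2.10 - - [26/Mar/2009:10:00:12 +0000] "GET /phpmyadmin/bs_disp_as_mime_type.php'
    '?file_path=blob.bin&c_type=image%2Fpng HTTP/1.1" 200 2048',
]

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
TARGET = "bs_disp_as_mime_type.php"      # script named in both CVE entries
HEADER_PARAMS = {"c_type", "file_type"}  # parameters named in CVE-2009-1149

def fully_decode(value, rounds=3):
    """Undo repeated percent-encoding (e.g. %252F) before inspecting a value."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(line):
    """Return the CVE ids whose request pattern this log line matches."""
    match = REQUEST_RE.search(line)
    if not match:
        return []
    url = urlsplit(match.group(1))
    if not url.path.endswith("/" + TARGET):
        return []
    findings = []
    for name, value in parse_qsl(url.query, keep_blank_values=True):
        value = fully_decode(value)
        # A ".." path segment in file_path is the traversal case (CVE-2009-1148).
        if name == "file_path" and ".." in re.split(r"[\\/]", value):
            findings.append("CVE-2009-1148")
        # CR or LF in a value that reaches a response header (CVE-2009-1149).
        if name in HEADER_PARAMS and re.search(r"[\r\n]", value):
            findings.append("CVE-2009-1149")
    return findings

def scan(lines):
    """Map line index -> findings, for lines that matched at least one pattern."""
    return {i: f for i, f in enumerate(map(classify, lines)) if f}
```

Only the query string is inspected, so this covers requests that appear in an access log; parameters sent in a POST body need a log source that records them.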

Comment 2 Chris Frage 2009-03-27 20:00:56 UTC
Created attachment 186477
Updated phpmyadmin-2.11.9.5 ebuild
Comment 3 Tobias Heinlein (RETIRED) gentoo-dev 2009-03-31 13:09:57 UTC
(In reply to comment #2)
> Created an attachment (id=186477)
> Updated phpmyadmin-2.11.9.5 ebuild
> 

We much appreciate your effort, but attaching an ebuild when there's no real change since the last version in the tree is confusing. Please just state "Bumping the old ebuild works" or attach a unified diff of the necessary changes.

web-apps, please bump.
Comment 4 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-06-19 14:40:36 UTC
Arches, please test and mark stable:
=dev-db/phpmyadmin-2.11.9.5
Target keywords : "alpha amd64 hppa ppc ppc64 sparc x86"


+*phpmyadmin-3.2.0 (19 Jun 2009)
+*phpmyadmin-2.11.9.5 (19 Jun 2009)
+
+  19 Jun 2009; Alex Legler <a3li@gentoo.org> +phpmyadmin-2.11.9.5.ebuild,
+  -phpmyadmin-3.1.2.ebuild, +phpmyadmin-3.2.0.ebuild:
+  Non-maintainer commit: Version bump, security bugs 263711 and 266438, bump
+  request 270877.
+
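Review bot: the entry text "Version bump, security bugs 263711 and 266438, bump request 270877" identifies the security fixes only by bug number; naming the CVE identifiers (for bug 263711, CVE-2009-1148 through CVE-2009-1151) would let a reader confirm the fix from the ChangeLog alone. The same entry drops phpmyadmin-3.1.2.ebuild without saying why; since the CVE entries above cover 3.x before 3.1.3.1, a short remark that the vulnerable version is being removed would make the intent explicit.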

Comment 5 Jeroen Roovers (RETIRED) gentoo-dev 2009-06-19 23:18:10 UTC
Stable for HPPA.
Comment 6 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-06-20 13:43:55 UTC
Fixing the rating. Arches, your karma will increase a lot if you stable this quickly. ;)
Comment 7 Tobias Heinlein (RETIRED) gentoo-dev 2009-06-20 14:15:07 UTC
amd64 stable.
Comment 8 Brent Baude (RETIRED) gentoo-dev 2009-06-21 14:01:44 UTC
ppc64 done
Comment 9 Brent Baude (RETIRED) gentoo-dev 2009-06-21 14:09:52 UTC
ppc done
Comment 10 Christian Faulhammer (RETIRED) gentoo-dev 2009-06-25 14:12:03 UTC
x86 stable, closing
Comment 11 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-06-25 14:44:33 UTC
GLSA time first.
Comment 12 Tobias Klausmann (RETIRED) gentoo-dev 2009-06-26 19:34:30 UTC
Stable on alpha.
Comment 13 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-06-29 22:40:05 UTC
GLSA 200906-03
Comment 14 Robert Buchholz (RETIRED) gentoo-dev 2009-07-02 14:45:07 UTC
This bug has not finished [stable] stage when it entered [glsa]. sparc is missing.

sparc, please stable =dev-db/phpmyadmin-2.11.9.5
Comment 15 Raúl Porcel (RETIRED) gentoo-dev 2009-07-06 17:54:50 UTC
sparc stable