Bug 83190 - dev-db/phpmyadmin: Local File Inclusion and Cross-Site Scripting
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All All
Importance: High major
Assignee: Gentoo Security
Whiteboard: B1 [glsa] jaervosz
Duplicates: 83590
Depends on: 83792
Reported: 2005-02-24 07:22 UTC by Aarni Honka
Modified: 2005-06-26 05:59 UTC

Description Aarni Honka 2005-02-24 07:22:51 UTC
TITLE:
phpMyAdmin Local File Inclusion and Cross-Site Scripting

SECUNIA ADVISORY ID:
SA14382

VERIFY ADVISORY:
http://secunia.com/advisories/14382/

CRITICAL:
Moderately critical

IMPACT:
Cross Site Scripting, Exposure of sensitive information

WHERE:
From remote

SOFTWARE:
phpMyAdmin 2.x
http://secunia.com/product/1720/
phpMyAdmin 1.x
http://secunia.com/product/1719/

DESCRIPTION:
Maksymilian Arciemowicz has reported some vulnerabilities in
phpMyAdmin, which can be exploited by malicious people to conduct
cross-site scripting attacks and disclose sensitive information.

1) Input passed to the "strServer", "cfg[BgcolorOne]", and
"strServerChoice" parameters in "select_server.lib.php", the
"bgcolor" and "row_no" parameters in "display_tbl_links.lib.php", the
"left_font_family" parameter in "theme_left.css.php", and the
"right_font_family" parameter in "theme_right.css.php" is not
properly sanitised before being returned to users. This can be
exploited to execute arbitrary HTML and script code in a user's
browser session in context of an affected site.

Successful exploitation requires that "register_globals" is enabled.

2) Input passed to the "GLOBALS[cfg][ThemePath]" parameter in
"phpmyadmin.css.php" and "cfg[Server][extension]" parameter in
"database_interface.lib.php" is not properly verified before being
used to include files. This can be exploited to include arbitrary
files from local resources.

Successful exploitation requires that "register_globals" is enabled
and that "magic_quotes_gpc" is disabled.

The vulnerabilities have been reported in version 2.6.1. Other
versions may also be affected.

It is also possible to disclose the full path to certain scripts by
accessing them directly.

SOLUTION:
Update to version 2.6.1-pl1.
http://sourceforge.net/project/showfiles.php?group_id=23067

PROVIDED AND/OR DISCOVERED BY:
Maksymilian Arciemowicz

ORIGINAL ADVISORY:
http://sourceforge.net/tracker/index.php?func=detail&aid=1149383&group_id=23067&atid=377408
http://sourceforge.net/tracker/index.php?func=detail&aid=1149381&group_id=23067&atid=377408
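
Added example, not part of the bug report or of phpMyAdmin: a log check that flags requests supplying any of the parameters the advisory names to the script it names them for. The log format (common/combined access log), the `/pma/` path, the `lang=en` parameter and the sample lines are constructed assumptions; the idea that these names have no business arriving in a query string is also an assumption of this example.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Script basename -> request parameters named in the advisory above.
WATCHED = {
    "select_server.lib.php": {"strServer", "cfg[BgcolorOne]", "strServerChoice"},
    "display_tbl_links.lib.php": {"bgcolor", "row_no"},
    "theme_left.css.php": {"left_font_family"},
    "theme_right.css.php": {"right_font_family"},
    "phpmyadmin.css.php": {"GLOBALS[cfg][ThemePath]"},
    "database_interface.lib.php": {"cfg[Server][extension]"},
}

# Request line of a common/combined-format access log entry (assumed format).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')


def flag_requests(lines):
    """Return (line_number, script, sorted parameter names) for each hit."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        url = urlsplit(match.group(1))
        script = url.path.rsplit("/", 1)[-1]
        watched = WATCHED.get(script)
        if not watched:
            continue
        # parse_qsl percent-decodes names, so cfg%5BBgcolorOne%5D also matches.
        names = {name for name, _ in parse_qsl(url.query, keep_blank_values=True)}
        found = sorted(names & watched)
        if found:
            hits.append((number, script, found))
    return hits


# Constructed sample log lines (documentation addresses, placeholder values).
SAMPLE_LOG = [
    '192.0.2.10 - - [24/Feb/2005:07:30:01 +0000] "GET /pma/index.php HTTP/1.1" 200 5120',
    '192.0.2.44 - - [24/Feb/2005:07:31:12 +0000] "GET /pma/select_server.lib.php?strServer=PLACEHOLDER HTTP/1.1" 200 311',
    '192.0.2.44 - - [24/Feb/2005:07:31:15 +0000] "GET /pma/phpmyadmin.css.php?GLOBALS%5Bcfg%5D%5BThemePath%5D=PLACEHOLDER HTTP/1.1" 200 97',
    '192.0.2.10 - - [24/Feb/2005:07:32:40 +0000] "GET /pma/theme_left.css.php?lang=en HTTP/1.1" 200 2048',
]
```

An access log records only the query string; with "register_globals" enabled the same names can also arrive in a POST body or a cookie, which this check does not see.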
Comment 1 Luke Macken (RETIRED) gentoo-dev 2005-02-24 08:40:54 UTC
twp, please bump.
Comment 2 Andreas Korthaus 2005-02-24 18:00:35 UTC
"phpMyAdmin 2.6.1-pl2 is released

We are sorry to report that the release of 2.6.1-pl1 introduced an instability, producing various problems. This has been fixed, and here is 2.6.1-pl2." 

http://www.phpmyadmin.net/home_page/
Comment 3 Martin Holzer (RETIRED) gentoo-dev 2005-02-27 02:59:24 UTC
2.6.1-pl2 is in cvs now
Comment 4 Matthias Geerdsen (RETIRED) gentoo-dev 2005-02-27 06:51:40 UTC
arches, pls test and mark phpmyadmin-2.6.1_p2 stable

current KEYWORDS="~alpha ~ppc ~hppa ~sparc ~x86 ~amd64 ~mips"
target KEYWORDS="alpha ppc hppa sparc x86 amd64 ~mips"

_____

http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2005-1
http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2005-2
Comment 5 Jason Wever (RETIRED) gentoo-dev 2005-02-27 09:34:35 UTC
Stable on sparc.
Comment 6 Olivier Crete (RETIRED) gentoo-dev 2005-02-28 13:06:26 UTC
x86 stable
Comment 7 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev 2005-02-28 13:32:05 UTC
Stable on ppc.
Comment 8 Simon Stelling (RETIRED) gentoo-dev 2005-02-28 13:56:53 UTC
amd64 done
Comment 9 Thierry Carrez (RETIRED) gentoo-dev 2005-03-01 03:09:56 UTC
*** Bug 83590 has been marked as a duplicate of this bug. ***
Comment 10 Bryan Østergaard (RETIRED) gentoo-dev 2005-03-01 10:24:30 UTC
Stable on alpha.
Comment 11 Thierry Carrez (RETIRED) gentoo-dev 2005-03-01 10:31:20 UTC
GLSA vote please
Comment 12 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-03-01 11:52:49 UTC
I vote YES. We already released a GLSA 200411-36 for a similar issue.
Comment 13 Thierry Carrez (RETIRED) gentoo-dev 2005-03-02 01:32:42 UTC
OK I agree, GLSA there will be
Comment 14 Thierry Carrez (RETIRED) gentoo-dev 2005-03-02 13:37:19 UTC
Apparently this allows remote PHP file inclusion on some setups.
Comment 15 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-03-03 14:26:47 UTC
GLSA 200503-07
Comment 16 René Nussbaumer (RETIRED) gentoo-dev 2005-06-26 05:59:25 UTC
ebuild no longer in portage.