Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 87952 - dev-db/phpmyadmin: PMASA-2005-3 XSS vulnerability
Summary: dev-db/phpmyadmin: PMASA-2005-3 XSS vulnerability
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All All
: High normal (vote)
Assignee: Gentoo Security
URL: http://www.phpmyadmin.net/home_page/s...
Whiteboard: B4 [glsa] lewk
Keywords:
Depends on:
Blocks:
 
Reported: 2005-04-04 13:06 UTC by Luke Macken (RETIRED)
Modified: 2005-04-11 12:18 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments
phpMyAdmin 2.6.2-rc1 ebuild patch (phpmyadmin-2.6.2_rc1.ebuild.patch,419 bytes, patch)
2005-04-08 07:55 UTC, Jakub Moc (RETIRED)
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Luke Macken (RETIRED) gentoo-dev 2005-04-04 13:06:36 UTC
==========================================================
Title: phpMyAdmin Cross-site Scripting Vulnerability

Application: phpMyAdmin
Vendor: http://www.phpmyadmin.net
Vulnerable Versions: <=2.6.2-beta1
Corrected: phpMyAdmin versions after 2.6.2-beta1
Bug: Cross-site Scripting
Date: 3-Apr-2005

Author: Oriol Torrent Santiago < oriol.torrent@gmail.com >

==========================================================

1) Background
   -----------
 phpMyAdmin is a tool written in PHP intended to handle the administration
 of MySQL over the Web. Currently it can create  and drop databases,
 create/drop/alter tables, delete/edit/add fields, execute any SQL statement,
 manage keys on fields,  manage privileges,export data into various formats
 and is available in 47 languages.


2) Problem description
   --------------------

 phpMyAdmin <=2.6.2-beta1 contain a vulnerability is caused due to
 missing validation of input supplied to "convcharset" variable.

 This can be exploited to execute arbitrary HTML and script code(JavaScript,
 VBScript,etc.) in a user's browser session in context of a vulnerable site.
 It allows an attacker to use the vulnerability to compromise the phpMyAdmin
 account, cookie theft, etc.


 Ex1:
 http://host/phpmyadmin/index.php?pma_username=&pma_password=&server=1&lang=en-iso-8859-1&convcharset=\"><script>alert(document.cookie)</script>

 Ex2:
 http://host/phpmyadmin/index.php?pma_username=&pma_password=&server=1&lang=en-iso-8859-1&convcharset=\"><h1>XSS</h1>

3) Solution:
   ---------

 Vendor was contacted on the 29th of March 2005 and new version is released
  
 Download the latest version of phpMyAdmin


4) Timeline
   --------

29/03/2005  Bug discovered
29/03/2005  Vendor notified
29/03/2005  Vendor response and bug fixed
03/04/2005  New version released
03/04/2005  Advisory released
Comment 1 Luke Macken (RETIRED) gentoo-dev 2005-04-04 13:09:08 UTC
twp, please bump.
Comment 2 Jakub Moc (RETIRED) gentoo-dev 2005-04-08 07:55:51 UTC
Created attachment 55674 [details, diff]
phpMyAdmin 2.6.2-rc1 ebuild patch

Someone please bump. ;-)
Comment 3 Aaron Walker (RETIRED) gentoo-dev 2005-04-08 09:20:26 UTC
> Someone please bump. ;-)
sure.

Stable on x86. CC'd archs please stabilize.
Comment 4 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev 2005-04-08 10:24:28 UTC
Stable on ppc.
Comment 5 Bryan Østergaard (RETIRED) gentoo-dev 2005-04-08 11:32:48 UTC
Alpha stable.
Comment 6 Guy Martin (RETIRED) gentoo-dev 2005-04-08 12:26:47 UTC
Stable on hppa.
Comment 7 Gustavo Zacarias (RETIRED) gentoo-dev 2005-04-08 17:55:29 UTC
sparc stable.
Comment 8 Simon Stelling (RETIRED) gentoo-dev 2005-04-09 04:13:24 UTC
amd64 done
Comment 9 Thierry Carrez (RETIRED) gentoo-dev 2005-04-09 04:56:49 UTC
Security please vote on GLSA need
Comment 10 Thierry Carrez (RETIRED) gentoo-dev 2005-04-10 09:51:54 UTC
We issued a Low GLSA for previous XSS things in phpmyadmin (200411-36), and phpmyadmin team finds the issue serious, so I think we should do one. so YES
Comment 11 Luke Macken (RETIRED) gentoo-dev 2005-04-10 16:15:52 UTC
I vote YES as well.

2 YES votes == A GLSA will be released for this issue.
Comment 12 Luke Macken (RETIRED) gentoo-dev 2005-04-11 12:18:50 UTC
GLSA 200504-08