196237 2007-10-18 01:40 0000 dev-db/phpmyadmin < 2.11.1.2 "server_status.php" Cross-Site Scripting (CVE-2007-5589) 2007-10-25 18:50:48 0000 1 1 1 Unclassified Gentoo Security Vulnerabilities unspecified All Linux RESOLVED FIXED http://www.digitrustgroup.com/advisories/TDG-advisory071015a.html B4 [noglsa] P2 minor --- 195707 1 che_guevara_3@bk.ru security@gentoo.org boss.gentoo@bosso.org mysql-bugs@gentoo.org che_guevara_3@bk.ru 2007-10-18 01:40:07 0000 2.11.1.2 is now released to fix this vulnerability and some other bugs. More information about the problem at http://www.digitrustgroup.com/advisories/TDG-advisory071015a.html The exact fix: http://phpmyadmin.svn.sourceforge.net/viewvc/phpmyadmin/trunk/phpMyAdmin/server_status.php?r1=10704&r2=10797&view=patch Reproducible: Always Steps to Reproduce: che_guevara_3@bk.ru 2007-10-18 01:49:31 0000 Sorry for the noise, but to correct myself, it wasn't only server_status.php that the phpMyAdmin team fixed up, it was some other files as you can see at http://phpmyadmin.svn.sourceforge.net/viewvc/phpmyadmin?view=rev&revision=10796 Added mysql and webapp to CC wrobel@gentoo.org 2007-10-18 05:13:26 0000 Phew... phpmyadmin-2.11.1.2 in CVS You know the drill... Targets: alpha amd64 hppa ppc ppc64 sparc x86 jer@gentoo.org 2007-10-18 16:53:59 0000 Stable for HPPA. dertobi123@gentoo.org 2007-10-18 17:21:10 0000 ppc stable corsair@gentoo.org 2007-10-18 18:01:29 0000 ppc64 stable jurek@gentoo.org 2007-10-20 22:15:33 0000 x86 stable rbu@gentoo.org 2007-10-20 23:58:52 0000 CVE-2007-5589 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-5589): Muliple cross-site scripting (XSS) vulnerabilities in phpMyAdmin before 2.11.1.2 allow remote attackers to inject arbitrary web script or HTML via certain input available in (1) PHP_SELF in (a) server_status.php, and (b) grab_globals.lib.php, (c) display_change_password.lib.php, and (d) common.lib.php in libraries/; and certain input available in PHP_SELF and (2) PATH_INFO in libraries/common.inc.php. NOTE: there might also be other vectors related to (3) REQUEST_URI. beandog@gentoo.org 2007-10-21 15:27:06 0000 amd64 stable jmbsvicetto@gentoo.org 2007-10-21 23:08:01 0000 dev-db/phpmyadmin-2.11.1.2 1. Emerges on SPARC64. 2. No collisions. 3. Package includes no tests 4. After struggling with the package for a long time to get the config working, the file must be on /var/www/<hostname>/htdocs/phpmyadmin/config.inc.php and not .../phpmyadmin/config/config.inc.php, it worked fine. I've created a few tables, through the wizard and with sql commands, changed column definitions searched for data, browsed the tables and dropped a table. emerge --info: Portage 2.1.3.9 (default-linux/sparc/sparc64/2007.0, gcc-4.1.2, glibc-2.6.1-r0, 2.6.17-gentoo-r8 sparc64) ================================================================= System uname: 2.6.17-gentoo-r8 sparc64 sun4u Timestamp of tree: Sat, 20 Oct 2007 11:50:01 +0000 app-shells/bash: 3.2_p17 dev-lang/python: 2.4.4-r5 dev-python/pycrypto: 2.0.1-r6 sys-apps/baselayout: 1.12.9-r2 sys-apps/sandbox: 1.2.17 sys-devel/autoconf: 2.13, 2.61-r1 sys-devel/automake: 1.7.9-r1, 1.10 sys-devel/binutils: 2.18-r1 sys-devel/gcc-config: 1.3.16 sys-devel/libtool: 1.5.24 virtual/os-headers: 2.6.22-r2 ACCEPT_KEYWORDS="sparc" CBUILD="sparc-unknown-linux-gnu" CFLAGS="-O2 -mcpu=ultrasparc3 -pipe" CHOST="sparc-unknown-linux-gnu" CONFIG_PROTECT="/etc /var/bind" CONFIG_PROTECT_MASK="/etc/env.d /etc/gconf /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/terminfo /etc/udev/rules.d" CXXFLAGS="-O2 -mcpu=ultrasparc3 -pipe" DISTDIR="/usr/portage/distfiles" FEATURES="collision-protection distlocks metadata-transfer parallel-fetch sandbox sfperms strict test unmerge-orphans userfetch" GENTOO_MIRRORS="http://ftp.belnet.be/mirror/rsync.gentoo.org/gentoo/ ftp://ftp.gentoo-pt.org/pub/gentoo ftp://mirrors1.netvisao.pt/gentoo/ http://trumpetti.tut.atm.fi/gentoo" MAKEOPTS="-j2" PKGDIR="/usr/portage/packages" PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --filter=H_**/files/digest-*" PORTAGE_TMPDIR="/var/tmp" PORTDIR="/usr/portage" PORTDIR_OVERLAY="/usr/local/portage" SYNC="rsync://atl64.acores.pt/gentoo-portage" USE="bitmap-fonts cli cracklib crypt cups dri fortran gdbm gpm iconv isdnlog midi mudflap nls nptl nptlonly openmp pam pcre ppds pppd reflection session sparc spl tcpd test truetype-fonts type1-fonts unicode vhosts xorg" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route share shm softvol" ELIBC="glibc" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" USERLAND="GNU" VIDEO_CARDS="dummy fbdev glint mach64 mga r128 radeon sunbw2 suncg14 suncg3 suncg6 sunffb sunleo tdfx v4l voodoo" Unset: CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, LINGUAS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS yoswink@gentoo.org 2007-10-24 08:22:07 0000 Stable on sparc. In alpha we are having some weird problems with mysql, so please give as a couple of days to see if can fix them first. Drop me a comment if this bug is *really* urgent. yoswink@gentoo.org 2007-10-24 18:05:56 0000 Stable in alpha. Our problem with mysql seems to be kernel related so phpmyadmin doesn't have anything to do with it. Sorry for the delay. @security: we are the last arch, ready for you. rbu@gentoo.org 2007-10-24 22:25:32 0000 Welcome to the polling booth - It's a vote! jaervosz@gentoo.org 2007-10-25 06:35:24 0000 Oh, a vote here as well:) I tend to vote YES. wrobel@gentoo.org 2007-10-25 06:58:02 0000 The insecure versions were removed from the tree. webapps is done here. py@gentoo.org 2007-10-25 07:39:25 0000 (In reply to comment #13) > Oh, a vote here as well:) I tend to vote YES. > Huh? yes for a simple xss? Is there a specific reason? We got at least one vuln like this every week on a random web-app, and generally speaking we don't release glsas for just an xss... So voting NO unless you explain me why we should have a glsa for that :) jaervosz@gentoo.org 2007-10-25 18:50:48 0000 I just had to be a bit positive:) Everyone here in .dk tend to vote NO whenever they get the chance and without any specific reason. TBH you're absolutely correct so I'm reversing to full NO and closing.