Bug 195707 - dev-db/phpmyadmin < 2.11.1.1 "setup.php" Cross-Site Scripting Vulnerability (CVE-2007-5386)
Bug#: 195707 Product:  Gentoo Security Version: unspecified Platform: All
OS/Version: Linux Status: RESOLVED Severity: minor Priority: P2
Resolution: FIXED Assigned To: security@gentoo.org Reported By: keytoaster@gentoo.org
Component: Vulnerabilities
URL:  http://secunia.com/advisories/27173/
Summary: dev-db/phpmyadmin < 2.11.1.1 "setup.php" Cross-Site Scripting Vulnerability (CVE-2007-5386)
Keywords:  
Status Whiteboard: B4 [noglsa]
Opened: 2007-10-13 15:37 0000
Description:   Opened: 2007-10-13 15:37 0000 
Omer Singer has reported a vulnerability in phpMyAdmin, which can be exploited
by malicious people to conduct cross-site scripting attacks.

Input passed via the URL is not properly sanitised before being returned to the
user. This can be exploited to execute arbitrary HTML and script code in a
user's browser session in context of an affected site.

Successful exploitation requires that the user is running a browser that has
not URL-encoded the request (e.g. Internet Explorer 6).

The vulnerability is reported in version 2.11.1. Other versions may also be
affected.

Solution:
Fixed in the SVN repository.

------- Comment #1 From Tobias Heinlein 2007-10-13 15:40:26 0000 ------- 
Maintainers, please provide an updated ebuild.

------- Comment #2 From Gunnar Wrobel 2007-10-14 06:32:19 0000 ------- 
phpmyadmin-2.11.1 is in the tree including the patch for the issue.

Target archs: alpha amd64 hppa ppc ppc64 sparc x86

------- Comment #3 From Dawid Węgliński 2007-10-14 12:06:10 0000 ------- 
Stable on x86

------- Comment #4 From Jakub Moc (RETIRED) 2007-10-14 14:15:43 0000 ------- 
Err, wait, the thing is borked (Bug 195843).

------- Comment #5 From Christian Faulhammer 2007-10-14 18:26:23 0000 ------- 
I reverted stable x86 KEYWORD back to ~x86

------- Comment #6 From ScytheMan 2007-10-14 20:06:13 0000 ------- 
with this bug, this one  http://bugs.gentoo.org/show_bug.cgi?id=183114 should
be redundant?

------- Comment #7 From Gunnar Wrobel 2007-10-15 04:56:40 0000 ------- 
Hrm bug #195843 is nothing I can do much about at the moment. I checked the
code but it seems to be an upstream issue. 

I inquired at their forum:

http://sourceforge.net/forum/message.php?msg_id=4568637

To be honest this just looks like sloppy programming since its a php warning.

------- Comment #8 From Gunnar Wrobel 2007-10-15 04:57:17 0000 ------- 
(In reply to comment #6)
> with this bug, this one  http://bugs.gentoo.org/show_bug.cgi?id=183114 should
> be redundant?
> 

in principle yes, but lets see how this progresses first.

------- Comment #9 From Gunnar Wrobel 2007-10-15 07:56:28 0000 ------- 
Hm bug #195843 got closed again. Security please advise: Should we continue
stabilization or wait one week to see if there are further reports? I tend to
waiting since it's XSS but on the other hand the app is stable on many archs.

------- Comment #10 From Robert Buchholz 2007-10-15 22:49:44 0000 ------- 
(In reply to comment #9)
> Hm bug #195843 got closed again. Security please advise: Should we continue
> stabilization or wait one week to see if there are further reports? I tend to
> waiting since it's XSS but on the other hand the app is stable on many archs.

2.11.1.1 was released today, including the security fix. If the source is
identical to our release plus patch, we can stable that. Otherwise, we should
just bump it to the latest release.
Since no one was able to reproduce this issue anymore, it might be related to
outdated caches?

Upstream advisory:
http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2007-5

------- Comment #11 From Gunnar Wrobel 2007-10-16 08:00:26 0000 ------- 
(In reply to comment #10)
> (In reply to comment #9)
> > Hm bug #195843 got closed again. Security please advise: Should we continue
> > stabilization or wait one week to see if there are further reports? I tend to
> > waiting since it's XSS but on the other hand the app is stable on many archs.
> 
> 2.11.1.1 was released today, including the security fix. If the source is
> identical to our release plus patch, we can stable that. Otherwise, we should
> just bump it to the latest release.

Bumped it even though 2.11.1.1 probably does not contain more than the fix. In
any case I think it will be less confusing to the user if we release 2.11.1.1

Please mark the new version stable then. 

> Since no one was able to reproduce this issue anymore, it might be related to
> outdated caches?
> 
> Upstream advisory:
> http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2007-5
>

------- Comment #12 From Robert Buchholz 2007-10-16 11:03:50 0000 ------- 
Arches, please test and mark stable dev-db/phpmyadmin-2.11.1.1
Target keywords are: "alpha amd64 hppa ppc ppc64 sparc x86"

------- Comment #13 From Markus Rothe 2007-10-16 14:44:54 0000 ------- 
ppc64 stable

------- Comment #14 From Jeroen Roovers 2007-10-16 15:23:08 0000 ------- 
Stable for HPPA.

------- Comment #15 From Dawid Węgliński 2007-10-16 20:16:34 0000 ------- 
Finally stable on x86 ;)

------- Comment #16 From Gunnar Wrobel 2007-10-18 05:16:26 0000 ------- 
phpmyadmin managed to release a second sec fix. So forget about 2.11.1.1 and
move to 2.11.1.2 (bug #196237).

Removing all arches that need to mark 2.11.1.2 stable and webapps here. Leaving
open for security since I don't know if there is anything left you still have
to do.

------- Comment #17 From Raphael Marichez 2007-10-22 20:24:01 0000 ------- 
non-persistent XSS. Only vulnerable with IE6 and not in its default conf. I
vote noglsa.

------- Comment #18 From Sune Kloppenborg Jeppesen 2007-10-22 20:40:53 0000 ------- 
Voting NO.

This one should be closed as soon as alpha and sparc stable 2.11.1.2

------- Comment #19 From Sune Kloppenborg Jeppesen 2007-10-25 18:51:33 0000 ------- 
This one can be closed now as well.