Bug 196237 - dev-db/phpmyadmin < 2.11.1.2 "server_status.php" Cross-Site Scripting (CVE-2007-5589)
Bug#: 196237
Product: Gentoo Security
Version: unspecified
Platform: All
OS/Version: Linux
Status: RESOLVED
Severity: minor
Priority: P2
Resolution: FIXED
Assigned To: security@gentoo.org
Reported By: che_guevara_3@bk.ru
Component: Vulnerabilities
URL: http://www.digitrustgroup.com/advisories/TDG-advisory071015a.html
Summary: dev-db/phpmyadmin < 2.11.1.2 "server_status.php" Cross-Site Scripting (CVE-2007-5589)
Status Whiteboard: B4 [noglsa]
Opened: 2007-10-18 01:40 0000
Phew...
phpmyadmin-2.11.1.2 in CVS
You know the drill...
Targets: alpha amd64 hppa ppc ppc64 sparc x86
CVE-2007-5589 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-5589):
Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin before
2.11.1.2 allow remote attackers to inject arbitrary web script or HTML via
certain input available in (1) PHP_SELF in (a) server_status.php, and (b)
grab_globals.lib.php, (c) display_change_password.lib.php, and (d)
common.lib.php in libraries/; and certain input available in PHP_SELF and (2)
PATH_INFO in libraries/common.inc.php. NOTE: there might also be other
vectors related to (3) REQUEST_URI.
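Added example (not part of the bug report and not phpMyAdmin code): PHP_SELF normally consists of the script path followed by any extra path the client appended (PATH_INFO), which is why the CVE text treats it as attacker-influenced input. The sketch below splits logged request targets the same way and flags appended path segments that decode to HTML metacharacters; the log lines, regexes and function names are constructed for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed access-log lines (common log format); not taken from the bug report.
SAMPLE_LOG = """\
192.0.2.10 - - [18/Oct/2007:01:40:00 +0000] "GET /phpmyadmin/server_status.php HTTP/1.1" 200 5120
192.0.2.11 - - [18/Oct/2007:01:41:12 +0000] "GET /phpmyadmin/server_status.php/%22%3E%3Cb%3Etest HTTP/1.1" 200 5170
192.0.2.12 - - [18/Oct/2007:01:42:30 +0000] "GET /phpmyadmin/index.php/extra/path?db=test HTTP/1.1" 200 4096
192.0.2.13 - - [18/Oct/2007:01:43:05 +0000] "GET /phpmyadmin/sql.php?sql_query=SELECT%201 HTTP/1.1" 200 2048
"""

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
SCRIPT_RE = re.compile(r'^(.*?\.php)(/.*)?$', re.IGNORECASE)
MARKUP_CHARS = set('<>"\'')


def split_php_self(target):
    """Split a request target into (script_name, path_info), mirroring how
    PHP_SELF is composed: the script path plus whatever follows it in the URL path."""
    path = unquote(urlsplit(target).path)  # query string is not part of PHP_SELF
    m = SCRIPT_RE.match(path)
    if not m:
        return path, ""
    return m.group(1), m.group(2) or ""


def scan(log_text):
    """Return (script_name, path_info, verdict) for each request carrying PATH_INFO."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        script, path_info = split_php_self(m.group(1))
        if not path_info:
            continue  # plain script request, PHP_SELF equals the script path
        has_markup = bool(MARKUP_CHARS & set(path_info))
        verdict = "markup-in-path-info" if has_markup else "path-info-only"
        findings.append((script, path_info, verdict))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Requests flagged "markup-in-path-info" are the ones worth reviewing on installations still running a version before 2.11.1.2; "path-info-only" entries are listed for context and are not by themselves suspicious.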
dev-db/phpmyadmin-2.11.1.2
1. Emerges on SPARC64.
2. No collisions.
3. Package includes no tests.
4. After struggling with the package for a long time to get the config working,
the file must be on /var/www/<hostname>/htdocs/phpmyadmin/config.inc.php and
not .../phpmyadmin/config/config.inc.php, it worked fine.
I've created a few tables, through the wizard and with SQL commands, changed
column definitions, searched for data, browsed the tables and dropped a table.
emerge --info:
Portage 2.1.3.9 (default-linux/sparc/sparc64/2007.0, gcc-4.1.2, glibc-2.6.1-r0,
2.6.17-gentoo-r8 sparc64)
=================================================================
System uname: 2.6.17-gentoo-r8 sparc64 sun4u
Timestamp of tree: Sat, 20 Oct 2007 11:50:01 +0000
app-shells/bash: 3.2_p17
dev-lang/python: 2.4.4-r5
dev-python/pycrypto: 2.0.1-r6
sys-apps/baselayout: 1.12.9-r2
sys-apps/sandbox: 1.2.17
sys-devel/autoconf: 2.13, 2.61-r1
sys-devel/automake: 1.7.9-r1, 1.10
sys-devel/binutils: 2.18-r1
sys-devel/gcc-config: 1.3.16
sys-devel/libtool: 1.5.24
virtual/os-headers: 2.6.22-r2
ACCEPT_KEYWORDS="sparc"
CBUILD="sparc-unknown-linux-gnu"
CFLAGS="-O2 -mcpu=ultrasparc3 -pipe"
CHOST="sparc-unknown-linux-gnu"
CONFIG_PROTECT="/etc /var/bind"
CONFIG_PROTECT_MASK="/etc/env.d /etc/gconf /etc/php/apache2-php5/ext-active/
/etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild
/etc/terminfo /etc/udev/rules.d"
CXXFLAGS="-O2 -mcpu=ultrasparc3 -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="collision-protection distlocks metadata-transfer parallel-fetch
sandbox sfperms strict test unmerge-orphans userfetch"
GENTOO_MIRRORS="http://ftp.belnet.be/mirror/rsync.gentoo.org/gentoo/
ftp://ftp.gentoo-pt.org/pub/gentoo ftp://mirrors1.netvisao.pt/gentoo/
http://trumpetti.tut.atm.fi/gentoo"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress
--force --whole-file --delete --delete-after --stats --timeout=180
--exclude=/distfiles --exclude=/local --exclude=/packages
--filter=H_**/files/digest-*"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://atl64.acores.pt/gentoo-portage"
USE="bitmap-fonts cli cracklib crypt cups dri fortran gdbm gpm iconv isdnlog
midi mudflap nls nptl nptlonly openmp pam pcre ppds pppd reflection session
sparc spl tcpd test truetype-fonts type1-fonts unicode vhosts xorg"
ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file
hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route
share shm softvol" ELIBC="glibc" INPUT_DEVICES="keyboard mouse evdev"
KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001
mtxorb ncurses text" USERLAND="GNU" VIDEO_CARDS="dummy fbdev glint mach64 mga
r128 radeon sunbw2 suncg14 suncg3 suncg6 sunffb sunleo tdfx v4l voodoo"
Unset: CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, LDFLAGS,
LINGUAS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS
Stable on sparc.
In alpha we are having some weird problems with mysql, so please give us a
couple of days to see if we can fix them first.
Drop me a comment if this bug is *really* urgent.
Stable in alpha.
Our problem with mysql seems to be kernel related so phpmyadmin doesn't have
anything to do with it. Sorry for the delay.
@security: we are the last arch, ready for you.
Welcome to the polling booth - It's a vote!
Oh, a vote here as well:) I tend to vote YES.
The insecure versions were removed from the tree. webapps is done here.
(In reply to comment #13)
> Oh, a vote here as well:) I tend to vote YES.
>
Huh? Yes for a simple XSS? Is there a specific reason? We get at least one vuln
like this every week on a random web-app, and generally speaking we don't
release GLSAs for just an XSS... So voting NO unless you explain to me why we
should have a GLSA for that :)
I just had to be a bit positive :) Everyone here in .dk tends to vote NO whenever
they get the chance and without any specific reason.
TBH you're absolutely correct so I'm reversing to full NO and closing.