2.11.1.2 is now released to fix this vulnerability and some other bugs.
More information about the problem at http://www.digitrustgroup.com/advisories/TDG-advisory071015a.html
The exact fix: http://phpmyadmin.svn.sourceforge.net/viewvc/phpmyadmin/trunk/phpMyAdmin/server_status.php?r1=10704&r2=10797&view=patch

Reproducible: Always

Steps to Reproduce:
Sorry for the noise, but to correct myself, it wasn't only server_status.php that the phpMyAdmin team fixed up, it was some other files as you can see at http://phpmyadmin.svn.sourceforge.net/viewvc/phpmyadmin?view=rev&revision=10796 Added mysql and webapp to CC
Phew... phpmyadmin-2.11.1.2 in CVS You know the drill... Targets: alpha amd64 hppa ppc ppc64 sparc x86
Stable for HPPA.
ppc stable
ppc64 stable
x86 stable
CVE-2007-5589 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-5589): Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin before 2.11.1.2 allow remote attackers to inject arbitrary web script or HTML via certain input available in (1) PHP_SELF in (a) server_status.php, and (b) grab_globals.lib.php, (c) display_change_password.lib.php, and (d) common.lib.php in libraries/; and certain input available in PHP_SELF and (2) PATH_INFO in libraries/common.inc.php. NOTE: there might also be other vectors related to (3) REQUEST_URI.
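The CVE text above names PHP_SELF and PATH_INFO as the injection vectors. The example below is added here to show why those two server variables are attacker-controlled; it is not phpMyAdmin code and not the upstream fix (the linked SVN patch is the authoritative change). It assumes Apache mod_php with path info accepted, where a request for a script followed by extra path segments still executes the script and PHP sets PHP_SELF to SCRIPT_NAME plus PATH_INFO. The request values below are constructed to mimic such a request so the script runs from the CLI.

```php
<?php
// Added example, not phpMyAdmin code: a PHP_SELF/PATH_INFO reflected XSS
// in the style of CVE-2007-5589, next to a hardened rendering.
//
// Assumed environment: Apache + mod_php with path info accepted. A request for
//   /phpmyadmin/server_status.php/%22%3E%3Cscript%3Ealert(1)%3C/script%3E
// still runs server_status.php, and PHP populates
//   SCRIPT_NAME = "/phpmyadmin/server_status.php"
//   PATH_INFO   = "/\"><script>alert(1)</script>"
//   PHP_SELF    = SCRIPT_NAME . PATH_INFO
// The $server array below is constructed to stand in for $_SERVER for that request.
$server = [
    'SCRIPT_NAME' => '/phpmyadmin/server_status.php',
    'PATH_INFO'   => '/"><script>alert(1)</script>',
];
$server['PHP_SELF'] = $server['SCRIPT_NAME'] . $server['PATH_INFO'];

// Vulnerable pattern: the "current script" path is dropped into an HTML
// attribute unescaped, so the attacker's path suffix closes the attribute
// and the tag and starts a <script> element.
function render_form_vulnerable(array $server): string
{
    return '<form action="' . $server['PHP_SELF'] . '" method="post">';
}

// Hardened pattern: treat $_SERVER['PHP_SELF'] and $_SERVER['PATH_INFO'] as
// untrusted input and HTML-encode them before output. ENT_QUOTES also encodes
// the double quote, which is what broke out of the attribute above.
function render_form_hardened(array $server): string
{
    $action = htmlspecialchars($server['PHP_SELF'], ENT_QUOTES, 'UTF-8');
    return '<form action="' . $action . '" method="post">';
}

// Check used by the demo: does the rendered markup open a <script> element?
function opens_script_tag(string $html): bool
{
    return (bool) preg_match('/<script\b/i', $html);
}

$vulnerable = render_form_vulnerable($server);
$hardened   = render_form_hardened($server);

echo "vulnerable: {$vulnerable}\n";
echo "hardened:   {$hardened}\n";
echo "vulnerable opens <script>: " . var_export(opens_script_tag($vulnerable), true) . "\n";
echo "hardened opens <script>:   " . var_export(opens_script_tag($hardened), true) . "\n";
```

Run with `php example.php`. The vulnerable line prints a literal `<script>alert(1)</script>` inside the form tag; the hardened line prints `&quot;&gt;&lt;script&gt;...` and the check reports false. Encoding at output time is the minimum fix; where the value is only needed as a form target, using SCRIPT_NAME (which carries no appended path info) or a hard-coded script name removes the attacker-controlled portion altogether, but it should still be encoded.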
amd64 stable
dev-db/phpmyadmin-2.11.1.2
1. Emerges on SPARC64.
2. No collisions.
3. Package includes no tests.
4. After struggling with the package for a long time to get the config working (the file must be at /var/www/<hostname>/htdocs/phpmyadmin/config.inc.php and not .../phpmyadmin/config/config.inc.php), it worked fine. I've created a few tables, through the wizard and with SQL commands, changed column definitions, searched for data, browsed the tables and dropped a table.

emerge --info:
Portage 2.1.3.9 (default-linux/sparc/sparc64/2007.0, gcc-4.1.2, glibc-2.6.1-r0, 2.6.17-gentoo-r8 sparc64)
=================================================================
System uname: 2.6.17-gentoo-r8 sparc64 sun4u
Timestamp of tree: Sat, 20 Oct 2007 11:50:01 +0000
app-shells/bash: 3.2_p17
dev-lang/python: 2.4.4-r5
dev-python/pycrypto: 2.0.1-r6
sys-apps/baselayout: 1.12.9-r2
sys-apps/sandbox: 1.2.17
sys-devel/autoconf: 2.13, 2.61-r1
sys-devel/automake: 1.7.9-r1, 1.10
sys-devel/binutils: 2.18-r1
sys-devel/gcc-config: 1.3.16
sys-devel/libtool: 1.5.24
virtual/os-headers: 2.6.22-r2
ACCEPT_KEYWORDS="sparc"
CBUILD="sparc-unknown-linux-gnu"
CFLAGS="-O2 -mcpu=ultrasparc3 -pipe"
CHOST="sparc-unknown-linux-gnu"
CONFIG_PROTECT="/etc /var/bind"
CONFIG_PROTECT_MASK="/etc/env.d /etc/gconf /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/terminfo /etc/udev/rules.d"
CXXFLAGS="-O2 -mcpu=ultrasparc3 -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="collision-protection distlocks metadata-transfer parallel-fetch sandbox sfperms strict test unmerge-orphans userfetch"
GENTOO_MIRRORS="http://ftp.belnet.be/mirror/rsync.gentoo.org/gentoo/ ftp://ftp.gentoo-pt.org/pub/gentoo ftp://mirrors1.netvisao.pt/gentoo/ http://trumpetti.tut.atm.fi/gentoo"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --filter=H_**/files/digest-*"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://atl64.acores.pt/gentoo-portage"
USE="bitmap-fonts cli cracklib crypt cups dri fortran gdbm gpm iconv isdnlog midi mudflap nls nptl nptlonly openmp pam pcre ppds pppd reflection session sparc spl tcpd test truetype-fonts type1-fonts unicode vhosts xorg"
ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route share shm softvol"
ELIBC="glibc"
INPUT_DEVICES="keyboard mouse evdev"
KERNEL="linux"
LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text"
USERLAND="GNU"
VIDEO_CARDS="dummy fbdev glint mach64 mga r128 radeon sunbw2 suncg14 suncg3 suncg6 sunffb sunleo tdfx v4l voodoo"
Unset: CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, LINGUAS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS
Stable on sparc. On alpha we are having some weird problems with mysql, so please give us a couple of days to see if we can fix them first. Drop me a comment if this bug is *really* urgent.
Stable in alpha. Our problem with mysql seems to be kernel related so phpmyadmin doesn't have anything to do with it. Sorry for the delay. @security: we are the last arch, ready for you.
Welcome to the polling booth - It's a vote!
Oh, a vote here as well:) I tend to vote YES.
The insecure versions were removed from the tree. webapps is done here.
(In reply to comment #13)
> Oh, a vote here as well:) I tend to vote YES.

Huh? Yes for a simple XSS? Is there a specific reason? We get at least one vuln like this every week on a random web app, and generally speaking we don't release GLSAs for just an XSS... So voting NO unless you explain to me why we should have a GLSA for that :)
I just had to be a bit positive:) Everyone here in .dk tends to vote NO whenever they get the chance, and without any specific reason. TBH you're absolutely correct, so I'm reversing to a full NO and closing.