Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 104124

Summary: dev-db/phpmyadmin: 2 XSS issues
Product: Gentoo Security Reporter: Sune Kloppenborg Jeppesen (RETIRED) <jaervosz>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: web-apps
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://www.phpmyadmin.net/home_page/downloads.php?relnotes=0
Whiteboard: B4 [noglsa] DerCorny
Package list:
Runtime testing required: ---

Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-08-29 05:19:55 UTC 
XSS on table creation page 
XSS on the cookie-based login panel
Comment 1 Stefan Cornelius (RETIRED) gentoo-dev 2005-08-29 05:57:59 UTC 
web-apps team, please provide an fixed ebuild, thanks.
Comment 2 Renat Lumpau (RETIRED) gentoo-dev 2005-08-29 08:08:46 UTC 
I committed 2.6.4_rc1 last night
Comment 3 Jean-François Brunette (RETIRED) gentoo-dev 2005-08-29 09:37:42 UTC 
Arches, please test and mark stable
Comment 4 Renat Lumpau (RETIRED) gentoo-dev 2005-08-29 09:59:59 UTC 
stable on x86
Comment 5 Gustavo Zacarias (RETIRED) gentoo-dev 2005-08-29 10:58:50 UTC 
sparc stable.
Comment 6 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev 2005-08-29 13:08:28 UTC 
Stable on ppc and hppa.
Comment 7 Marcus D. Hanwell (RETIRED) gentoo-dev 2005-08-29 13:28:25 UTC 
Stable on amd64.
Comment 8 Chris Russell (RETIRED) gentoo-dev 2005-08-30 03:47:59 UTC 
this was odd, the post-install instructions issued after the upgrade had the old
version listed, not the new one... (see below)
I ran "# mysql -u root -p <
/usr/share/webapps/phpmyadmin/2.6.4_rc1/sqlscripts/mysql/2.6.4_rc1_create.sql"
manually but the less observant might miss it.




# webapp-config -U -h localhost -d phpmyadmin phpmyadmin 2.6.4_rc1
 * Upgrading phpmyadmin-2.6.2-r2 to phpmyadmin-2.6.4_rc1
 *   Installed by root on 2005-05-07 14:36:09
 *   Config files owned by root:root

 *   Creating required directories
 *   Linking in required files
 *     This can take several minutes for larger apps
--- cfgpro file config.inc.php
^o^ hiding ./._cfg0000_config.inc.php
 *   Files and directories installed

 * One or more files have been config protected
 * To complete your install, you need to run this command:
 * 
 *   CONFIG_PROTECT="/var/www/localhost/htdocs/phpmyadmin" etc-update

 * Install completed - success
 * Removing old version phpmyadmin-2.6.2-r2
--- cfgpro file config.inc.php
<snipped>
 * Remove whatever is listed above by hand

=================================================================
POST-INSTALL INSTRUCTIONS
=================================================================

To complete installation, you must

1. Update MySQL's grant tables and the pmadb database:
     mysql -u root -p <
/usr/share/webapps/phpmyadmin/2.6.2-r2/sqlscripts/mysql/2.6.2-r2_create.sql

If <snip>
Comment 9 Renat Lumpau (RETIRED) gentoo-dev 2005-08-30 05:46:09 UTC 
See bug #98142
Comment 10 Jose Luis Rivero (yoswink) (RETIRED) gentoo-dev 2005-08-30 12:19:55 UTC 
2.6.4_rc1 stable on alpha. 

Sorry about the delay :)
Comment 11 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-08-30 12:29:28 UTC 
This one is ready for GLSA vote, I tend to vote NO.
Comment 12 Stefan Cornelius (RETIRED) gentoo-dev 2005-08-30 19:57:12 UTC 
i'd say no, too
Comment 13 Thierry Carrez (RETIRED) gentoo-dev 2005-08-31 00:26:18 UTC 
I agree it's lame (XSS on a typically Intranet/admin tool), but we did GLSAs for
this in the past (see GLSA 200504-08), so I'll play the devil's advocate and
vote YES :) 

[that said, the phpmyadmin folks didn't even issue an advisory about this one]
Comment 14 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2005-08-31 00:31:28 UTC 
I don't know if I count as anything here, but as part of web-apps, and one of 
the upstream authors, I'd like to vote no.
Comment 15 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-08-31 00:48:32 UTC 
Voting full NO and Closing. Feel free to reopen if you disagree.