Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 87952

Summary: dev-db/phpmyadmin: PMASA-2005-3 XSS vulnerability
Product: Gentoo Security Reporter: Luke Macken (RETIRED) <lewk>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: web-apps
Priority: High    
Version: unspecified   
Hardware: All   
OS: All   
URL: http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2005-3
Whiteboard: B4 [glsa] lewk
Package list:
Runtime testing required: ---
Attachments:
Description Flags
phpMyAdmin 2.6.2-rc1 ebuild patch none

Description Luke Macken (RETIRED) gentoo-dev 2005-04-04 13:06:36 UTC 
==========================================================
Title: phpMyAdmin Cross-site Scripting Vulnerability

Application: phpMyAdmin
Vendor: http://www.phpmyadmin.net
Vulnerable Versions: <=2.6.2-beta1
Corrected: phpMyAdmin versions after 2.6.2-beta1
Bug: Cross-site Scripting
Date: 3-Apr-2005

Author: Oriol Torrent Santiago < oriol.torrent@gmail.com >

==========================================================

1) Background
   -----------
 phpMyAdmin is a tool written in PHP intended to handle the administration
 of MySQL over the Web. Currently it can create  and drop databases,
 create/drop/alter tables, delete/edit/add fields, execute any SQL statement,
 manage keys on fields,  manage privileges,export data into various formats
 and is available in 47 languages.


2) Problem description
   --------------------

 phpMyAdmin <=2.6.2-beta1 contain a vulnerability is caused due to
 missing validation of input supplied to "convcharset" variable.

 This can be exploited to execute arbitrary HTML and script code(JavaScript,
 VBScript,etc.) in a user's browser session in context of a vulnerable site.
 It allows an attacker to use the vulnerability to compromise the phpMyAdmin
 account, cookie theft, etc.


 Ex1:
 http://host/phpmyadmin/index.php?pma_username=&pma_password=&server=1&lang=en-iso-8859-1&convcharset=\"><script>alert(document.cookie)</script>

 Ex2:
 http://host/phpmyadmin/index.php?pma_username=&pma_password=&server=1&lang=en-iso-8859-1&convcharset=\"><h1>XSS</h1>

3) Solution:
   ---------

 Vendor was contacted on the 29th of March 2005 and new version is released
  
 Download the latest version of phpMyAdmin


4) Timeline
   --------

29/03/2005  Bug discovered
29/03/2005  Vendor notified
29/03/2005  Vendor response and bug fixed
03/04/2005  New version released
03/04/2005  Advisory released
Comment 1 Luke Macken (RETIRED) gentoo-dev 2005-04-04 13:09:08 UTC 
twp, please bump.
Comment 2 Jakub Moc (RETIRED) gentoo-dev 2005-04-08 07:55:51 UTC 
Created attachment 55674 [details, diff]
phpMyAdmin 2.6.2-rc1 ebuild patch

Someone please bump. ;-)
Comment 3 Aaron Walker (RETIRED) gentoo-dev 2005-04-08 09:20:26 UTC 
> Someone please bump. ;-)
sure.

Stable on x86. CC'd archs please stabilize.
Comment 4 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev 2005-04-08 10:24:28 UTC 
Stable on ppc.
Comment 5 Bryan Østergaard (RETIRED) gentoo-dev 2005-04-08 11:32:48 UTC 
Alpha stable.
Comment 6 Guy Martin (RETIRED) gentoo-dev 2005-04-08 12:26:47 UTC 
Stable on hppa.
Comment 7 Gustavo Zacarias (RETIRED) gentoo-dev 2005-04-08 17:55:29 UTC 
sparc stable.
Comment 8 Simon Stelling (RETIRED) gentoo-dev 2005-04-09 04:13:24 UTC 
amd64 done
Comment 9 Thierry Carrez (RETIRED) gentoo-dev 2005-04-09 04:56:49 UTC 
Security please vote on GLSA need
Comment 10 Thierry Carrez (RETIRED) gentoo-dev 2005-04-10 09:51:54 UTC 
We issued a Low GLSA for previous XSS things in phpmyadmin (200411-36), and phpmyadmin team finds the issue serious, so I think we should do one. so YES
Comment 11 Luke Macken (RETIRED) gentoo-dev 2005-04-10 16:15:52 UTC 
I vote YES as well.

2 YES votes == A GLSA will be released for this issue.
Comment 12 Luke Macken (RETIRED) gentoo-dev 2005-04-11 12:18:50 UTC 
GLSA 200504-08