When you grant privileges to databases with underscore character in their name via phpMyAdmin, you end up with user having wildcard privileges like in Bug 83163. Reproducible: Always Steps to Reproduce: 1. Create test_db 2. Create user test 3. Click on "Privileges" - Select user test 4. On next screen select test_db in "Add privileges on the following database" drop-down menu 5. On "Edit Privileges" screen check all fields except GRANT and click on "Go" Actual Results: You have updated the privileges for 'test'@'localhost'. SQL-query: GRANT ALL PRIVILEGES ON `test_db` . * TO 'test'@'localhost'; Now the user has wildcard privileges and can create databases as described in Bug 83163 when he logs into MySQL. Expected Results: GRANT ALL PRIVILEGES ON `test\_db` . * TO 'test'@'localhost'; This is inconsistent and insecure behaviour because phpMyAdmin grants wildcard privileges while it is expected not to do so. You therefore cannot grant privileges to databases with underscored names via phpMyAdmin GUI. The only viable option it to use SQL statement on mysql database instead. This defeats one of the main purposes of using GUI for MySQL administration. phpMyAdmin should escape underscore character in database name when granting rights on database level but this behaviour was probably broken when fixing the bug 6b mentioned at http://sourceforge.net/tracker/index.php?func=detail&aid=1056706&group_id=23067&atid=377408 (which was dealing with error when granting permissions on table level)
Apparently fixed in upstream : http://cvs.sourceforge.net/viewcvs.py/phpmyadmin/phpMyAdmin/server_privileges.php?r1=2.40&r2=2.42 Reporter: please try to apply patch and check it fixes the problem. twp: we might need a new bump before releasing GLSA :)
Affirmative, captain. ;-) GRANT ALL PRIVILEGES ON `test\_db` . * TO 'test'@'localhost'; Now I can finally have some sleep. Thank you very much!
Martin (mholzer) -- Could you bump this please? I won't have time to look at this until Monday evening at the earliest. Could you take maintainership of phpmyadmin? Cheers, Tom
2.6.1_p2-r1 is in cvs, stable x86. CC'd archs please stable.
Created attachment 52466 [details] failed patch This patch does not work - see attachment * Applying 2.6.1_p2-no-wildcard-privs-for-you.patch ... * Failed Patch: 2.6.1_p2-no-wildcard-privs-for-you.patch! * * Include in your bugreport the contents of: * * /var/tmp/portage/phpmyadmin-2.6.1_p2-r1/temp/2.6.1_p2-no-wildcard-privs-for-you.patch-32018.out
Created attachment 52467 [details, diff] working patch Note the redundant path phpmyadmin/phpMyAdmin/ was stripped. ;-)
Also note that the post-install instructions are now wrong again (version changed) 1. Update MySQL's grant tables and the pmadb database: mysql -u root -p < /usr/share/webapps/phpmyadmin/2.6.1_p2/sqlscripts/mysql/2.6.1_p2_create.sql
Aaron: patch fails, see above
Actually it has nothing to do with the patch. As I originally thought it's due to the $Id: $ change in the source file. cvs see's this and automatically updates the timestamp, thus causing the patch to fail. I've had to patch the sources then change the $Id back then re-diff ;) Fixed. I've also updated the ebuild to automatically update the postinst-en.txt file that gets installed so that PVR is set correctly.
err s/patch/paths/
OK, it works now. :-)
Arches, please mark latest stable
Stable on ppc.
stable on amd64
Stable on SPARC.
Stable on alpha.
GLSA 200503-07
This bug should also be fixed in phpMyAdmin-2.6.1-pl3.
*** Bug 85556 has been marked as a duplicate of this bug. ***
ebuild no longer in portage.
