Bug 452497 (CVE-2008-2960)
Summary: | CVE-2008-2960 phpMyAdmin: XSS on plausible insecure PHP installation (PMASA-2008-4) | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Robert Scheck <redhat-bugzilla> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED CURRENTRELEASE | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | low | ||
Version: | unspecified | CC: | bressers, mmcgrath |
Target Milestone: | --- | ||
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2008-4 | ||
Whiteboard: | |||
Fixed In Version: | 2.11.7-1.fc8 | Doc Type: | Bug Fix |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2008-06-25 02:50:03 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
Robert Scheck
2008-06-23 12:58:46 UTC
phpMyAdmin-2.11.7-0.2.fc8 has been submitted as an update for Fedora 8 phpMyAdmin security announcement PMASA-2008-4 Announcement-ID: PMASA-2008-4 Date: 2008-06-23 Summary: XSS on plausible insecure PHP installation Description: We received an advisory from Tim Starling (Wikimedia), and we wish to thank him for his work. Some scripts in the /libraries directory were vulnerable to XSS. Severity: We consider this vulnerability to be serious. Mitigation factor: We were able to reproduce this only on systems where both of these conditions are true: the PHP register_globals setting is "on" and the web server does not apply the settings contained in the .htaccess file that we placed in / libraries. Affected versions: Versions before 2.11.7. Solution: Upgrade to phpMyAdmin 2.11.7 or newer. References: Revision 11326 (http://phpmyadmin.svn.sourceforge.net/viewvc/ phpmyadmin?view=rev&revision=11326) Updates for F-8, F-9, EL-4 and EL-5 are currently building. Is the reason why .htaccess file is no longer shipped in RPMs documented somewhere? phpMyAdmin-2.11.7-1.fc8 has been submitted as an update for Fedora 8 phpMyAdmin-2.11.7-1.fc9 has been submitted as an update for Fedora 9 Thomas, what do you mean? We've the following in the default configuration taken from the original tarball where it exists in .htaccess - normally. # This directory does not require access over HTTP - taken from the original # phpMyAdmin upstream tarball # <Directory /usr/share/phpMyAdmin/libraries> Order Deny,Allow Deny from All Allow from None </Directory> Anyway, the update is in the queue. Nobody knows, how broken the configuration of some Fedora/EPEL users is ;-) Ah, sorry, my bad, missed that one. phpMyAdmin-2.11.7-1.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report. phpMyAdmin-2.11.7-1.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report. CVE-2008-2960: Cross-site scripting (XSS) vulnerability in phpMyAdmin before 2.11.7, when register_globals is enabled and .htaccess support is disabled, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors involving scripts in libraries/. *** Bug 454333 has been marked as a duplicate of this bug. *** |