Bug 452497 (CVE-2008-2960)

Summary: CVE-2008-2960 phpMyAdmin: XSS on plausible insecure PHP installation (PMASA-2008-4)
Product: [Other] Security Response Reporter: Robert Scheck <redhat-bugzilla>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Severity: medium Docs Contact:
Priority: low    
Version: unspecifiedCC: bressers, mmcgrath
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
URL: http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2008-4
Fixed In Version: 2.11.7-1.fc8 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2008-06-25 02:50:03 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Robert Scheck 2008-06-23 12:58:46 UTC
Description of problem:
phpMyAdmin < 2.11.7-rc2 contains non-documented security bug: "Welcome to the 
second release candidate for phpMyAdmin 2.11.7, a bugfix-only release. This rc 
contains a security fix; an advisory will be published in a few days."

If I'm allowed to guess, it's the point "protection against XSS when 
register_globals is on and .htaccess has no effect, thanks to Tim Starling"
from the changes list below. But I'm not sure, of course.

Version-Release number of selected component (if applicable):

Additional info (http://www.phpmyadmin.net/home_page/downloads.php?relnotes=0):
Fixes for 2.11.7.x:
- bug #1908719 [interface] New field cannot be auto-increment and 
  primary key 
- [dbi] Incorrect interpretation for some mysqli field flags 
- bug #1910621 [display] part 1: do not display a TEXT utf8_bin 
  as BLOB (fixed for mysqli extension only)
- [interface] sanitize the after_field parameter,
  thanks to Norman Hippert
- [structure] do not remove the BINARY attribute in drop-down 
- bug #1955386 [session] Overriding session.hash_bits_per_character 
- [interface] sanitize the table comments in table print view, 
  thanks to Norman Hippert
- bug #1939031 Auto_Increment selected for TimeStamp by Default
- patch #1957998 [display] No tilde for InnoDB row counter when 
  we know it for sure, thanks to Vladyslav Bakayev - dandy76 
- bug #1955572 [display] alt text causes duplicated strings
- bug #1762029 [interface] Cannot upload BLOB into existing row 
- bug #1981043 [export] HTML in exports getting corrupted,
  thanks to Jason Judge - jasonjudge
- bug #1936761 [interface] BINARY not treated as BLOB: 
  update/delete issues 
- protection against XSS when register_globals is on and .htaccess
  has no effect, thanks to Tim Starling
- bug #1996943 [export] Firefox 3 and .sql.gz (corrupted); 
  detect Gecko 1.9, thanks to Juergen Wind

Comment 1 Fedora Update System 2008-06-23 13:06:53 UTC
phpMyAdmin-2.11.7-0.2.fc8 has been submitted as an update for Fedora 8

Comment 2 Robert Scheck 2008-06-23 18:28:44 UTC
phpMyAdmin security announcement PMASA-2008-4

Announcement-ID: PMASA-2008-4
Date: 2008-06-23

XSS on plausible insecure PHP installation 

We received an advisory from Tim Starling (Wikimedia), and we wish to thank him 
for his work. Some scripts in the /libraries directory were vulnerable to XSS. 

We consider this vulnerability to be serious. 

Mitigation factor:
We were able to reproduce this only on systems where both of these conditions 
are true: the PHP register_globals setting is "on" and the web server does not 
apply the settings contained in the .htaccess file that we placed in /

Affected versions:
Versions before 2.11.7. 

Upgrade to phpMyAdmin 2.11.7 or newer. 
References: Revision 11326 (http://phpmyadmin.svn.sourceforge.net/viewvc/

Comment 3 Robert Scheck 2008-06-23 18:29:59 UTC
Updates for F-8, F-9, EL-4 and EL-5 are currently building.

Comment 4 Tomas Hoger 2008-06-23 18:31:37 UTC
Is the reason why .htaccess file is no longer shipped in RPMs documented somewhere?

Comment 5 Fedora Update System 2008-06-23 18:33:52 UTC
phpMyAdmin-2.11.7-1.fc8 has been submitted as an update for Fedora 8

Comment 6 Fedora Update System 2008-06-23 18:34:30 UTC
phpMyAdmin-2.11.7-1.fc9 has been submitted as an update for Fedora 9

Comment 7 Robert Scheck 2008-06-23 18:41:14 UTC
Thomas, what do you mean? We've the following in the default configuration
taken from the original tarball where it exists in .htaccess - normally.

# This directory does not require access over HTTP - taken from the original
# phpMyAdmin upstream tarball
<Directory /usr/share/phpMyAdmin/libraries>
    Order Deny,Allow
    Deny from All
    Allow from None

Anyway, the update is in the queue. Nobody knows, how broken the configuration
of some Fedora/EPEL users is ;-)

Comment 8 Tomas Hoger 2008-06-23 18:47:43 UTC
Ah, sorry, my bad, missed that one.

Comment 9 Fedora Update System 2008-06-25 02:50:01 UTC
phpMyAdmin-2.11.7-1.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 10 Fedora Update System 2008-06-25 02:53:26 UTC
phpMyAdmin-2.11.7-1.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 11 Tomas Hoger 2008-07-03 09:26:59 UTC

Cross-site scripting (XSS) vulnerability in phpMyAdmin before 2.11.7,
when register_globals is enabled and .htaccess support is disabled,
allows remote attackers to inject arbitrary web script or HTML via
unspecified vectors involving scripts in libraries/.

Comment 12 Robert Scheck 2008-07-07 19:06:53 UTC
*** Bug 454333 has been marked as a duplicate of this bug. ***