Bug 455520 (CVE-2008-3197)

Summary: CVE-2008-3197 phpMyAdmin: XSRF/CSRF by manipulating the db (PMASA-2008-5)
Product: [Other] Security Response Reporter: Robert Scheck <redhat-bugzilla>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: low    
Version: unspecifiedCC: mmcgrath
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
URL: http://www.phpmyadmin.net/home_page/downloads.php?relnotes=0
Whiteboard:
Fixed In Version: 2.11.7.1-1 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2008-07-15 21:11:06 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Robert Scheck 2008-07-15 20:45:01 UTC 
Description of problem:
phpMyAdmin < 2.11.7.1 contains a not clearly documented security bug: "Welcome 
to phpMyAdmin 2.11.7.1, a security fix version. The security announcement will 
follow on http://www.phpmyadmin.net."

Version-Release number of selected component (if applicable):
phpMyAdmin-2.11.7-1

Additional info (http://www.phpmyadmin.net/home_page/downloads.php?relnotes=0):
Fixes for 2.11.7.x:
- bug #1908719 [interface] New field cannot be auto-increment and primary key 
- [dbi] Incorrect interpretation for some mysqli field flags 
- bug #1910621 [display] part 1: do not display a TEXT utf8_bin as BLOB (fixed 
  for mysqli extension only)
- [interface] sanitize the after_field parameter, thanks to Norman Hippert
- [structure] do not remove the BINARY attribute in drop-down 
- bug #1955386 [session] Overriding session.hash_bits_per_character 
- [interface] sanitize the table comments in table print view, thanks to Norman 
  Hippert
- bug #1939031 Auto_Increment selected for TimeStamp by Default
- patch #1957998 [display] No tilde for InnoDB row counter when we know it for 
  sure, thanks to Vladyslav Bakayev - dandy76 
- bug #1955572 [display] alt text causes duplicated strings
- bug #1762029 [interface] Cannot upload BLOB into existing row 
- bug #1981043 [export] HTML in exports getting corrupted, thanks to Jason 
  Judge - jasonjudge
- bug #1936761 [interface] BINARY not treated as BLOB: update/delete issues 
- protection against XSS when register_globals is on and .htaccess has no 
  effect, thanks to Tim Starling
- bug #1996943 [export] Firefox 3 and .sql.gz (corrupted); detect Gecko 1.9, 
  thanks to Juergen Wind
- (2.11.7.1)  [security] XSRF/CSRF by manipulating the db, convcharset and 
  collation_connection parameters, thanks to YGN Ethical Hacker Group
Comment 1 Fedora Update System 2008-07-15 20:58:16 UTC 
phpMyAdmin-2.11.7.1-1.fc8 has been submitted as an update for Fedora 8
Comment 2 Fedora Update System 2008-07-15 20:58:18 UTC 
phpMyAdmin-2.11.7.1-1.fc9 has been submitted as an update for Fedora 9
Comment 3 Tomas Hoger 2008-07-16 18:05:10 UTC 
CVE-2008-3197:
Cross-site request forgery (CSRF) vulnerability in phpMyAdmin before
2.11.7.1 allows remote attackers to perform unauthorized actions via a
link or IMG tag to (1) the "Creating a Database" functionality
(db_create.php) and (2) unspecified vectors that modify the connection
character set.

Upstream advisory:
http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2008-5
Comment 4 Fedora Update System 2008-07-17 14:13:10 UTC 
phpMyAdmin-2.11.7.1-1.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 5 Fedora Update System 2008-07-17 14:20:54 UTC 
phpMyAdmin-2.11.7.1-1.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.