Description of problem:
phpMyAdmin < 2.11.7-rc2 contains a non-documented security bug: "Welcome to the second release candidate for phpMyAdmin 2.11.7, a bugfix-only release. This rc contains a security fix; an advisory will be published in a few days." If I'm allowed to guess, it's the point "protection against XSS when register_globals is on and .htaccess has no effect, thanks to Tim Starling" from the changes list below. But I'm not sure, of course.

Version-Release number of selected component (if applicable):
phpMyAdmin-2.11.6-1

Additional info (http://www.phpmyadmin.net/home_page/downloads.php?relnotes=0):
Fixes for 2.11.7.x:
- bug #1908719 [interface] New field cannot be auto-increment and primary key
- [dbi] Incorrect interpretation for some mysqli field flags
- bug #1910621 [display] part 1: do not display a TEXT utf8_bin as BLOB (fixed for mysqli extension only)
- [interface] sanitize the after_field parameter, thanks to Norman Hippert
- [structure] do not remove the BINARY attribute in drop-down
- bug #1955386 [session] Overriding session.hash_bits_per_character
- [interface] sanitize the table comments in table print view, thanks to Norman Hippert
- bug #1939031 Auto_Increment selected for TimeStamp by Default
- patch #1957998 [display] No tilde for InnoDB row counter when we know it for sure, thanks to Vladyslav Bakayev - dandy76
- bug #1955572 [display] alt text causes duplicated strings
- bug #1762029 [interface] Cannot upload BLOB into existing row
- bug #1981043 [export] HTML in exports getting corrupted, thanks to Jason Judge - jasonjudge
- bug #1936761 [interface] BINARY not treated as BLOB: update/delete issues
- protection against XSS when register_globals is on and .htaccess has no effect, thanks to Tim Starling
- bug #1996943 [export] Firefox 3 and .sql.gz (corrupted); detect Gecko 1.9, thanks to Juergen Wind
phpMyAdmin-2.11.7-0.2.fc8 has been submitted as an update for Fedora 8
phpMyAdmin security announcement PMASA-2008-4

Announcement-ID: PMASA-2008-4
Date: 2008-06-23
Summary: XSS on plausible insecure PHP installation
Description: We received an advisory from Tim Starling (Wikimedia), and we wish to thank him for his work. Some scripts in the /libraries directory were vulnerable to XSS.
Severity: We consider this vulnerability to be serious.
Mitigation factor: We were able to reproduce this only on systems where both of these conditions are true: the PHP register_globals setting is "on" and the web server does not apply the settings contained in the .htaccess file that we placed in /libraries.
Affected versions: Versions before 2.11.7.
Solution: Upgrade to phpMyAdmin 2.11.7 or newer.
References: Revision 11326 (http://phpmyadmin.svn.sourceforge.net/viewvc/phpmyadmin?view=rev&revision=11326)
Updates for F-8, F-9, EL-4 and EL-5 are currently building.
Is the reason why .htaccess file is no longer shipped in RPMs documented somewhere?
phpMyAdmin-2.11.7-1.fc8 has been submitted as an update for Fedora 8
phpMyAdmin-2.11.7-1.fc9 has been submitted as an update for Fedora 9
Thomas, what do you mean? We have the following in the default configuration, taken from the original tarball where it exists in .htaccess - normally.

    # This directory does not require access over HTTP - taken from the original
    # phpMyAdmin upstream tarball
    #
    <Directory /usr/share/phpMyAdmin/libraries>
        Order Deny,Allow
        Deny from All
        Allow from None
    </Directory>

Anyway, the update is in the queue. Nobody knows how broken the configuration of some Fedora/EPEL users is ;-)
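To make the two conditions from the advisory concrete, here is an added illustration of the vulnerability class, written for this page; it is not one of the comments above, not phpMyAdmin's code, and not the actual change in revision 11326. The helper name libraries/notice.php, the PHPMYADMIN constant and the $message variable are assumptions made for the illustration. The point it shows is why the Apache Deny rule above is only one layer: a file under libraries/ that trusts a variable "already set by whoever included me" is safe only while nobody can request it directly with register_globals=On, so the include file itself should also refuse direct access and escape on output.

```php
<?php
// Added illustration of the class described in PMASA-2008-4 (not phpMyAdmin's
// code, not its fix). libraries/notice.php, PHPMYADMIN and $message are
// assumptions for this example.

// Constructed request: what a direct GET to libraries/notice.php?message=...
// carries. With register_globals=On, PHP turns this into a plain variable
// $message before the script's first line runs.
$request = ['message' => '<b>not plain text</b>'];

/**
 * Vulnerable pattern: the helper assumes the including page set $message
 * and echoes it unescaped. If the web server ignores the .htaccess deny rule
 * the helper is reachable directly, and register_globals=On lets the query
 * string supply $message instead of the includer.
 */
function render_vulnerable(array $registered_globals): string
{
    extract($registered_globals);   // stands in for register_globals=On
    return '<div class="notice">' . $message . '</div>';
}

/**
 * Hardened pattern, three independent layers, so that a single
 * misconfiguration (register_globals on, or .htaccess ignored) is not enough:
 *  1. direct-access guard: run only when an entry page defined PHPMYADMIN
 *     before including this file;
 *  2. no reliance on pre-existing globals: the value is an explicit parameter
 *     handed over by the includer;
 *  3. HTML-escape at the output sink.
 */
function render_hardened(string $message): string
{
    if (!defined('PHPMYADMIN')) {          // layer 1
        return '';                         // a real include file would exit; here
    }
    $safe = htmlspecialchars($message, ENT_QUOTES, 'UTF-8');   // layer 3
    return '<div class="notice">' . $safe . '</div>';
}

// Direct request to the helper: no entry page ran, so PHPMYADMIN is undefined.
echo 'vulnerable, direct access: ' . render_vulnerable($request) . PHP_EOL;
echo 'hardened, direct access:   [' . render_hardened($request['message']) . ']' . PHP_EOL;

// Legitimate use: the entry page defines the marker, then includes the helper
// and passes the value explicitly (layer 2).
define('PHPMYADMIN', true);
echo 'hardened, included:        ' . render_hardened($request['message']) . PHP_EOL;
```

Run it with the PHP CLI (`php notice_example.php`): the first line reflects the `<b>` markup as live HTML, the second is empty because the guard refuses a direct request, and the third shows the same value escaped. The Apache Directory block in the comment above and the in-file guard are independent mitigations; the advisory's mitigation factor is exactly the case where the first one silently does nothing.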
Ah, sorry, my bad, missed that one.
phpMyAdmin-2.11.7-1.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
phpMyAdmin-2.11.7-1.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.
CVE-2008-2960: Cross-site scripting (XSS) vulnerability in phpMyAdmin before 2.11.7, when register_globals is enabled and .htaccess support is disabled, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors involving scripts in libraries/.
*** Bug 454333 has been marked as a duplicate of this bug. ***