Red Hat Bugzilla – Bug 452497
CVE-2008-2960 phpMyAdmin: XSS on plausible insecure PHP installation (PMASA-2008-4)
Last modified: 2008-07-07 15:06:53 EDT
Description of problem:
phpMyAdmin < 2.11.7-rc2 contains non-documented security bug: "Welcome to the
second release candidate for phpMyAdmin 2.11.7, a bugfix-only release. This rc
contains a security fix; an advisory will be published in a few days."
If I'm allowed to guess, it's the point "protection against XSS when
register_globals is on and .htaccess has no effect, thanks to Tim Starling"
from the changes list below. But I'm not sure, of course.
Version-Release number of selected component (if applicable):
Additional info (http://www.phpmyadmin.net/home_page/downloads.php?relnotes=0):
Fixes for 2.11.7.x:
- bug #1908719 [interface] New field cannot be auto-increment and
- [dbi] Incorrect interpretation for some mysqli field flags
- bug #1910621 [display] part 1: do not display a TEXT utf8_bin
as BLOB (fixed for mysqli extension only)
- [interface] sanitize the after_field parameter,
thanks to Norman Hippert
- [structure] do not remove the BINARY attribute in drop-down
- bug #1955386 [session] Overriding session.hash_bits_per_character
- [interface] sanitize the table comments in table print view,
thanks to Norman Hippert
- bug #1939031 Auto_Increment selected for TimeStamp by Default
- patch #1957998 [display] No tilde for InnoDB row counter when
we know it for sure, thanks to Vladyslav Bakayev - dandy76
- bug #1955572 [display] alt text causes duplicated strings
- bug #1762029 [interface] Cannot upload BLOB into existing row
- bug #1981043 [export] HTML in exports getting corrupted,
thanks to Jason Judge - jasonjudge
- bug #1936761 [interface] BINARY not treated as BLOB:
- protection against XSS when register_globals is on and .htaccess
has no effect, thanks to Tim Starling
- bug #1996943 [export] Firefox 3 and .sql.gz (corrupted);
detect Gecko 1.9, thanks to Juergen Wind
phpMyAdmin-2.11.7-0.2.fc8 has been submitted as an update for Fedora 8
phpMyAdmin security announcement PMASA-2008-4
XSS on plausible insecure PHP installation
We received an advisory from Tim Starling (Wikimedia), and we wish to thank him
for his work. Some scripts in the /libraries directory were vulnerable to XSS.
We consider this vulnerability to be serious.
We were able to reproduce this only on systems where both of these conditions
are true: the PHP register_globals setting is "on" and the web server does not
apply the settings contained in the .htaccess file that we placed in /
Versions before 2.11.7.
Upgrade to phpMyAdmin 2.11.7 or newer.
References: Revision 11326 (http://phpmyadmin.svn.sourceforge.net/viewvc/
Updates for F-8, F-9, EL-4 and EL-5 are currently building.
Is the reason why .htaccess file is no longer shipped in RPMs documented somewhere?
phpMyAdmin-2.11.7-1.fc8 has been submitted as an update for Fedora 8
phpMyAdmin-2.11.7-1.fc9 has been submitted as an update for Fedora 9
Thomas, what do you mean? We've the following in the default configuration
taken from the original tarball where it exists in .htaccess - normally.
# This directory does not require access over HTTP - taken from the original
# phpMyAdmin upstream tarball
Deny from All
Allow from None
Anyway, the update is in the queue. Nobody knows, how broken the configuration
of some Fedora/EPEL users is ;-)
Ah, sorry, my bad, missed that one.
phpMyAdmin-2.11.7-1.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
phpMyAdmin-2.11.7-1.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.
Cross-site scripting (XSS) vulnerability in phpMyAdmin before 2.11.7,
when register_globals is enabled and .htaccess support is disabled,
allows remote attackers to inject arbitrary web script or HTML via
unspecified vectors involving scripts in libraries/.
*** Bug 454333 has been marked as a duplicate of this bug. ***