Bug 452497 - (CVE-2008-2960) CVE-2008-2960 phpMyAdmin: XSS on plausible insecure PHP installation (PMASA-2008-4)
Status: CLOSED CURRENTRELEASE
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: medium
Assigned To: Red Hat Product Security
URL: http://www.phpmyadmin.net/home_page/s...
Related: CVE-2008-3032
Reported: 2008-06-23 08:58 EDT by Robert Scheck
Modified: 2008-07-07 15:06 EDT
Fixed In Version: 2.11.7-1.fc8
Doc Type: Bug Fix
Last Closed: 2008-06-24 22:50:03 EDT
Attachments: None

Description Robert Scheck 2008-06-23 08:58:46 EDT
Description of problem:
phpMyAdmin < 2.11.7-rc2 contains a non-documented security bug: "Welcome to the
second release candidate for phpMyAdmin 2.11.7, a bugfix-only release. This rc
contains a security fix; an advisory will be published in a few days."

If I'm allowed to guess, it's the point "protection against XSS when 
register_globals is on and .htaccess has no effect, thanks to Tim Starling"
from the changes list below. But I'm not sure, of course.

Version-Release number of selected component (if applicable):
phpMyAdmin-2.11.6-1

Additional info (http://www.phpmyadmin.net/home_page/downloads.php?relnotes=0):
Fixes for 2.11.7.x:
- bug #1908719 [interface] New field cannot be auto-increment and 
  primary key 
- [dbi] Incorrect interpretation for some mysqli field flags 
- bug #1910621 [display] part 1: do not display a TEXT utf8_bin 
  as BLOB (fixed for mysqli extension only)
- [interface] sanitize the after_field parameter,
  thanks to Norman Hippert
- [structure] do not remove the BINARY attribute in drop-down 
- bug #1955386 [session] Overriding session.hash_bits_per_character 
- [interface] sanitize the table comments in table print view, 
  thanks to Norman Hippert
- bug #1939031 Auto_Increment selected for TimeStamp by Default
- patch #1957998 [display] No tilde for InnoDB row counter when 
  we know it for sure, thanks to Vladyslav Bakayev - dandy76 
- bug #1955572 [display] alt text causes duplicated strings
- bug #1762029 [interface] Cannot upload BLOB into existing row 
- bug #1981043 [export] HTML in exports getting corrupted,
  thanks to Jason Judge - jasonjudge
- bug #1936761 [interface] BINARY not treated as BLOB: 
  update/delete issues 
- protection against XSS when register_globals is on and .htaccess
  has no effect, thanks to Tim Starling
- bug #1996943 [export] Firefox 3 and .sql.gz (corrupted); 
  detect Gecko 1.9, thanks to Juergen Wind
Comment 1 Fedora Update System 2008-06-23 09:06:53 EDT
phpMyAdmin-2.11.7-0.2.fc8 has been submitted as an update for Fedora 8
Comment 2 Robert Scheck 2008-06-23 14:28:44 EDT
phpMyAdmin security announcement PMASA-2008-4

Announcement-ID: PMASA-2008-4
Date: 2008-06-23

Summary:
XSS on plausible insecure PHP installation 

Description:
We received an advisory from Tim Starling (Wikimedia), and we wish to thank him 
for his work. Some scripts in the /libraries directory were vulnerable to XSS. 

Severity:
We consider this vulnerability to be serious. 

Mitigation factor:
We were able to reproduce this only on systems where both of these conditions
are true: the PHP register_globals setting is "on" and the web server does not
apply the settings contained in the .htaccess file that we placed in /libraries.

Affected versions:
Versions before 2.11.7. 

Solution:
Upgrade to phpMyAdmin 2.11.7 or newer. 
References: Revision 11326
(http://phpmyadmin.svn.sourceforge.net/viewvc/phpmyadmin?view=rev&revision=11326)
Comment 3 Robert Scheck 2008-06-23 14:29:59 EDT
Updates for F-8, F-9, EL-4 and EL-5 are currently building.
Comment 4 Tomas Hoger 2008-06-23 14:31:37 EDT
Is the reason why .htaccess file is no longer shipped in RPMs documented somewhere?
Comment 5 Fedora Update System 2008-06-23 14:33:52 EDT
phpMyAdmin-2.11.7-1.fc8 has been submitted as an update for Fedora 8
Comment 6 Fedora Update System 2008-06-23 14:34:30 EDT
phpMyAdmin-2.11.7-1.fc9 has been submitted as an update for Fedora 9
Comment 7 Robert Scheck 2008-06-23 14:41:14 EDT
Tomas, what do you mean? We have the following in the default configuration,
taken from the original tarball where it normally exists in .htaccess.

# This directory does not require access over HTTP - taken from the original
# phpMyAdmin upstream tarball
#
<Directory /usr/share/phpMyAdmin/libraries>
    Order Deny,Allow
    Deny from All
    Allow from None
</Directory>

Anyway, the update is in the queue. Nobody knows how broken the configuration
of some Fedora/EPEL users is ;-)
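An added check for the two advisory conditions (register_globals on, and the /libraries access rule not applied); this is example code written for this page, not part of phpMyAdmin or the Fedora package. It inspects the httpd.conf-level <Directory> block from the comment above, which does not depend on AllowOverride the way the shipped .htaccess does, and assumes Apache 2.2 access-control syntax (with Require all denied accepted for 2.4). Sample inputs are constructed.

```python
import re

# Constructed sample inputs, not taken from a real system: a php.ini excerpt and
# the Apache <Directory> block quoted in this bug for /usr/share/phpMyAdmin/libraries.
PHP_INI_SAMPLE = """
; php.ini excerpt (constructed)
register_globals = On
display_errors = Off
"""

APACHE_CONF_SAMPLE = """
<Directory /usr/share/phpMyAdmin/libraries>
    Order Deny,Allow
    Deny from All
    Allow from None
</Directory>
"""

def register_globals_enabled(ini_text):
    """True if the php.ini text turns register_globals on (On/1/True/Yes count as on)."""
    for raw in ini_text.splitlines():
        line = raw.split(";", 1)[0].strip()          # drop ';' comments
        m = re.match(r'register_globals\s*=\s*"?(\w*)"?', line, re.I)
        if m:
            return m.group(1).lower() in ("on", "1", "true", "yes")
    return False  # PHP's compiled-in default since 4.2 is Off

def libraries_denied(apache_conf, path="/usr/share/phpMyAdmin/libraries"):
    """True if some <Directory path> block denies all HTTP access.

    Heuristic: 'Deny from All' with no broader 'Allow from' (Apache 2.2), or
    'Require all denied' (Apache 2.4). Only blocks naming `path` are considered.
    """
    block = re.compile(r'<Directory\s+"?%s/?"?\s*>(.*?)</Directory>' % re.escape(path),
                       re.S | re.I)
    for body in block.findall(apache_conf):
        d = [ln.strip().lower() for ln in body.splitlines() if ln.strip()]
        deny_all = "deny from all" in d or "require all denied" in d
        allow_open = any(ln.startswith("allow from") and ln != "allow from none" for ln in d)
        if deny_all and not allow_open:
            return True
    return False

def pmasa_2008_4_exposed(ini_text, apache_conf):
    """Per the advisory, both conditions must hold for the XSS to be reachable."""
    return register_globals_enabled(ini_text) and not libraries_denied(apache_conf)

if __name__ == "__main__":
    print("register_globals on:", register_globals_enabled(PHP_INI_SAMPLE))
    print("libraries/ denied:  ", libraries_denied(APACHE_CONF_SAMPLE))
    print("exposed:            ", pmasa_2008_4_exposed(PHP_INI_SAMPLE, APACHE_CONF_SAMPLE))
```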
Comment 8 Tomas Hoger 2008-06-23 14:47:43 EDT
Ah, sorry, my bad, missed that one.
Comment 9 Fedora Update System 2008-06-24 22:50:01 EDT
phpMyAdmin-2.11.7-1.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 10 Fedora Update System 2008-06-24 22:53:26 EDT
phpMyAdmin-2.11.7-1.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 11 Tomas Hoger 2008-07-03 05:26:59 EDT
CVE-2008-2960:

Cross-site scripting (XSS) vulnerability in phpMyAdmin before 2.11.7,
when register_globals is enabled and .htaccess support is disabled,
allows remote attackers to inject arbitrary web script or HTML via
unspecified vectors involving scripts in libraries/.
Comment 12 Robert Scheck 2008-07-07 15:06:53 EDT
*** Bug 454333 has been marked as a duplicate of this bug. ***