Debian Bug report logs - #335306
CVE-2005-3300: Local file inclusion vulnerability

version graph

Package: phpmyadmin; Maintainer for phpmyadmin is Thijs Kinkhorst <thijs@debian.org>; Source for phpmyadmin is src:phpmyadmin.

Reported by: 4:2.6.2-3

Date: Sun, 23 Oct 2005 09:48:08 UTC

Severity: grave

Tags: fixed, sarge, security

Found in version phpmyadmin/4:2.6.2-3

Fixed in versions phpmyadmin/4:2.6.4-pl3-1, 4:2.6.2-3sarge1

Done: Thijs Kinkhorst <thijs@debian.org>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, Piotr Roszatycki <dexter@debian.org>:
Bug#335306; Package phpmyadmin. Full text and rfc822 format available.

Acknowledgement sent to Florian Weimer <fw@deneb.enyo.de>:
New Bug report received and forwarded. Copy sent to Piotr Roszatycki <dexter@debian.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Florian Weimer <fw@deneb.enyo.de>
To: submit@bugs.debian.org
Subject: Yet another local file inclusion vulnerability
Date: Sun, 23 Oct 2005 11:37:39 +0200
Package: phpmyadmin
Tags: security
Severity: grave

This one seems to be different from the vulnerability mentioned in
Debian bug #333433.

From: Stefan Esser <sesser@hardened-php.net>
Subject: [Full-disclosure] Advisory 16/2005: phpMyAdmin Local File Inclusion
	Vulnerability
To: full-disclosure@lists.grok.org.uk, bugtraq@securityfocus.com
Date: Sat, 22 Oct 2005 15:33:46 +0200
Message-ID: <20051022133346.GA7506@hardened-php.net>


                        Hardened-PHP Project
                        www.hardened-php.net

                      -= Security  Advisory =-



     Advisory: phpMyAdmin Local File Inclusion Vulnerability
 Release Date: 2005/10/22
Last Modified: 2005/10/22
       Author: Stefan Esser [sesser@hardened-php.net]

  Application: phpMyAdmin <= 2.6.4-pl2
     Severity: A design flaw within phpMyAdmin allows inclusion
               of arbitrary files, which usually leads to remote
    	       code execution
         Risk: Critical
Vendor Status: Vendor has released an updated version
   References: http://www.hardened-php.net/advisory_162005.73.html

[...]



Information forwarded to debian-bugs-dist@lists.debian.org, Piotr Roszatycki <dexter@debian.org>:
Bug#335306; Package phpmyadmin. Full text and rfc822 format available.

Acknowledgement sent to Florian Weimer <fw@deneb.enyo.de>:
Extra info received and forwarded to list. Copy sent to Piotr Roszatycki <dexter@debian.org>. Full text and rfc822 format available.

Message #10 received at 335306@bugs.debian.org (full text, mbox):

From: Florian Weimer <fw@deneb.enyo.de>
To: 335306@bugs.debian.org
Subject: CVE assignment
Date: Mon, 24 Oct 2005 11:23:56 +0200
The CVE project has assigned the name CVE-2005-3300 to this
vulnerability.  Please mention it in the changelog when uploading
fixed packages.



Reply sent to Piotr Roszatycki <dexter@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Florian Weimer <fw@deneb.enyo.de>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #15 received at 335306-close@bugs.debian.org (full text, mbox):

From: Piotr Roszatycki <dexter@debian.org>
To: 335306-close@bugs.debian.org
Subject: Bug#335306: fixed in phpmyadmin 4:2.6.4-pl3-1
Date: Mon, 24 Oct 2005 13:32:58 -0700
Source: phpmyadmin
Source-Version: 4:2.6.4-pl3-1

We believe that the bug you reported is fixed in the latest version of
phpmyadmin, which is due to be installed in the Debian FTP archive:

phpmyadmin_2.6.4-pl3-1.diff.gz
  to pool/main/p/phpmyadmin/phpmyadmin_2.6.4-pl3-1.diff.gz
phpmyadmin_2.6.4-pl3-1.dsc
  to pool/main/p/phpmyadmin/phpmyadmin_2.6.4-pl3-1.dsc
phpmyadmin_2.6.4-pl3-1_all.deb
  to pool/main/p/phpmyadmin/phpmyadmin_2.6.4-pl3-1_all.deb
phpmyadmin_2.6.4-pl3.orig.tar.gz
  to pool/main/p/phpmyadmin/phpmyadmin_2.6.4-pl3.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 335306@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Piotr Roszatycki <dexter@debian.org> (supplier of updated phpmyadmin package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Mon, 24 Oct 2005 20:14:08 +0200
Source: phpmyadmin
Binary: phpmyadmin
Architecture: source all
Version: 4:2.6.4-pl3-1
Distribution: unstable
Urgency: high
Maintainer: Piotr Roszatycki <dexter@debian.org>
Changed-By: Piotr Roszatycki <dexter@debian.org>
Description: 
 phpmyadmin - set of PHP-scripts to administrate MySQL over the WWW
Closes: 335306 335513
Changes: 
 phpmyadmin (4:2.6.4-pl3-1) unstable; urgency=high
 .
   * New upstream release.
   * Security fix: (1) Local file inclusion vulnerability and (2) Cross-Site
     Scripting vulnerability.
     See http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3300
     See http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3301
     Closes: #335306, #335513.
   * Assigned CVE number for 4:2.6.4-pl2-1 bug fix.
Files: 
 b76157341450a63bbcbbbfa833f0e970 646 web extra phpmyadmin_2.6.4-pl3-1.dsc
 69cc488cb259a5b6f2bd83c95d1b94d2 2777834 web extra phpmyadmin_2.6.4-pl3.orig.tar.gz
 9fcb9225e9ee4a0fe67960deef9366dd 30725 web extra phpmyadmin_2.6.4-pl3-1.diff.gz
 3a0d95dba07006c4f6d89b0365bd6367 2923084 web extra phpmyadmin_2.6.4-pl3-1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

iD8DBQFDXSrfhMHHe8CxClsRAudZAJ472YLaoGzJ9sT5pd787J4wutUfWQCg0SbX
jjJYiOWdfPwgoRzFV9hDOo0=
=m/Yg
-----END PGP SIGNATURE-----




Bug reopened, originator not changed. Request was from Piotr Roszatycki <Piotr_Roszatycki@netia.net.pl> to control@bugs.debian.org. Full text and rfc822 format available.

Bug marked as found in version 4:2.6.2-3. Request was from Piotr Roszatycki <Piotr_Roszatycki@netia.net.pl> to control@bugs.debian.org. Full text and rfc822 format available.

Tags added: sarge Request was from Piotr Roszatycki <Piotr_Roszatycki@netia.net.pl> to control@bugs.debian.org. Full text and rfc822 format available.

Bug marked as fixed in version 4:2.6.4-pl3-1, send any further explanations to Florian Weimer <fw@deneb.enyo.de> Request was from Filipus Klutiero <ido@vif.com> to control@bugs.debian.org. Full text and rfc822 format available.

Bug reopened, originator set to 4:2.6.2-3. Request was from Piotr Roszatycki <Piotr_Roszatycki@netia.net.pl> to control@bugs.debian.org. Full text and rfc822 format available.

Changed Bug title. Request was from Piotr Roszatycki <Piotr_Roszatycki@netia.net.pl> to control@bugs.debian.org. Full text and rfc822 format available.

Bug marked as fixed in version 4:2.6.4-pl3-1, send any further explanations to 4:2.6.2-3 Request was from Piotr Roszatycki <Piotr_Roszatycki@netia.net.pl> to control@bugs.debian.org. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Piotr Roszatycki <dexter@debian.org>:
Bug#335306; Package phpmyadmin. Full text and rfc822 format available.

Acknowledgement sent to Piotr Roszatycki <Piotr_Roszatycki@netia.net.pl>:
Extra info received and forwarded to list. Copy sent to Piotr Roszatycki <dexter@debian.org>. Full text and rfc822 format available.

Message #34 received at 335306@bugs.debian.org (full text, mbox):

From: Piotr Roszatycki <Piotr_Roszatycki@netia.net.pl>
To: 335306@bugs.debian.org
Subject: CVE-2005-3300: phpMyAdmin: including arbitrary files by using direct requests to library scripts
Date: Fri, 28 Oct 2005 15:33:46 +0200
[Message part 1 (text/plain, inline)]
The patch for sarge, also fixes CVE-2005-3301 and  CAN-2005-2869.

-- 
 .''`.    Piotr Roszatycki, Netia SA
: :' :    mailto:Piotr_Roszatycki@netia.net.pl
`. `'     mailto:dexter@debian.org
  `-
[phpmyadmin_2.6.2-3sarge1.diff (text/x-diff, attachment)]
[Message part 3 (application/pgp-signature, inline)]

Tags added: fixed Request was from Noah Meyerhans <noahm@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Tags added: fixed Request was from Noah Meyerhans <noahm@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Bug marked as fixed in version 4:2.6.2-3sarge1, send any further explanations to 4:2.6.2-3 Request was from Thijs Kinkhorst <thijs@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 24 Jun 2007 11:25:54 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 24 07:07:39 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.