Debian Bug report logs - #362567
CVE-2006-1678: Multiple cross-site scripting (XSS) vulnerabilities

version graph

Package: phpmyadmin; Maintainer for phpmyadmin is Thijs Kinkhorst <thijs@debian.org>; Source for phpmyadmin is src:phpmyadmin.

Reported by: Stefan Fritsch <sf@sfritsch.de>

Date: Fri, 14 Apr 2006 09:03:09 UTC

Severity: important

Tags: sarge, security

Fixed in version phpmyadmin/4:2.8.0.3-1

Done: Piotr Roszatycki <dexter@debian.org>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Piotr Roszatycki <dexter@debian.org>:
Bug#362567; Package phpmyadmin. Full text and rfc822 format available.

Acknowledgement sent to Stefan Fritsch <sf@sfritsch.de>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Piotr Roszatycki <dexter@debian.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Stefan Fritsch <sf@sfritsch.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2006-1678: Multiple cross-site scripting (XSS) vulnerabilities
Date: Fri, 14 Apr 2006 10:53:39 +0200
Package: phpmyadmin
Severity: grave
Tags: security

CVE-2006-1678:
Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin
before 2.8.0.3 allow remote attackers to inject arbitrary web script
or HTML via unknown vectors in unspecified scripts in the themes
directory.

Please mention the CVE id in the changelog.



Information forwarded to debian-bugs-dist@lists.debian.org, Piotr Roszatycki <dexter@debian.org>:
Bug#362567; Package phpmyadmin. Full text and rfc822 format available.

Acknowledgement sent to Piotr Roszatycki <dexter@n1.pl>:
Extra info received and forwarded to list. Copy sent to Piotr Roszatycki <dexter@debian.org>. Full text and rfc822 format available.

Message #10 received at 362567@bugs.debian.org (full text, mbox):

From: Piotr Roszatycki <dexter@n1.pl>
To: Stefan Fritsch <sf@sfritsch.de>, 362567@bugs.debian.org
Cc: control@bugs.debian.org
Subject: Re: Bug#362567: CVE-2006-1678: Multiple cross-site scripting (XSS) vulnerabilities
Date: Fri, 14 Apr 2006 13:41:10 +0200
severity 362567 important
thanks

I'm lowering the bug severity, because it is not exploitable if 
register_globals are disabled and it is the default configuration for Debian.

On Friday 14 April 2006 10:53, Stefan Fritsch wrote: 
> Package: phpmyadmin
> Severity: grave
> Tags: security
>
> CVE-2006-1678:
> Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin
> before 2.8.0.3 allow remote attackers to inject arbitrary web script
> or HTML via unknown vectors in unspecified scripts in the themes
> directory.
>
> Please mention the CVE id in the changelog.

-- 
 .''`.    Piotr Roszatycki
: :' :    mailto:dexter@n1.pl
`. `'     mailto:dexter@debian.org
  `-



Severity set to `important'. Request was from Piotr Roszatycki <dexter@n1.pl> to control@bugs.debian.org. Full text and rfc822 format available.

Tags added: sarge Request was from Piotr Roszatycki <dexter@n1.pl> to control@bugs.debian.org. Full text and rfc822 format available.

Reply sent to Piotr Roszatycki <dexter@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Stefan Fritsch <sf@sfritsch.de>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #19 received at 362567-close@bugs.debian.org (full text, mbox):

From: Piotr Roszatycki <dexter@debian.org>
To: 362567-close@bugs.debian.org
Subject: Bug#362567: fixed in phpmyadmin 4:2.8.0.3-1
Date: Fri, 14 Apr 2006 06:17:09 -0700
Source: phpmyadmin
Source-Version: 4:2.8.0.3-1

We believe that the bug you reported is fixed in the latest version of
phpmyadmin, which is due to be installed in the Debian FTP archive:

phpmyadmin_2.8.0.3-1.diff.gz
  to pool/main/p/phpmyadmin/phpmyadmin_2.8.0.3-1.diff.gz
phpmyadmin_2.8.0.3-1.dsc
  to pool/main/p/phpmyadmin/phpmyadmin_2.8.0.3-1.dsc
phpmyadmin_2.8.0.3-1_all.deb
  to pool/main/p/phpmyadmin/phpmyadmin_2.8.0.3-1_all.deb
phpmyadmin_2.8.0.3.orig.tar.gz
  to pool/main/p/phpmyadmin/phpmyadmin_2.8.0.3.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 362567@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Piotr Roszatycki <dexter@debian.org> (supplier of updated phpmyadmin package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Fri, 14 Apr 2006 14:47:28 +0200
Source: phpmyadmin
Binary: phpmyadmin
Architecture: source all
Version: 4:2.8.0.3-1
Distribution: unstable
Urgency: medium
Maintainer: Piotr Roszatycki <dexter@debian.org>
Changed-By: Piotr Roszatycki <dexter@debian.org>
Description: 
 phpmyadmin - set of PHP-scripts to administrate MySQL over the WWW
Closes: 362567
Changes: 
 phpmyadmin (4:2.8.0.3-1) unstable; urgency=medium
 .
   * New upstream release.
   * Security fix: XSS vulnerability (calling directly css files under themes)
     See: http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2006-1
     See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1678
     Closes: #362567.
Files: 
 ebfec12e5cae4d6e20282bf411e9b428 642 web extra phpmyadmin_2.8.0.3-1.dsc
 1ca0b652e39010d906e3ea3a02fb9d82 3453452 web extra phpmyadmin_2.8.0.3.orig.tar.gz
 890f804b5f80ae4d175eb33b4c9ac31b 37878 web extra phpmyadmin_2.8.0.3-1.diff.gz
 5d7a0b86c07f1b2212ed4bca9e9d1686 3621114 web extra phpmyadmin_2.8.0.3-1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)

iD8DBQFEP56qhMHHe8CxClsRAnJtAJ9sjr36TbNXhPrGoFkV/d80UCP9nQCbBCJE
0KQx6mKFl9gR14+yq0qjbbo=
=pa3B
-----END PGP SIGNATURE-----




Information forwarded to debian-bugs-dist@lists.debian.org, Piotr Roszatycki <dexter@debian.org>:
Bug#362567; Package phpmyadmin. Full text and rfc822 format available.

Acknowledgement sent to Thijs Kinkhorst <thijs@debian.org>:
Extra info received and forwarded to list. Copy sent to Piotr Roszatycki <dexter@debian.org>. Full text and rfc822 format available.

Message #24 received at 362567@bugs.debian.org (full text, mbox):

From: Thijs Kinkhorst <thijs@debian.org>
To: 339437@bugs.debian.org, 340438@bugs.debian.org, 362567@bugs.debian.org, 368082@bugs.debian.org
Cc: control@bugs.debian.org, team@security.debian.org
Subject: phpMyAdmin security vulnerabilities for sarge
Date: Thu, 03 Aug 2006 13:22:37 +0200
[Message part 1 (text/plain, inline)]
close 360726 4:2.6.2-3sarge1
thanks

Hello All,

I've checked out all open CVE's with respect to sarge. All are already
fixed in sid. I've prepared a package that fixes the ones that are
relevant. See the breakdown here:

> CVE-2005-3621   CRLF injection vulnerability in phpMyAdmin before 2.6.4-pl4 allows ...

Vulnerable, fixed in update.

> CVE-2005-3665   Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin ...

Vulnerable, fixed in update.

> CVE-2005-3787   Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin ...

This was all already fixed in 4:2.6.2-3sarge1.

> CVE-2006-1258   Cross-site scripting (XSS) vulnerability in phpMyAdmin 2.8.0.1 allows ...

Code not present in sarge - can be marked as not vulnerable.

> CVE-2006-1678   Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin ...

Vulnerable, fixed in update.

> CVE-2006-1803   Cross-site scripting (XSS) vulnerability in sql.php in phpMyAdmin ...

Can not reproduce and in suggested to be a false duplicate of
CVE-2006-1804. I'm considering this one to be not vulnerable in sarge.

> CVE-2006-1804   XSRF SQL injection vulnerability in sql.php in phpMyAdmin 2.7.0-pl1 allows ...

Our sarge version doesn't have the whole XSRF-countering-mechanism so
this requires major code overhauls to address. XSRF is very common in
webapps and not easily fixed; it's doubtful if it's at all fixable.

> CVE-2006-2031   Cross-site scripting (XSS) vulnerability in index.php in phpMyAdmin ...

Not vulnerable, code not present in sarge.

> CVE-2006-2417   Cross-site scripting (XSS) vulnerability in phpMyAdmin 2.8.0.x before ...

Not vulnerable, code not present in sarge.

> CVE-2006-2418   Cross-site scripting (XSS) vulnerabilities in certain versions of ...

Vulnerable, fixed in update.

> CVE-2006-3388   Cross-site scripting (XSS) vulnerability in phpMyAdmin before 2.8.2 ...

Not vulnerable, code not present in sarge.

I've prepared an updated package, it can be found here:
http://www.a-eskwadraat.nl/~kink/debian/

Please let me know if it's ok and I'll upload it to the security
archive.


Thijs
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Piotr Roszatycki <dexter@debian.org>:
Bug#362567; Package phpmyadmin. Full text and rfc822 format available.

Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Piotr Roszatycki <dexter@debian.org>. Full text and rfc822 format available.

Message #29 received at 362567@bugs.debian.org (full text, mbox):

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Thijs Kinkhorst <thijs@debian.org>
Cc: 339437@bugs.debian.org, 340438@bugs.debian.org, 362567@bugs.debian.org, 368082@bugs.debian.org, team@security.debian.org
Subject: Re: phpMyAdmin security vulnerabilities for sarge
Date: Mon, 7 Aug 2006 20:48:12 +0200
On Thu, Aug 03, 2006 at 01:22:37PM +0200, Thijs Kinkhorst wrote:
> close 360726 4:2.6.2-3sarge1
> thanks
> 
> Hello All,
> 
> I've checked out all open CVE's with respect to sarge. All are already
> fixed in sid. I've prepared a package that fixes the ones that are
> relevant. See the breakdown here:

Thanks a lot for your work.

> I've prepared an updated package, it can be found here:
> http://www.a-eskwadraat.nl/~kink/debian/
> 
> Please let me know if it's ok and I'll upload it to the security
> archive.

Please
- drop all po i18n updates
- fix indendation of the phpmyadmin-2.6.2/libraries/header_http.inc.php changes
  for CVE-2005-3621
- raise the version number to sarge3, we have an unsuitable sarge2 in the
  security queue (you couldn't know that and I forgot to tell you in advance,
  sorry)

The security fixes look all good.

Cheers,
        Moritz






Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 26 Jun 2007 08:12:00 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 05:42:34 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.