| Summary: | phpmyadmin new security issue CVE-2014-7217 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | oe, patr_and, rverschelde, sysadmin-bugs, wrw105 |
| Version: | 4 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | i586 | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/614817/ | ||
| Whiteboard: | MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-64-ok MGA4-32-OK advisory | ||
| Source RPM: | phpmyadmin-4.1.14.4-1.mga4.src.rpm | CVE: | |
| Status comment: | |||
|
Description
David Walser
2014-10-01 17:24:12 CEST
David Walser
2014-10-01 17:24:31 CEST
Whiteboard:
MGA3TOO =>
MGA3TOO has_procedure Tested mga4 64 Created user and database, set up table and entered a data point checked table and data point, removed user and database. All behaved as expected. CC:
(none) =>
wrw105 Testing complete mga3 64 Similar to Bill. The update caused httpd segfaults until httpd was restarted rather than the reload it gets when updating. We've seen this before IINM and decided there was nothing we could do about it. Whiteboard:
MGA3TOO has_procedure mga4-64-ok =>
MGA3TOO has_procedure mga3-64-ok mga4-64-ok Nothing we can do unless we can figure out what's causing it and fix that. For instance, having php-opcache enabled will cause this issue, but there's isn't a fix for it yet, so you just have to disable it. I'm not specifically aware of other causes for this issue, but it's possible there's another one. More detailed procedure:
========================
To use phpMyAdmin you need to have mariadb installed and to know the MySQL root password (not that it differs from your Mageia root password). If you don't have mariadb installed and configured, go to (A). If you don't remember the MySQL root password, go to (B). If you're fine, go to (C).
(A) Installing MySQL
0. If you decided to reinstall MySQL, uninstall mariadb and delete /var/lib/mysql and /etc/my.cfg
1. Install mariadb
2. Run the mysqld service with:
# systemctl start mysqld
3. Define a MySQL root password with:
# mysqladmin password
4. Go to (C) to test phpMyAdmin
(B) Reset MySQL root password
1. Stop the mysql service:
# systemctl stop mysqld
2. Start MySQL without password authentication:
# mysqld_safe --skip-grant-tables &
3. Connect to the MySQL server as root user:
# mysql -u root mysql
4. Run the following commands with your chosen password instead of "MyNewPass".
Note that mysql> is just the MySQL prompt, you should not type it.
mysql> use mysql;
mysql> UPDATE mysql.user SET Password=PASSWORD('MyNewPass') WHERE User='root';
mysql> FLUSH PRIVILEGES;
mysql> exit
5. Stop the safe-mode MySQL and start the normal one again
# mysqladmin shutdown
# systemctl start mysqld
4. Go to (C) to test phpMyAdmin
(C) Testing phpMyAdmin
1. Install phpmyadmin
2. Browse to http://localhost/phpmyadmin
3. Log in as MySQL root user with your now known password
4. Create a user: in the banner menu click "Users" and then "Add a user"
Set the username and password, and tick the box to create a database
named like the user on which the user has all privileges
5. In the left hand-side menu, click on your new database, and create a table.
6. Delete the user and the associated database
7. Log out
(In reply to Oden Eriksson from comment #5) > http://www.phpmyadmin.net/home_page/security/PMASA-2014-11.php Thanks Oden. It's about time they posted it. I kept checking for it. Advisory: ======================== Updated phpmyadmin package fixes security vulnerability: In phpMyAdmin before 4.1.14.4, with a crafted ENUM value it is possible to trigger an XSS in table search and table structure pages (CVE-2014-7217). References: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7217 http://www.phpmyadmin.net/home_page/security/PMASA-2014-11.php Summary:
phpmyadmin new security issues fixed in 4.1.14.5 =>
phpmyadmin new security issue CVE-2014-7217 Test with phpmyadmin 4.1.14.5-1.mga4 Create a user, a table, delete, all OK. CC:
(none) =>
patr_and
Patrice ANDREANI
2014-10-03 16:14:05 CEST
Whiteboard:
MGA3TOO has_procedure mga3-64-ok mga4-64-ok =>
MGA3TOO has_procedure mga3-64-ok mga4-64-ok MGA4-32-OK Actually I did not realise but I tested mga3 32bit when writing the procedure :-P CC:
(none) =>
remi
David Walser
2014-10-03 18:56:52 CEST
URL:
(none) =>
http://lwn.net/Vulnerabilities/614817/ @David: Should I ask the lwn.net link to the advisory? Keywords:
(none) =>
validated_update (In reply to Rémi Verschelde from comment #11) > @David: Should I ask the lwn.net link to the advisory? No. Of course I meant "should I add" but I see you understood :-) Validated. I couldn't upload the advisory yet because mgaadv is broken on cauldron :-/ Whiteboard:
MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-64-ok MGA4-32-OK advisory =>
MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-64-ok MGA4-32-OK Actually I copied and edited another advisory. Whiteboard:
MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-64-ok MGA4-32-OK =>
MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-64-ok MGA4-32-OK advisory An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2014-0402.html Status:
NEW =>
RESOLVED |