Bug 22263

Summary: phpmyadmin new security issue PMASA-2017-9 (CVE-2017-1000499)
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: critical    
Priority: Normal CC: lewyssmith, sysadmin-bugs
Version: 6Keywords: advisory, has_procedure, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: M6-64-OK
Source RPM: phpmyadmin-4.7.1-1.mga6.src.rpm CVE:
Status comment:

Description David Walser 2017-12-24 18:27:46 CET 
Upstream has issued an advisory on December 20:
https://www.phpmyadmin.net/security/PMASA-2017-9/

phpMyAdmin 4.7.7 has been released on December 23, fixing this issue:
https://www.phpmyadmin.net/news/2017/12/23/phpmyadmin-477-released/

A CVE has not yet been issued.

Updated packages uploaded for Mageia 6 and Cauldron.

Advisory:
========================

Updated phpmyadmin package fixes security vulnerability:

Due to an XSRF/CSRF vulnerability in phpMyAdmin before 4.7.7, by deceiving a
user to click on a crafted URL, it is possible to perform harmful database
operations such as deleting records, dropping/truncating tables etc
(PMASA-2017-9).

The phpmyadmin package has been updated to version 4.7.7 to fix this issue
and other bugs.

Note that phpMyAdmin 4.4.x in Mageia 5 is no longer supported.  Users of the
phpmyadmin package should upgrade to Mageia 6.

References:
https://www.phpmyadmin.net/security/PMASA-2017-9/
https://www.phpmyadmin.net/files/4.7.2/
https://www.phpmyadmin.net/files/4.7.3/
https://www.phpmyadmin.net/files/4.7.4/
https://www.phpmyadmin.net/files/4.7.5/
https://www.phpmyadmin.net/files/4.7.6/
https://www.phpmyadmin.net/files/4.7.7/
https://www.phpmyadmin.net/news/2017/12/23/phpmyadmin-477-released/
========================

Updated packages in core/updates_testing:
========================
phpmyadmin-4.7.7-1.mga6

from phpmyadmin-4.7.7-1.mga6.src.rpm
Comment 1 David Walser 2017-12-24 18:28:02 CET 
Testing procedure:
https://bugs.mageia.org/show_bug.cgi?id=12834#c7
https://bugs.mageia.org/show_bug.cgi?id=14208#c6

Keywords: (none) => has_procedure

Comment 2 Lewis Smith 2017-12-24 20:18:23 CET 
The test procedures noted above basically say:
 Create a user, database, table(s) etc.
 Delete same.

Advisory uploaded, no CVE - as noted.
Was going to test this, but the update is not yet visible.

Keywords: (none) => advisory

Comment 3 Lewis Smith 2017-12-26 11:27:02 CET 
Trying M6/64: phpmyadmin-4.7.7-1.mga6 with: mariadb-10.1.29-2.mga6

This should be easy! But I *cannot* get past the user password rules when creating a new user, either with phpMyAdmin:
 " #1819 - Your password does not satisfy the current policy requirements"

nor from the comand line (so the problem is NOT phpMyAdmin related):
 $ mysql -u root -p
Enter password: 
...
MariaDB [(none)]> CREATE USER 'testuser'@'%' IDENTIFIED BY '123Password-_';
ERROR 1819 (HY000): Your password does not satisfy the current policy requirements

The 'policy requirements' are: "When first installed, a password is required to be at least eight characters, and requires at least one digit, one uppercase character, one lowercase character, and one character that is neither a digit nor a letter."
This is for "simple_password_check is a password validation plugin. It can check whether a password contains at least a certain number of characters of a specific type."
Flushing privilages between attempts changed nothing.
----------------------------------------------------
Testing M6/64

Logging in as root, I deleted existing tables, then their host database.
I then created a new database, one table with 4 different colmumns, the first UNIQUE, then tried making that the PRIMARY key. I added 4 rows (two of which necessitated editing the proposed SQL) whose contents I was able to edit. Deleted individually a couple of rows, then the table, then the database.

By-passing the User password problem, this is good for OK.
Because this is 64-bit M6 only, validating it also.

Keywords: (none) => validated_update
Whiteboard: (none) => M6-64-OK
CC: (none) => lewyssmith, sysadmin-bugs

Comment 4 Mageia Robot 2017-12-28 14:18:04 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2017-0471.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

David Walser 2018-02-24 23:16:42 CET

Summary: phpmyadmin new security issue PMASA-2017-9 => phpmyadmin new security issue PMASA-2017-9 (CVE-2017-1000499)