Bug 9755

Summary: phpmyadmin - Reflected XSS in phpMyAdmin 3.5.7 (CVE-2013-1937)
Product: Mageia Reporter: Oden Eriksson <oe>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: lists.jjorge, luigiwalser, sysadmin-bugs, tmb
Version: 2Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/547524/
Whiteboard: has_procedure mga2-64-ok mga3-32-ok
Source RPM: phpmyadmin-3.5.3-2.1.mga2.src.rpm CVE:
Status comment:

Description Oden Eriksson 2013-04-16 16:11:15 CEST 
Name: CVE-2013-1937
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1937
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130219
Category: 
Reference: FULLDISC:20130409 [waraxe-2013-SA#102] - Reflected XSS in phpMyAdmin
3.5.7
Reference:
URL:http://archives.neohapsis.com/archives/fulldisclosure/2013-04/0101.html
Reference: MLIST:[oss-security] 20130409 Re: CVE Request: Self-XSS in
phpmyadmin fixed in 3.5.8
Reference: URL:http://openwall.com/lists/oss-security/2013/04/09/13
Reference:
MISC:http://packetstormsecurity.com/files/121205/phpMyAdmin-3.5.7-Cross-Site-Scripting.html
Reference: MISC:http://www.waraxe.us/advisory-102.html
Reference:
CONFIRM:https://github.com/phpmyadmin/phpmyadmin/commit/79089c9bc02c82c15419fd9d6496b8781ae08a5a

Multiple cross-site scripting (XSS) vulnerabilities in
tbl_gis_visualization.php in phpMyAdmin 3.5.x before 3.5.8 might allow
remote attackers to inject arbitrary web script or HTML via the (1)
visualizationSettings[width] or (2) visualizationSettings[height]
parameter.


Reproducible: 

Steps to Reproduce:
Comment 1 Oden Eriksson 2013-04-16 16:13:11 CEST 
phpmyadmin-3.5.8-0.1.mga2.src.rpm has been put in mga2 core/updates_testing.
The same version would have to be pushed in cauldron.

Packages for MBS1 has been tested and pushed:

http://www.mandriva.com/en/support/security/advisories/mbs1/MDVSA-2013:144/
Comment 2 David Walser 2013-04-16 16:47:59 CEST 
It has not been committed in Cauldron SVN yet, so assigning the maintainer.

The Mageia 2 update candidate should use release tag 1 with no subrel.

CC: (none) => luigiwalser
Assignee: bugsquad => lists.jjorge

Comment 3 José Jorge 2013-04-16 18:35:00 CEST 
Thanks, it is in cauldron now.
Comment 4 David Walser 2013-04-16 20:03:32 CEST 
Thanks José.  Now the release tag needs fixed for the Mageia 2 update.

Summary: CVE-2013-1937: phpmyadmin - Reflected XSS in phpMyAdmin 3.5.7 => phpmyadmin - Reflected XSS in phpMyAdmin 3.5.7 (CVE-2013-1937)

Comment 5 David Walser 2013-04-17 16:49:58 CEST 
Updated package uploaded for Mageia 2 by Oden.  Thanks Oden.

Advisory:
========================

Updated phpmyadmin package fixes security vulnerability:

Multiple cross-site scripting (XSS) vulnerabilities in
tbl_gis_visualization.php in phpMyAdmin 3.5.x before 3.5.8 might allow
remote attackers to inject arbitrary web script or HTML via the (1)
visualizationSettings[width] or (2) visualizationSettings[height]
parameter (CVE-2013-1937).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1937
http://www.mandriva.com/en/support/security/advisories/mbs1/MDVSA-2013:144/
========================

Updated packages in core/updates_testing:
========================
phpmyadmin-3.5.8-1.mga2

from phpmyadmin-3.5.8-1.mga2.src.rpm

CC: (none) => lists.jjorge
Assignee: lists.jjorge => qa-bugs

Comment 6 claire robinson 2013-04-17 17:23:16 CEST 
PoC's: From http://www.waraxe.us/advisory-102.html

Tests (parameters "db" and "token" must be valid):

http://localhost/PMA/tbl_gis_visualization.php?db=information_schema&
token=17961b7ab247b6d2b39d730bf336cebb&
visualizationSettings[width]="><script>alert(123);</script>

http://localhost/PMA/tbl_gis_visualization.php?db=information_schema&
token=17961b7ab247b6d2b39d730bf336cebb
&visualizationSettings[height]="><script>alert(123);</script>


Result: javascript alert box pops up, confirming Reflected XSS vulnerability.
Comment 7 claire robinson 2013-04-17 17:36:21 CEST 
Testing complete mga2 64

Confirmed PoC

http://localhost/phpmyadmin/tbl_gis_visualization.php?db=information_schema&token=17961b7ab247b6d2b39d730bf336cebb&visualizationSettings[width]=%22%3E%3Cscript%3Ealert%28123%29;%3C/script%3E

changing the token=....& to whatever the token is set to in the url once logged in to phpmyadmin.

Confirmed fixed after update.

Whiteboard: (none) => has_procedure mga2-64-ok

David Walser 2013-04-17 20:26:44 CEST

URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1937 => http://lwn.net/Vulnerabilities/547524/

Comment 8 claire robinson 2013-04-17 21:11:09 CEST 
Testing complete mga2 32

Validating

Advisory and srpm in comment 5

Could sysadmin please push from core/updates_testing to core/updates

Thanks!

Keywords: (none) => validated_update
Whiteboard: has_procedure mga2-64-ok => has_procedure mga2-64-ok mga3-32-ok
CC: (none) => sysadmin-bugs

Comment 9 Thomas Backlund 2013-04-18 00:32:57 CEST 
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0122

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED