Bug 10872 - phpmyadmin new security issues fixed in 4.0.4.2 and 3.5.8.2
Summary: phpmyadmin new security issues fixed in 4.0.4.2 and 3.5.8.2
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 3
Hardware: i586 Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/561441/
Whiteboard: MGA2TOO mga2-32-ok mga2-64-ok mga3-64...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2013-07-29 01:34 CEST by David Walser
Modified: 2014-05-08 18:05 CEST (History)

See Also:
Source RPM: phpmyadmin-4.0.4.1-1.mga4.src.rpm
CVE:
Status comment:


Attachments

David Walser 2013-07-29 01:34:50 CEST

CC: (none) => oe
Whiteboard: (none) => MGA3TOO, MGA2TOO

Comment 1 Oden Eriksson 2013-07-29 08:57:53 CEST
phpmyadmin-3.5.8.2-1.mga* has been submitted to core/updates_testing for mga2, mga3 and phpmyadmin-4.0.4.2-1.mga4 has been submitted to cauldron.
Comment 2 David Walser 2013-07-29 12:39:37 CEST
Thanks Oden!

Assigning to QA.  Advisory to come.

CC: (none) => lists.jjorge
Version: Cauldron => 3
Assignee: lists.jjorge => qa-bugs
Whiteboard: MGA3TOO, MGA2TOO => MGA2TOO

Comment 3 David Walser 2013-07-29 14:15:39 CEST
No CVEs are noted on the upstream advisories.  Perhaps they'll be added later.  We can update this if so.

Advisory:
========================

Updated phpmyadmin packages fix security vulnerabilities:

Using a crafted SQL query, it was possible to produce an XSS on the SQL query
form (PMASA-2013-8).

In the setup/index.php, using a crafted # hash with a Javascript event,
untrusted JS code could be executed. In the Display chart view, a chart title
containing HTML code was rendered unescaped, leading to possible JavaScript
code execution via events. A malicious user with permission to create
databases or users having HTML tags in their name could trigger an XSS
vulnerability by issuing a sleep query with a long delay. In the server
status monitor, the query parameters were shown unescaped. By configuring a
malicious URL for the phpMyAdmin logo link in the navigation sidebar,
untrusted script code could be executed when a user clicked the logo.
The setup field for "List of trusted proxies for IP allow/deny" Ajax
validation code returned the unescaped input on errors, leading to possible
JavaScript execution by entering arbitrary HTML (PMASA-2013-9).

Due to improper validation of the version.json file, which is fetched from
the phpMyAdmin.net website, an XSS attack was possible if a crafted
version.json file was presented (PMASA-2013-11).

By calling some scripts that are part of phpMyAdmin in an unexpected way, it
is possible to trigger phpMyAdmin to display a PHP error message which
contains the full path of the directory where phpMyAdmin is installed
(PMASA-2013-12).

When calling schema_export.php with crafted parameters, it is possible to
trigger an XSS (PMASA-2013-14).

Due to a missing validation of parameters passed to schema_export.php and
pmd_pdf.php, it was possible to inject SQL statements that would run with the
privileges of the control user. This gives read and write access to the
tables of the configuration storage database, and if the control user has the
necessary privileges, read access to some tables of the mysql database
(PMASA-2013-15).

References:
http://www.phpmyadmin.net/home_page/security/PMASA-2013-8.php
http://www.phpmyadmin.net/home_page/security/PMASA-2013-9.php
http://www.phpmyadmin.net/home_page/security/PMASA-2013-11.php
http://www.phpmyadmin.net/home_page/security/PMASA-2013-12.php
http://www.phpmyadmin.net/home_page/security/PMASA-2013-14.php
http://www.phpmyadmin.net/home_page/security/PMASA-2013-15.php
========================

Updated packages in core/updates_testing:
========================
phpmyadmin-3.5.8.2-1.mga2
phpmyadmin-3.5.8.2-1.mga3

from SRPMS:
phpmyadmin-3.5.8.2-1.mga2.src.rpm
phpmyadmin-3.5.8.2-1.mga3.src.rpm
Comment 4 claire robinson 2013-07-29 14:18:44 CEST
Testing complete mga2 64 & 32

From previous updates phpmyadmin appears to be the only rpm. Just testing it works.
Comment 5 claire robinson 2013-07-29 14:19:46 CEST
Mid-air collision :)

Whiteboard: MGA2TOO => MGA2TOO mga2-32-ok mga2-64-ok

Comment 6 claire robinson 2013-07-29 14:43:43 CEST
Testing complete mga3 64

Advisory uploaded.

Whiteboard: MGA2TOO mga2-32-ok mga2-64-ok => MGA2TOO mga2-32-ok mga2-64-ok mga3-64-ok

Comment 7 claire robinson 2013-07-29 14:56:18 CEST
Testing complete mga3 32

Validating. Advisory from comment 3 on svn.

Could sysadmin please push from 2 & 3 core/updates_testing to core/updates

Thanks!

Keywords: (none) => validated_update
Whiteboard: MGA2TOO mga2-32-ok mga2-64-ok mga3-64-ok => MGA2TOO mga2-32-ok mga2-64-ok mga3-64-ok mga3-32-ok
CC: (none) => sysadmin-bugs

Comment 8 Thomas Backlund 2013-07-29 16:06:51 CEST
Update pushed:
http://advisories.mageia.org/MGASA-2013-0238.html

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED

David Walser 2013-07-29 19:43:22 CEST

URL: (none) => http://lwn.net/Vulnerabilities/561315/

Comment 9 Oden Eriksson 2013-07-30 10:28:50 CEST
http://www.openwall.com/lists/oss-security/2013/07/30/1

">* http://www.phpmyadmin.net/home_page/security/PMASA-2013-8.php

Use CVE-2013-4995.

As far as we can tell, this should be the only CVE needed for
PMASA-2013-8; however, this link gives us a 404 error:

  "The following commits have been made on the 3.5 branch to
  fix this issue: 51f343b91908d1b1bacaebe6db87c3d7aa522581"


>* http://www.phpmyadmin.net/home_page/security/PMASA-2013-9.php
>* http://www.phpmyadmin.net/home_page/security/PMASA-2013-11.php

Use CVE-2013-4996 for the PMASA-2013-9 XSS issues that affect both
3.5.x and 4.0.x, and for the PMASA-2013-11 XSS issue.

Use CVE-2013-4997 for the PMASA-2013-9 XSS issues that affect only
3.5.x. (We think this may be the first two issues, but the CVE is
assigned on the basis of affected versions, not the vulnerability
details.)

(We didn't notice any XSS issues that affected only 4.0.x.)


>* http://www.phpmyadmin.net/home_page/security/PMASA-2013-12.php

Use CVE-2013-4998 for the path-disclosure issues affecting both 3.5.x
and 4.0.x (approximately three affected files).

Use CVE-2013-4999 for the path-disclosure issues affecting only
version 4.0.x (approximately two affected files).

Use CVE-2013-5000 for the path-disclosure issues affecting only
version 3.5.x (several affected files).


>* http://www.phpmyadmin.net/home_page/security/PMASA-2013-13.php

Use CVE-2013-5001.


>* http://www.phpmyadmin.net/home_page/security/PMASA-2013-14.php

Use CVE-2013-5002.


>* http://www.phpmyadmin.net/home_page/security/PMASA-2013-15.php

Use CVE-2013-5003."
Comment 10 David Walser 2013-07-30 16:03:08 CEST
Here's Mandriva's advisory using the CVEs:
http://www.mandriva.com/en/support/security/advisories/mbs1/MDVSA-2013:203/
Comment 11 claire robinson 2013-07-30 17:57:24 CEST
Advisory updated, thank you. Could you check it please?
http://svnweb.mageia.org/advisories/10872.adv?view=markup
Comment 12 claire robinson 2013-07-30 18:00:18 CEST
Missed CVE-2013-4997, added now.
Comment 13 David Walser 2013-07-30 18:27:19 CEST
Thanks Claire, it looks correct to me.  You can actually just take out the PMASAs in the advisory text itself and replace them with the CVEs you added there.  We should also add the CVE links to the References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4995
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4996
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4997
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4998
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5000
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5002
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5003

It looks like Oden missed CVE-2013-4997 in the MDV advisory too, I wonder if there's a reason for that.

You could just replace all of the advisory text with what MDV used, since ours is a bit verbose at the moment.  It looks like CVE-2013-4997 would go with CVE-2013-4996.
Comment 14 claire robinson 2013-07-30 18:51:21 CEST
The CVE links are added automatically when it is pushed. I'm not sure whether it needs manual intervention to regenerate it once it has been pushed. Maybe Thomas or Nicolas could answer.

Are you able to access this part of svn, David? If not, then we should get you added to the QA group, or maybe extend it to the sec group as well.
Comment 15 Oden Eriksson 2013-07-30 20:38:49 CEST
======================================================
Name: CVE-2013-4995
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4995
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130729
Category: 
Reference: CONFIRM:http://www.phpmyadmin.net/home_page/security/PMASA-2013-8.php

Cross-site scripting (XSS) vulnerability in phpMyAdmin 3.5.x before
3.5.8.2 and 4.0.x before 4.0.4.2 allows remote authenticated users to
inject arbitrary web script or HTML via a crafted SQL query that is
not properly handled during the display of row information.



======================================================
Name: CVE-2013-4996
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4996
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130729
Category: 
Reference: CONFIRM:http://www.phpmyadmin.net/home_page/security/PMASA-2013-11.php
Reference: CONFIRM:http://www.phpmyadmin.net/home_page/security/PMASA-2013-9.php

Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin
3.5.x before 3.5.8.2 and 4.0.x before 4.0.4.2 allow remote attackers
to inject arbitrary web script or HTML via vectors involving (1) a
crafted database name, (2) a crafted user name, (3) a crafted logo URL
in the navigation panel, (4) a crafted entry in a certain proxy list,
or (5) crafted content in a version.json file.



======================================================
Name: CVE-2013-4997
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4997
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130729
Category: 
Reference: CONFIRM:http://www.phpmyadmin.net/home_page/security/PMASA-2013-9.php

Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin
3.5.x before 3.5.8.2 allow remote attackers to inject arbitrary web
script or HTML via vectors involving a JavaScript event in (1) an
anchor identifier to setup/index.php or (2) a chartTitle (aka chart
title) value.



======================================================
Name: CVE-2013-4998
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4998
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130729
Category: 
Reference: CONFIRM:http://www.phpmyadmin.net/home_page/security/PMASA-2013-12.php

phpMyAdmin 3.5.x before 3.5.8.2 and 4.0.x before 4.0.4.2 allows remote
attackers to obtain sensitive information via an invalid request,
which reveals the installation path in an error message, related to
pmd_common.php and other files.



======================================================
Name: CVE-2013-4999
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4999
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130729
Category: 
Reference: CONFIRM:http://www.phpmyadmin.net/home_page/security/PMASA-2013-12.php

phpMyAdmin 4.0.x before 4.0.4.2 allows remote attackers to obtain
sensitive information via an invalid request, which reveals the
installation path in an error message, related to Error.class.php and
Error_Handler.class.php.



======================================================
Name: CVE-2013-5000
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5000
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130729
Category: 
Reference: CONFIRM:http://www.phpmyadmin.net/home_page/security/PMASA-2013-12.php

phpMyAdmin 3.5.x before 3.5.8.2 allows remote attackers to obtain
sensitive information via an invalid request, which reveals the
installation path in an error message, related to config.default.php
and other files.



======================================================
Name: CVE-2013-5001
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5001
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130729
Category: 
Reference: CONFIRM:http://www.phpmyadmin.net/home_page/security/PMASA-2013-13.php

Cross-site scripting (XSS) vulnerability in
libraries/plugins/transformations/abstract/TextLinkTransformationsPlugin.class.php
in phpMyAdmin 4.0.x before 4.0.4.2 allows remote authenticated users
to inject arbitrary web script or HTML via a crafted object name
associated with a TextLinkTransformationPlugin link.



======================================================
Name: CVE-2013-5002
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5002
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130729
Category: 
Reference: CONFIRM:http://www.phpmyadmin.net/home_page/security/PMASA-2013-14.php

Cross-site scripting (XSS) vulnerability in
libraries/schema/Export_Relation_Schema.class.php in phpMyAdmin 3.5.x
before 3.5.8.2 and 4.0.x before 4.0.4.2 allows remote authenticated
users to inject arbitrary web script or HTML via a crafted pageNumber
value to schema_export.php.



======================================================
Name: CVE-2013-5003
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5003
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130729
Category: 
Reference: CONFIRM:http://www.phpmyadmin.net/home_page/security/PMASA-2013-15.php

Multiple SQL injection vulnerabilities in phpMyAdmin 3.5.x before
3.5.8.2 and 4.0.x before 4.0.4.2 allow remote authenticated users to
execute arbitrary SQL commands via (1) the scale parameter to
pmd_pdf.php or (2) the pdf_page_number parameter to schema_export.php.
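A defender-side check suggested by the CVE-2013-5002 and CVE-2013-5003 entries above, written as an added example that is not part of this bug report or of phpMyAdmin itself: it scans Apache combined-format access-log lines for requests to schema_export.php and pmd_pdf.php whose pageNumber, pdf_page_number or scale parameters are not plain integers, which is what a crafted value for those parameters would look like in a web server log. The log lines are constructed, and treating those three parameters as integer-only in normal use is an assumption.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample Apache combined-log lines (not taken from the bug report).
SAMPLE_LOG = """\
203.0.113.5 - - [30/Jul/2013:20:38:49 +0200] "GET /phpmyadmin/schema_export.php?db=test&pdf_page_number=1 HTTP/1.1" 200 4123
203.0.113.5 - - [30/Jul/2013:20:39:02 +0200] "GET /phpmyadmin/schema_export.php?db=test&pdf_page_number=1%27 HTTP/1.1" 200 312
198.51.100.7 - - [30/Jul/2013:20:40:11 +0200] "GET /phpmyadmin/pmd_pdf.php?db=test&scale=50 HTTP/1.1" 200 9001
198.51.100.7 - - [30/Jul/2013:20:40:15 +0200] "GET /phpmyadmin/pmd_pdf.php?db=test&scale=50x HTTP/1.1" 500 512
192.0.2.9 - - [30/Jul/2013:20:41:00 +0200] "GET /phpmyadmin/index.php HTTP/1.1" 200 2048
"""

# Scripts named in CVE-2013-5002/5003 (PMASA-2013-14/15) and the parameters
# that are assumed to be integers in legitimate use.
NUMERIC_PARAMS = {
    "schema_export.php": ("pdf_page_number", "pageNumber"),
    "pmd_pdf.php": ("scale",),
}

# Minimal parser for the Apache combined log format: client IP, timestamp,
# method, request target and status code are all we need here.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def suspicious_requests(log_text):
    """Return (ip, script, param, value) for each request to a watched script
    whose numeric-only parameter carries something other than an integer."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        script = url.path.rsplit("/", 1)[-1]
        if script not in NUMERIC_PARAMS:
            continue
        # parse_qs percent-decodes values, so %27 is seen as a literal quote.
        params = parse_qs(url.query, keep_blank_values=True)
        for name in NUMERIC_PARAMS[script]:
            for value in params.get(name, []):
                if not re.fullmatch(r"-?\d+", value):
                    hits.append((m.group("ip"), script, name, value))
    return hits

if __name__ == "__main__":
    for ip, script, name, value in suspicious_requests(SAMPLE_LOG):
        print(f"{ip} -> {script} {name}={value!r}")
```

Requests with a well-formed integer are ignored, so on the sample above only the two malformed values (a trailing quote and a trailing letter) are reported.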
Comment 16 Oden Eriksson 2013-07-30 20:39:32 CEST
(In reply to David Walser from comment #13)

> It looks like Oden missed CVE-2013-4997 in the MDV advisory too, I wonder if
> there's a reason for that.

I missed that one. Will fix soonish.
Comment 17 Nicolas Vigier 2013-07-30 22:51:34 CEST
(In reply to claire robinson from comment #14)
> The CVE links are added automatically when it is pushed. I'm not sure
> whether it needs manual intervention to regenerate it once it has been
> pushed. Maybe Thomas or Nicolas could answer.

Yes, it is regenerated every 10 minutes.

> 
> Are you able to access this part of svn David, if not then we should get you
> added to QA group or extend it the sec group aswell maybe.

All packagers can commit to the advisories svn repository too.

CC: (none) => boklm

David Walser 2013-07-31 00:28:31 CEST

URL: http://lwn.net/Vulnerabilities/561315/ => http://lwn.net/Vulnerabilities/561441/

Nicolas Vigier 2014-05-08 18:05:22 CEST

CC: boklm => (none)

