Upstream has issued several new advisories today (July 28):
http://www.phpmyadmin.net/home_page/security/PMASA-2013-8.php
http://www.phpmyadmin.net/home_page/security/PMASA-2013-9.php
http://www.phpmyadmin.net/home_page/security/PMASA-2013-11.php
http://www.phpmyadmin.net/home_page/security/PMASA-2013-12.php
http://www.phpmyadmin.net/home_page/security/PMASA-2013-13.php
http://www.phpmyadmin.net/home_page/security/PMASA-2013-14.php
http://www.phpmyadmin.net/home_page/security/PMASA-2013-15.php

These issues are fixed in 3.5.8.2 and 4.0.4.2:
http://www.phpmyadmin.net/home_page/news.php#phpMyAdmin_3.5.8.2_and_4.0.4.2_are_released
CC: (none) => oe
Whiteboard: (none) => MGA3TOO, MGA2TOO
phpmyadmin-3.5.8.2-1.mga* has been submitted to core/updates_testing for mga2, mga3 and phpmyadmin-4.0.4.2-1.mga4 has been submitted to cauldron.
Thanks Oden! Assigning to QA. Advisory to come.
CC: (none) => lists.jjorge
Version: Cauldron => 3
Assignee: lists.jjorge => qa-bugs
Whiteboard: MGA3TOO, MGA2TOO => MGA2TOO
No CVEs are noted on the upstream advisories. Perhaps they'll be added later. We can update this if so.

Advisory:
========================

Updated phpmyadmin packages fix security vulnerabilities:

Using a crafted SQL query, it was possible to produce an XSS on the SQL query form (PMASA-2013-8).

In the setup/index.php, using a crafted # hash with a Javascript event, untrusted JS code could be executed. In the Display chart view, a chart title containing HTML code was rendered unescaped, leading to possible JavaScript code execution via events. A malicious user with permission to create databases or users having HTML tags in their name, could trigger an XSS vulnerability by issuing a sleep query with a long delay. In the server status monitor, the query parameters were shown unescaped. By configuring a malicious URL for the phpMyAdmin logo link in the navigation sidebar, untrusted script code could be executed when a user clicked the logo. The setup field for "List of trusted proxies for IP allow/deny" Ajax validation code returned the unescaped input on errors, leading to possible JavaScript execution by entering arbitrary HTML (PMASA-2013-9).

Due to not properly validating the version.json file, which is fetched from the phpMyAdmin.net website, could lead to an XSS attack, if a crafted version.json file would be presented (PMASA-2013-11).

By calling some scripts that are part of phpMyAdmin in an unexpected way, it is possible to trigger phpMyAdmin to display a PHP error message which contains the full path of the directory where phpMyAdmin is installed (PMASA-2013-12).

When calling schema_export.php with crafted parameters, it is possible to trigger an XSS (PMASA-2013-14).

Due to a missing validation of parameters passed to schema_export.php and pmd_pdf.php, it was possible to inject SQL statements that would run with the privileges of the control user. This gives read and write access to the tables of the configuration storage database, and if the control user has the necessary privileges, read access to some tables of the mysql database (PMASA-2013-15).

References:
http://www.phpmyadmin.net/home_page/security/PMASA-2013-8.php
http://www.phpmyadmin.net/home_page/security/PMASA-2013-9.php
http://www.phpmyadmin.net/home_page/security/PMASA-2013-11.php
http://www.phpmyadmin.net/home_page/security/PMASA-2013-12.php
http://www.phpmyadmin.net/home_page/security/PMASA-2013-14.php
http://www.phpmyadmin.net/home_page/security/PMASA-2013-15.php
========================

Updated packages in core/updates_testing:
========================
phpmyadmin-3.5.8.2-1.mga2
phpmyadmin-3.5.8.2-1.mga3

from SRPMS:
phpmyadmin-3.5.8.2-1.mga2.src.rpm
phpmyadmin-3.5.8.2-1.mga3.src.rpm
Testing complete mga2 64 & 32

From previous updates phpmyadmin appears to be the only rpm. Just testing it works.
Mid air collision :)
Whiteboard: MGA2TOO => MGA2TOO mga2-32-ok mga2-64-ok
Testing complete mga3 64

Advisory uploaded.
Whiteboard: MGA2TOO mga2-32-ok mga2-64-ok => MGA2TOO mga2-32-ok mga2-64-ok mga3-64-ok
Testing complete mga3 32

Validating. Advisory from comment 3 on svn.

Could sysadmin please push from 2 & 3 core/updates_testing to core/updates

Thanks!
Keywords: (none) => validated_update
Whiteboard: MGA2TOO mga2-32-ok mga2-64-ok mga3-64-ok => MGA2TOO mga2-32-ok mga2-64-ok mga3-64-ok mga3-32-ok
CC: (none) => sysadmin-bugs
Update pushed: http://advisories.mageia.org/MGASA-2013-0238.html
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED
URL: (none) => http://lwn.net/Vulnerabilities/561315/
http://www.openwall.com/lists/oss-security/2013/07/30/1

">* http://www.phpmyadmin.net/home_page/security/PMASA-2013-8.php

Use CVE-2013-4995. As far as we can tell, this should be the only CVE needed for PMASA-2013-8; however, this link gives us a 404 error:

"The following commits have been made on the 3.5 branch to fix this issue: 51f343b91908d1b1bacaebe6db87c3d7aa522581"

>* http://www.phpmyadmin.net/home_page/security/PMASA-2013-9.php
>* http://www.phpmyadmin.net/home_page/security/PMASA-2013-11.php

Use CVE-2013-4996 for the PMASA-2013-9 XSS issues that affect both 3.5.x and 4.0.x, and for the PMASA-2013-11 XSS issue.

Use CVE-2013-4997 for the PMASA-2013-9 XSS issues that affect only 3.5.x. (We think this may be the first two issues, but the CVE is assigned on the basis of affected versions, not the vulnerability details.)

(We didn't notice any XSS issues that affected only 4.0.x.)

>* http://www.phpmyadmin.net/home_page/security/PMASA-2013-12.php

Use CVE-2013-4998 for the path-disclosure issues affecting both 3.5.x and 4.0.x (approximately three affected files).

Use CVE-2013-4999 for the path-disclosure issues affecting only version 4.0.x (approximately two affected files).

Use CVE-2013-5000 for the path-disclosure issues affecting only version 3.5.x (several affected files).

>* http://www.phpmyadmin.net/home_page/security/PMASA-2013-13.php

Use CVE-2013-5001.

>* http://www.phpmyadmin.net/home_page/security/PMASA-2013-14.php

Use CVE-2013-5002.

>* http://www.phpmyadmin.net/home_page/security/PMASA-2013-15.php

Use CVE-2013-5003."
Here's Mandriva's advisory using the CVEs: http://www.mandriva.com/en/support/security/advisories/mbs1/MDVSA-2013:203/
Advisory updated, thank you. Could you check it please.
http://svnweb.mageia.org/advisories/10872.adv?view=markup
Missed CVE-2013-4997, added now.
Thanks Claire, it looks correct to me.

You can actually just take out the PMASAs in the advisory text itself and replace them with the CVEs you added there. We should also add the CVE links to the References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4995
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4996
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4997
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4998
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5000
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5002
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5003

It looks like Oden missed CVE-2013-4997 in the MDV advisory too, I wonder if there's a reason for that. You could just replace all of the advisory text with what MDV used, since ours is a bit verbose at the moment. It looks like CVE-2013-4997 would go with CVE-2013-4996.
The CVE links are added automatically when it is pushed. I'm not sure whether it needs manual intervention to regenerate it once it has been pushed. Maybe Thomas or Nicolas could answer.

Are you able to access this part of svn David, if not then we should get you added to QA group or extend it to the sec group as well maybe.
======================================================
Name: CVE-2013-4995
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4995
Final-Decision:
Interim-Decision:
Modified:
Proposed:
Assigned: 20130729
Category:
Reference: CONFIRM:http://www.phpmyadmin.net/home_page/security/PMASA-2013-8.php

Cross-site scripting (XSS) vulnerability in phpMyAdmin 3.5.x before 3.5.8.2 and 4.0.x before 4.0.4.2 allows remote authenticated users to inject arbitrary web script or HTML via a crafted SQL query that is not properly handled during the display of row information.

======================================================
Name: CVE-2013-4996
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4996
Final-Decision:
Interim-Decision:
Modified:
Proposed:
Assigned: 20130729
Category:
Reference: CONFIRM:http://www.phpmyadmin.net/home_page/security/PMASA-2013-11.php
Reference: CONFIRM:http://www.phpmyadmin.net/home_page/security/PMASA-2013-9.php

Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 3.5.x before 3.5.8.2 and 4.0.x before 4.0.4.2 allow remote attackers to inject arbitrary web script or HTML via vectors involving (1) a crafted database name, (2) a crafted user name, (3) a crafted logo URL in the navigation panel, (4) a crafted entry in a certain proxy list, or (5) crafted content in a version.json file.

======================================================
Name: CVE-2013-4997
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4997
Final-Decision:
Interim-Decision:
Modified:
Proposed:
Assigned: 20130729
Category:
Reference: CONFIRM:http://www.phpmyadmin.net/home_page/security/PMASA-2013-9.php

Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 3.5.x before 3.5.8.2 allow remote attackers to inject arbitrary web script or HTML via vectors involving a JavaScript event in (1) an anchor identifier to setup/index.php or (2) a chartTitle (aka chart title) value.

======================================================
Name: CVE-2013-4998
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4998
Final-Decision:
Interim-Decision:
Modified:
Proposed:
Assigned: 20130729
Category:
Reference: CONFIRM:http://www.phpmyadmin.net/home_page/security/PMASA-2013-12.php

phpMyAdmin 3.5.x before 3.5.8.2 and 4.0.x before 4.0.4.2 allows remote attackers to obtain sensitive information via an invalid request, which reveals the installation path in an error message, related to pmd_common.php and other files.

======================================================
Name: CVE-2013-4999
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4999
Final-Decision:
Interim-Decision:
Modified:
Proposed:
Assigned: 20130729
Category:
Reference: CONFIRM:http://www.phpmyadmin.net/home_page/security/PMASA-2013-12.php

phpMyAdmin 4.0.x before 4.0.4.2 allows remote attackers to obtain sensitive information via an invalid request, which reveals the installation path in an error message, related to Error.class.php and Error_Handler.class.php.

======================================================
Name: CVE-2013-5000
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5000
Final-Decision:
Interim-Decision:
Modified:
Proposed:
Assigned: 20130729
Category:
Reference: CONFIRM:http://www.phpmyadmin.net/home_page/security/PMASA-2013-12.php

phpMyAdmin 3.5.x before 3.5.8.2 allows remote attackers to obtain sensitive information via an invalid request, which reveals the installation path in an error message, related to config.default.php and other files.

======================================================
Name: CVE-2013-5001
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5001
Final-Decision:
Interim-Decision:
Modified:
Proposed:
Assigned: 20130729
Category:
Reference: CONFIRM:http://www.phpmyadmin.net/home_page/security/PMASA-2013-13.php

Cross-site scripting (XSS) vulnerability in libraries/plugins/transformations/abstract/TextLinkTransformationsPlugin.class.php in phpMyAdmin 4.0.x before 4.0.4.2 allows remote authenticated users to inject arbitrary web script or HTML via a crafted object name associated with a TextLinkTransformationPlugin link.

======================================================
Name: CVE-2013-5002
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5002
Final-Decision:
Interim-Decision:
Modified:
Proposed:
Assigned: 20130729
Category:
Reference: CONFIRM:http://www.phpmyadmin.net/home_page/security/PMASA-2013-14.php

Cross-site scripting (XSS) vulnerability in libraries/schema/Export_Relation_Schema.class.php in phpMyAdmin 3.5.x before 3.5.8.2 and 4.0.x before 4.0.4.2 allows remote authenticated users to inject arbitrary web script or HTML via a crafted pageNumber value to schema_export.php.

======================================================
Name: CVE-2013-5003
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5003
Final-Decision:
Interim-Decision:
Modified:
Proposed:
Assigned: 20130729
Category:
Reference: CONFIRM:http://www.phpmyadmin.net/home_page/security/PMASA-2013-15.php

Multiple SQL injection vulnerabilities in phpMyAdmin 3.5.x before 3.5.8.2 and 4.0.x before 4.0.4.2 allow remote authenticated users to execute arbitrary SQL commands via (1) the scale parameter to pmd_pdf.php or (2) the pdf_page_number parameter to schema_export.php.
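Added example, not part of the original thread or of Mageia's advisory tooling: the CVEs above are split by affected branch, so which ones belong in a distribution advisory depends on the packaged version. This sketch parses the "N.N.x before V" phrases from the descriptions above and reports CVEs an advisory draft leaves out; the function names, the installed version 3.5.8.1 and the draft text in the usage note are constructed for illustration.

```python
import re

# Affected-version phrases copied from the CVE descriptions above.
BOTH = "phpMyAdmin 3.5.x before 3.5.8.2 and 4.0.x before 4.0.4.2"
ONLY_35 = "phpMyAdmin 3.5.x before 3.5.8.2"
ONLY_40 = "phpMyAdmin 4.0.x before 4.0.4.2"
CVE_AFFECTED = {
    "CVE-2013-4995": BOTH, "CVE-2013-4996": BOTH, "CVE-2013-4997": ONLY_35,
    "CVE-2013-4998": BOTH, "CVE-2013-4999": ONLY_40, "CVE-2013-5000": ONLY_35,
    "CVE-2013-5001": ONLY_40, "CVE-2013-5002": BOTH, "CVE-2013-5003": BOTH,
}

RANGE_RE = re.compile(r"(\d+(?:\.\d+)*)\.x before (\d+(?:\.\d+)+)")


def parse_version(text):
    """Dotted numeric upstream version only (no RPM epoch or release suffix)."""
    return tuple(int(part) for part in text.split("."))


def parse_ranges(phrase):
    """Return [(branch, first_fixed), ...] for each 'N.N.x before V' clause."""
    return [(parse_version(b), parse_version(f)) for b, f in RANGE_RE.findall(phrase)]


def is_affected(installed, phrase):
    """True if the installed version is on a listed branch and below its fix."""
    v = parse_version(installed)
    return any(v[:len(branch)] == branch and v < fixed
               for branch, fixed in parse_ranges(phrase))


def applicable_cves(installed):
    """CVE ids whose affected range covers the installed upstream version."""
    return sorted(cve for cve, phrase in CVE_AFFECTED.items()
                  if is_affected(installed, phrase))


def missing_from_advisory(installed, advisory_text):
    """Applicable CVE ids that the advisory text does not mention."""
    listed = set(re.findall(r"CVE-\d{4}-\d{4,}", advisory_text))
    return [cve for cve in applicable_cves(installed) if cve not in listed]
```

For a constructed draft that lists CVE-2013-4995, -4996, -4998, -5000, -5002 and -5003, `missing_from_advisory("3.5.8.1", draft)` returns `["CVE-2013-4997"]`, while the 4.0.x-only CVE-2013-4999 and CVE-2013-5001 are correctly not requested for a 3.5.x package.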
(In reply to David Walser from comment #13)
> It looks like Oden missed CVE-2013-4997 in the MDV advisory too, I wonder if
> there's a reason for that.

I missed that one. Will fix soon'ish.
(In reply to claire robinson from comment #14)
> The CVE links are added automatically when it is pushed. I'm not sure
> whether it needs manual intervention to regenerate it once it has been
> pushed. Maybe Thomas or Nicolas could answer.

Yes, it is regenerated every 10 minutes.

> Are you able to access this part of svn David, if not then we should get you
> added to QA group or extend it to the sec group as well maybe.

All packagers can commit to the advisories svn repository too.
CC: (none) => boklm
URL: http://lwn.net/Vulnerabilities/561315/ => http://lwn.net/Vulnerabilities/561441/
CC: boklm => (none)