Bug 14208 - phpmyadmin new security issue CVE-2014-7217
Summary: phpmyadmin new security issue CVE-2014-7217
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: i586 Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/614817/
Whiteboard: MGA3TOO has_procedure mga3-32-ok mga3...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2014-10-01 17:24 CEST by David Walser
Modified: 2014-10-07 11:23 CEST

See Also:
Source RPM: phpmyadmin-4.1.14.4-1.mga4.src.rpm
CVE:
Status comment:



Description David Walser 2014-10-01 17:24:12 CEST
Upstream has released version 4.1.14.5 today (October 1) fixing security issues:
http://www.phpmyadmin.net/home_page/news.php#phpMyAdmin_4.0.10.4__4.1.14.5_and_4.2.9.1_are_released

Details are not available yet.

Updated packages uploaded for Mageia 3 and Mageia 4.

Freeze push requested for 4.2.9.1 for Cauldron.

Updated packages in core/updates_testing:
========================
phpmyadmin-4.1.14.5-1.mga3
phpmyadmin-4.1.14.5-1.mga4

from SRPMS:
phpmyadmin-4.1.14.5-1.mga3.src.rpm
phpmyadmin-4.1.14.5-1.mga4.src.rpm

Comment 1 David Walser 2014-10-01 17:24:22 CEST
Testing procedure:
https://bugs.mageia.org/show_bug.cgi?id=12834#c7

Whiteboard: (none) => MGA3TOO

David Walser 2014-10-01 17:24:31 CEST

Whiteboard: MGA3TOO => MGA3TOO has_procedure

Comment 2 Bill Wilkinson 2014-10-02 14:22:46 CEST
Tested mga4 64

Created user and database, set up table and entered a data point checked table and data point, removed user and database.  All behaved as expected.

CC: (none) => wrw105
Whiteboard: MGA3TOO has_procedure => MGA3TOO has_procedure mga4-64-ok

Comment 3 claire robinson 2014-10-02 16:00:54 CEST
Testing complete mga3 64

Similar to Bill. The update caused httpd segfaults until httpd was restarted rather than the reload it gets when updating. We've seen this before IINM and decided there was nothing we could do about it.

Whiteboard: MGA3TOO has_procedure mga4-64-ok => MGA3TOO has_procedure mga3-64-ok mga4-64-ok

Comment 4 David Walser 2014-10-02 17:31:03 CEST
Nothing we can do unless we can figure out what's causing it and fix that.  For instance, having php-opcache enabled will cause this issue, but there isn't a fix for it yet, so you just have to disable it.  I'm not specifically aware of other causes for this issue, but it's possible there's another one.
Comment 5 Oden Eriksson 2014-10-03 10:05:09 CEST
http://www.phpmyadmin.net/home_page/security/PMASA-2014-11.php

CC: (none) => oe

Comment 6 Rémi Verschelde 2014-10-03 10:18:32 CEST
More detailed procedure:
========================

To use phpMyAdmin you need to have mariadb installed and to know the MySQL root password (note that it differs from your Mageia root password). If you don't have mariadb installed and configured, go to (A). If you don't remember the MySQL root password, go to (B). If you're fine, go to (C).


(A) Installing MySQL
0. If you decided to reinstall MySQL, uninstall mariadb and delete /var/lib/mysql and /etc/my.cfg
1. Install mariadb
2. Run the mysqld service with:
   # systemctl start mysqld
3. Define a MySQL root password with:
   # mysqladmin password
4. Go to (C) to test phpMyAdmin


(B) Reset MySQL root password
1. Stop the mysql service:
   # systemctl stop mysqld
2. Start MySQL without password authentication:
   # mysqld_safe --skip-grant-tables &
3. Connect to the MySQL server as root user:
   # mysql -u root mysql
4. Run the following commands with your chosen password instead of "MyNewPass".
   Note that mysql> is just the MySQL prompt, you should not type it.
   mysql> use mysql;
   mysql> UPDATE mysql.user SET Password=PASSWORD('MyNewPass') WHERE User='root';
   mysql> FLUSH PRIVILEGES;
   mysql> exit
5. Stop the safe-mode MySQL and start the normal one again
   # mysqladmin shutdown
   # systemctl start mysqld
6. Go to (C) to test phpMyAdmin


(C) Testing phpMyAdmin
1. Install phpmyadmin
2. Browse to http://localhost/phpmyadmin
3. Log in as MySQL root user with your now known password
4. Create a user: in the banner menu click "Users" and then "Add a user"
   Set the username and password, and tick the box to create a database
   named like the user on which the user has all privileges
5. In the left hand-side menu, click on your new database, and create a table.
6. Delete the user and the associated database
7. Log out
Comment 7 David Walser 2014-10-03 14:33:36 CEST
(In reply to Oden Eriksson from comment #5)
> http://www.phpmyadmin.net/home_page/security/PMASA-2014-11.php

Thanks Oden.  It's about time they posted it.  I kept checking for it.
Comment 8 David Walser 2014-10-03 14:36:49 CEST
Advisory:
========================

Updated phpmyadmin package fixes security vulnerability:

In phpMyAdmin before 4.1.14.4, with a crafted ENUM value it is possible to
trigger an XSS in table search and table structure pages (CVE-2014-7217).

References:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7217
http://www.phpmyadmin.net/home_page/security/PMASA-2014-11.php

Summary: phpmyadmin new security issues fixed in 4.1.14.5 => phpmyadmin new security issue CVE-2014-7217

Comment 9 Patrice ANDREANI 2014-10-03 16:13:42 CEST
Test with phpmyadmin 4.1.14.5-1.mga4
Create a user, a table, delete, all OK.

CC: (none) => patr_and

Patrice ANDREANI 2014-10-03 16:14:05 CEST

Whiteboard: MGA3TOO has_procedure mga3-64-ok mga4-64-ok => MGA3TOO has_procedure mga3-64-ok mga4-64-ok MGA4-32-OK

Comment 10 Rémi Verschelde 2014-10-03 18:56:12 CEST
Actually I did not realise but I tested mga3 32bit when writing the procedure :-P

CC: (none) => remi
Whiteboard: MGA3TOO has_procedure mga3-64-ok mga4-64-ok MGA4-32-OK => MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-64-ok MGA4-32-OK

David Walser 2014-10-03 18:56:52 CEST

URL: (none) => http://lwn.net/Vulnerabilities/614817/

Comment 11 Rémi Verschelde 2014-10-03 19:00:49 CEST
@David: Should I ask the lwn.net link to the advisory?

Keywords: (none) => validated_update
Whiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-64-ok MGA4-32-OK => MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-64-ok MGA4-32-OK advisory
CC: (none) => sysadmin-bugs

Comment 12 David Walser 2014-10-03 19:02:53 CEST
(In reply to Rémi Verschelde from comment #11)
> @David: Should I ask the lwn.net link to the advisory?

No.
Comment 13 Rémi Verschelde 2014-10-03 19:56:33 CEST
Of course I meant "should I add" but I see you understood :-)
Comment 14 Rémi Verschelde 2014-10-03 19:58:40 CEST
Validated. I couldn't upload the advisory yet because mgaadv is broken on cauldron :-/

Whiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-64-ok MGA4-32-OK advisory => MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-64-ok MGA4-32-OK

Comment 15 Rémi Verschelde 2014-10-03 20:01:40 CEST
Actually I copied and edited another advisory.

Whiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-64-ok MGA4-32-OK => MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-64-ok MGA4-32-OK advisory

Comment 16 Mageia Robot 2014-10-07 11:23:42 CEST
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2014-0402.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

