Bug 9755 - phpmyadmin - Reflected XSS in phpMyAdmin 3.5.7 (CVE-2013-1937)
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 2
Hardware: i586 Linux
Priority: Normal Severity: normal
Target Milestone: ---
Assigned To: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/547524/
Whiteboard: has_procedure mga2-64-ok mga3-32-ok
Keywords: validated_update
Reported: 2013-04-16 16:11 CEST by Oden Eriksson
Modified: 2013-04-18 00:32 CEST
Source RPM: phpmyadmin-3.5.3-2.1.mga2.src.rpm
Description Oden Eriksson 2013-04-16 16:11:15 CEST
Name: CVE-2013-1937
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1937
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130219
Category: 
Reference: FULLDISC:20130409 [waraxe-2013-SA#102] - Reflected XSS in phpMyAdmin 3.5.7
Reference: URL:http://archives.neohapsis.com/archives/fulldisclosure/2013-04/0101.html
Reference: MLIST:[oss-security] 20130409 Re: CVE Request: Self-XSS in phpmyadmin fixed in 3.5.8
Reference: URL:http://openwall.com/lists/oss-security/2013/04/09/13
Reference: MISC:http://packetstormsecurity.com/files/121205/phpMyAdmin-3.5.7-Cross-Site-Scripting.html
Reference: MISC:http://www.waraxe.us/advisory-102.html
Reference: CONFIRM:https://github.com/phpmyadmin/phpmyadmin/commit/79089c9bc02c82c15419fd9d6496b8781ae08a5a

Multiple cross-site scripting (XSS) vulnerabilities in
tbl_gis_visualization.php in phpMyAdmin 3.5.x before 3.5.8 might allow
remote attackers to inject arbitrary web script or HTML via the (1)
visualizationSettings[width] or (2) visualizationSettings[height]
parameter.


Reproducible: 

Steps to Reproduce:
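As an added illustration of the bug class the CVE text describes (constructed here; not phpMyAdmin's code and not the actual 3.5.8 fix): a Python model of a page that reflects visualizationSettings[width] and visualizationSettings[height] into an input attribute, beside a hardened version that validates the dimensions as bounded integers and escapes for attribute context. The parameter names and the payload string come from this report; the input markup, the bounds and the default sizes are assumptions.

```python
# Constructed model of the CVE-2013-1937 bug class: a GIS visualization
# setting (width/height) reflected into an HTML attribute value without
# validation or escaping, next to a hardened version of the same render.
# Not phpMyAdmin's own code; markup, defaults and bounds are assumptions.
import html
import re

# Payload shape from the advisory: closes the attribute, then the tag.
POC_PAYLOAD = '"><script>alert(123);</script>'


def render_vulnerable(settings: dict) -> str:
    """Reflect visualizationSettings[width]/[height] verbatim (unsafe)."""
    width = settings.get("width", "600")
    height = settings.get("height", "450")
    return (
        f'<input type="text" name="visualizationSettings[width]" value="{width}">'
        f'<input type="text" name="visualizationSettings[height]" value="{height}">'
    )


def parse_dimension(value, default: int, maximum: int = 4096) -> int:
    """Accept only a positive integer within bounds; otherwise use the default."""
    if isinstance(value, str) and re.fullmatch(r"[1-9][0-9]{0,4}", value):
        n = int(value)
        if n <= maximum:
            return n
    return default


def render_hardened(settings: dict) -> str:
    """Validate both dimensions as integers, then escape for attribute context.

    The escape is redundant once the value is an int, but it keeps the
    template safe if someone later reflects a string setting the same way.
    """
    width = parse_dimension(settings.get("width"), 600)
    height = parse_dimension(settings.get("height"), 450)
    w = html.escape(str(width), quote=True)
    h = html.escape(str(height), quote=True)
    return (
        f'<input type="text" name="visualizationSettings[width]" value="{w}">'
        f'<input type="text" name="visualizationSettings[height]" value="{h}">'
    )


def script_injected(markup: str) -> bool:
    """Crude check: did a raw <script> element land in the rendered output?"""
    return "<script>" in markup.lower()
```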
Comment 1 Oden Eriksson 2013-04-16 16:13:11 CEST
phpmyadmin-3.5.8-0.1.mga2.src.rpm has been put in mga2 core/updates_testing.
The same version would have to be pushed in cauldron.

Packages for MBS1 have been tested and pushed:

http://www.mandriva.com/en/support/security/advisories/mbs1/MDVSA-2013:144/
Comment 2 David Walser 2013-04-16 16:47:59 CEST
It has not been committed in Cauldron SVN yet, so assigning the maintainer.

The Mageia 2 update candidate should use release tag 1 with no subrel.
Comment 3 José Jorge 2013-04-16 18:35:00 CEST
Thanks, it is in cauldron now.
Comment 4 David Walser 2013-04-16 20:03:32 CEST
Thanks José.  Now the release tag needs to be fixed for the Mageia 2 update.
Comment 5 David Walser 2013-04-17 16:49:58 CEST
Updated package uploaded for Mageia 2 by Oden.  Thanks Oden.

Advisory:
========================

Updated phpmyadmin package fixes security vulnerability:

Multiple cross-site scripting (XSS) vulnerabilities in
tbl_gis_visualization.php in phpMyAdmin 3.5.x before 3.5.8 might allow
remote attackers to inject arbitrary web script or HTML via the (1)
visualizationSettings[width] or (2) visualizationSettings[height]
parameter (CVE-2013-1937).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1937
http://www.mandriva.com/en/support/security/advisories/mbs1/MDVSA-2013:144/
========================

Updated packages in core/updates_testing:
========================
phpmyadmin-3.5.8-1.mga2

from phpmyadmin-3.5.8-1.mga2.src.rpm
Comment 6 claire robinson 2013-04-17 17:23:16 CEST
PoCs, from http://www.waraxe.us/advisory-102.html

Tests (parameters "db" and "token" must be valid):

http://localhost/PMA/tbl_gis_visualization.php?db=information_schema&token=17961b7ab247b6d2b39d730bf336cebb&visualizationSettings[width]="><script>alert(123);</script>

http://localhost/PMA/tbl_gis_visualization.php?db=information_schema&token=17961b7ab247b6d2b39d730bf336cebb&visualizationSettings[height]="><script>alert(123);</script>


Result: JavaScript alert box pops up, confirming Reflected XSS vulnerability.
Comment 7 claire robinson 2013-04-17 17:36:21 CEST
Testing complete mga2 64

Confirmed PoC

http://localhost/phpmyadmin/tbl_gis_visualization.php?db=information_schema&token=17961b7ab247b6d2b39d730bf336cebb&visualizationSettings[width]=%22%3E%3Cscript%3Ealert%28123%29;%3C/script%3E

Changing the token=....& to whatever the token is set to in the URL once logged in to phpMyAdmin.

Confirmed fixed after update.
Comment 8 claire robinson 2013-04-17 21:11:09 CEST
Testing complete mga2 32

Validating

Advisory and srpm in comment 5

Could sysadmin please push from core/updates_testing to core/updates

Thanks!
Comment 9 Thomas Backlund 2013-04-18 00:32:57 CEST
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0122
