[phpmyadmin] [PMASA-2008-1] SQL injection vulnerability (Delayed Cross Site Request Forgery)

Bug #198745 reported by disabled.user
Affects              Status        Importance  Assigned to       Milestone
phpmyadmin (Ubuntu)  Fix Released  High        Emanuele Gentili
Dapper               Fix Released  High        Emanuele Gentili
Edgy                 Fix Released  High        Emanuele Gentili
Feisty               Fix Released  High        Emanuele Gentili
Gutsy                Fix Released  High        Emanuele Gentili
Hardy                Fix Released  High        Emanuele Gentili

Bug Description

Binary package hint: phpmyadmin

References:
PMASA-2008-1 (http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2008-1)

Quoting:
"Description:
We received an advisory from Richard Cunningham, and we wish to thank him for his work. phpMyAdmin used the $_REQUEST superglobal as a source for its parameters, instead of $_GET and $_POST. This means that on most servers, a cookie with the same name as one of phpMyAdmin's parameters can interfere.
Another application could set a cookie for the root path "/" with a "sql_query" name, therefore overriding the user-submitted sql_query because by default, the $_REQUEST superglobal imports first GET, then POST then COOKIE data.

Severity:
We consider this vulnerability to be serious.

Mitigation factor:
An attacker must trick the victim into visiting a page on the same web server where he has placed code that creates a malicious cookie.

Affected versions:
Versions before 2.11.5.

Solution:
Upgrade to phpMyAdmin 2.11.5 or newer, where $_REQUEST is rebuilt to not contain cookies."
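
The override described in the quoted advisory, and the rebuild named in its Solution, as an added PHP example (not phpMyAdmin's code and not the Ubuntu patch). The helper build_request() and all sample values are constructed for illustration.

```php
<?php
// Constructed sample inputs; in a live request PHP fills the superglobals itself.
$get    = ['db' => 'shop', 'sql_query' => 'SELECT 1'];  // what the user submitted
$post   = [];
$cookie = ['sql_query' => 'SELECT 2',                   // cookie set for path "/" by another app
           'session_hint' => 'abc'];

/**
 * Hypothetical helper: emulate how PHP fills $_REQUEST for an order string
 * (G = GET, P = POST, C = COOKIE). Sources merged later overwrite earlier ones.
 */
function build_request(string $order, array $get, array $post, array $cookie): array
{
    $sources = ['G' => $get, 'P' => $post, 'C' => $cookie];
    $request = [];
    foreach (str_split(strtoupper($order)) as $letter) {
        if (isset($sources[$letter])) {
            $request = array_merge($request, $sources[$letter]);
        }
    }
    return $request;
}

// Order described in the advisory: GET first, then POST, then COOKIE.
$with_cookies = build_request('GPC', $get, $post, $cookie);

// Rebuild from GET and POST only, so cookies can no longer supply parameters.
$rebuilt = array_merge($get, $post);

// Audit check: cookie names that collide with a submitted parameter name.
$shadowed = array_keys(array_intersect_key($cookie, $get + $post));

printf("sql_query with cookies merged: %s\n", $with_cookies['sql_query']);
printf("sql_query after rebuild:       %s\n", $rebuilt['sql_query']);
printf("parameters shadowed by cookie: %s\n", implode(', ', $shadowed));
```

On PHP 5.3 and later, the php.ini directive `request_order = "GP"` keeps cookies out of $_REQUEST for every application on the server.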

Emanuele Gentili (emgent) wrote :
Changed in phpmyadmin:
assignee: nobody → emgent
importance: Undecided → High
Emanuele Gentili (emgent) wrote :
Changed in phpmyadmin:
assignee: nobody → emgent
importance: Undecided → High
status: New → Fix Committed
assignee: nobody → emgent
importance: Undecided → High
assignee: nobody → emgent
importance: Undecided → High
assignee: nobody → emgent
importance: Undecided → High
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package phpmyadmin - 4:2.11.3-1ubuntu1

---------------
phpmyadmin (4:2.11.3-1ubuntu1) hardy; urgency=low

  * SECURITY UPDATE:
   + debian/patches/050_CVE-2008-1149.dpatch
    - Provides unauthorized access, Allows partial confidentiality, integrity, and
      availability violation , Allows unauthorized disclosure of information ,
      Allows disruption of service. (LP: #198745)
  * References:
   + http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1149
   + http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2008-1
  * debian/control:
   + updated maintainer field

 -- Emanuele Gentili <email address hidden> Wed, 05 Mar 2008 20:17:28 +0100

Changed in phpmyadmin:
status: Fix Committed → Fix Released
Changed in phpmyadmin:
assignee: emgent → nobody
assignee: emgent → nobody
assignee: emgent → nobody
Changed in phpmyadmin:
status: New → In Progress
Emanuele Gentili (emgent) wrote :

Another big thanks to hk47.

Kees Cook (kees) wrote :

Thanks! Gutsy is being built and uploaded now.

Changed in phpmyadmin:
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package phpmyadmin - 4:2.10.3-1ubuntu0.2

---------------
phpmyadmin (4:2.10.3-1ubuntu0.2) gutsy-security; urgency=low

  * SECURITY UPDATE:
   + debian/patches/050_CVE-2008-1149.dpatch
    - Provides unauthorized access, Allows partial confidentiality, integrity, and
      availability violation , Allows unauthorized disclosure of information ,
      Allows disruption of service. (LP: #198745)

  * References:
   + http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1149
   + http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2008-1

 -- Emanuele Gentili <email address hidden> Wed, 05 Mar 2008 20:38:57 +0100

Changed in phpmyadmin:
status: Fix Committed → Fix Released
Emanuele Gentili (emgent) wrote :
Changed in phpmyadmin:
assignee: nobody → emgent
status: New → In Progress
Emanuele Gentili (emgent) wrote :
Emanuele Gentili (emgent) wrote :
Changed in phpmyadmin:
assignee: nobody → emgent
status: New → In Progress
assignee: nobody → emgent
status: New → In Progress
Kees Cook (kees) wrote :

The dapper attachment seems to be against edgy?

Kees Cook (kees) wrote :

The feisty build is missing an Ubuntu maintainer in the debian/control file.

Changed in phpmyadmin:
status: In Progress → Incomplete
status: In Progress → Incomplete
Kees Cook (kees) wrote :

Edgy uploaded, thanks! It should be published shortly.

Changed in phpmyadmin:
status: In Progress → Fix Committed
Emanuele Gentili (emgent) wrote :

yada rebuilds control by default; I will work on it.

Changed in phpmyadmin:
status: Incomplete → Confirmed
status: Incomplete → Confirmed
Kees Cook (kees) wrote :

Feisty uploaded. (meh, yada)

Changed in phpmyadmin:
status: Confirmed → Fix Committed
Changed in phpmyadmin:
status: Confirmed → In Progress
Emanuele Gentili (emgent) wrote :

Sorry for the delay.

Kees Cook (kees) wrote :

Looks great, I've uploaded dapper now.

Changed in phpmyadmin:
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package phpmyadmin - 4:2.9.1.1-2ubuntu1.2

---------------
phpmyadmin (4:2.9.1.1-2ubuntu1.2) feisty-security; urgency=low

  * SECURITY UPDATE:
   + debian/patches/050_CVE-2008-1149.dpatch
    - Provides unauthorized access, Allows partial confidentiality, integrity, and
      availability violation , Allows unauthorized disclosure of information ,
      Allows disruption of service. (LP: #198745)
  * References:
   + http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1149
   + http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2008-1

 -- Emanuele Gentili <email address hidden> Tue, 11 Mar 2008 06:03:46 +0100

Changed in phpmyadmin:
status: Fix Committed → Fix Released
Changed in phpmyadmin:
status: Fix Committed → Fix Released
status: Fix Committed → Fix Released
This report contains Public Security information  
Everyone can see this security related information.
