CVE-2009-1285: Insufficient output sanitizing when generating configuration file

Bug #392324 reported by Micah Gersten
Affects               Status        Importance  Assigned to        Milestone
phpmyadmin (Ubuntu)   Invalid       Medium      Unassigned
  Jaunty              Fix Released  Medium      Marc Deslauriers
  Karmic              Invalid       Medium      Unassigned

Bug Description

Binary package hint: phpmyadmin

http://www.phpmyadmin.net/home_page/security/PMASA-2009-4.php

The setup script used to generate the configuration can be fooled, using a crafted POST request, into including arbitrary PHP code in the generated configuration file. Combined with the ability to save files on the server, this can allow unauthenticated users to execute arbitrary PHP code. This issue involves different parameters than PMASA-2009-3, and it was missed by our radar because it did not exist in the 2.11.x branch.

Micah Gersten (micahg) wrote :

Marking Critical per upstream priority

visibility: private → public
Changed in phpmyadmin (Ubuntu):
importance: Undecided → Critical
Jamie Strandboge (jdstrand) wrote :

Only Jaunty is affected. From upstream:
For 2.11.x: versions are not affected.
For 3.x: versions before 3.1.3.2.

Changed in phpmyadmin (Ubuntu Jaunty):
status: New → Confirmed
importance: Undecided → Medium
Changed in phpmyadmin (Ubuntu Karmic):
status: New → Invalid
importance: Critical → Medium
Marc Deslauriers (mdeslaur) wrote :

Updated packages were released.

Changed in phpmyadmin (Ubuntu Jaunty):
status: Confirmed → Fix Released
derRichard (richard-ubuntu) wrote :

This bug still seems exploitable.
A friend of mine has PhpMyAdmin-4:3.1.2-1ubuntu0.1 running on Ubuntu 9.04 and got hacked today.
After some time I found the exploit.
It used this issue to break in:
http://www.phpmyadmin.net/home_page/security/PMASA-2009-4.php

The security update for the issue contains only this patch:
http://phpmyadmin.svn.sourceforge.net/viewvc/phpmyadmin/branches/MAINT_3_1_3/phpMyAdmin/setup/lib/ConfigFile.class.php?r1=12248&r2=12301&pathrev=12342

But NOT:
http://phpmyadmin.svn.sourceforge.net/viewvc/phpmyadmin/trunk/phpMyAdmin/setup/lib/ConfigFile.class.php?r1=12342&r2=12341&pathrev=12342

A review of this issue is needed.

Cheers,
//richard

Marc Deslauriers (mdeslaur) wrote :

Confirmed. One of the patches is missing. I'll work on this.

Changed in phpmyadmin (Ubuntu Jaunty):
status: Fix Released → Triaged
assignee: nobody → Marc Deslauriers (mdeslaur)
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package phpmyadmin - 4:3.1.2-1ubuntu0.2

---------------
phpmyadmin (4:3.1.2-1ubuntu0.2) jaunty-security; urgency=low

  * SECURITY UPDATE: XSS via a crafted name for a MySQL table (LP: #450505)
    - debian/patches/046-security-CVE-2009-3696-3697.dpatch: filter special
      characters in db_operations.php and db_structure.php.
    - CVE-2009-3696
  * SECURITY UPDATE: SQL injection via PDF schema generator functionality
    (LP: #450505)
    - debian/patches/046-security-CVE-2009-3696-3697.dpatch: filter and
      escape special characters in pdf_pages.php and pmd_pdf.php.
    - CVE-2009-3697
  * SECURITY UPDATE: code injection via configuration files (LP: #392324)
    - Previous patch for CVE-2009-1285 was incomplete
    - debian/patches/045-security-CVE-2009-1285-2.dpatch: do not allow user
      to modify php code before saving in setup/frames/config.inc.php and
      setup/config.php.
    - CVE-2009-1285

 -- Marc Deslauriers <email address hidden> Mon, 26 Oct 2009 08:55:07 -0400

Changed in phpmyadmin (Ubuntu Jaunty):
status: Triaged → Fix Released
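As an added example (not phpMyAdmin's own code, and not the patches linked above), the following PHP shows the two defensive properties that the advisory and the 0.2 changelog entry call for: every generated setting is emitted as a PHP literal with var_export() instead of being interpolated into source text, and the saved file is regenerated from server-side settings rather than taken from the POST body. The function names, the $cfg array layout and the sample settings are assumptions made for the example.

```php
<?php
// Added example, not phpMyAdmin's code: a configuration-file generator that
// never writes client-supplied text as PHP source.  Function names, the
// $cfg array layout and the sample settings below are all hypothetical.

/**
 * Build config.inc.php from a structured array of settings.
 * Every key and value is emitted with var_export(), which yields a valid PHP
 * literal: strings are single-quoted with ' and \ escaped, so a value that
 * contains a quote, a semicolon or "?>" stays inside the string literal
 * instead of becoming code.  (The unsafe pattern is string interpolation such
 * as "\$cfg['$key'] = '$value';", which breaks out at the first quote.)
 */
function buildConfigFile(array $settings): string
{
    $out = "<?php\n/* Generated configuration file; do not edit by hand. */\n";
    foreach ($settings as $key => $value) {
        // Belt and braces: setting names come from a fixed schema, so reject
        // anything that does not look like one even though var_export() would
        // quote it safely anyway.
        if (!is_string($key) || !preg_match('#^[A-Za-z0-9_/]+$#', $key)) {
            throw new InvalidArgumentException('Invalid setting name: ' . var_export($key, true));
        }
        $out .= '$cfg[' . var_export($key, true) . '] = ' . var_export($value, true) . ";\n";
    }
    return $out;
}

/**
 * Sanity check a generator must pass: the file it produced, parsed by PHP,
 * yields exactly the settings that went in (no value turned into code).
 */
function configRoundTrips(array $settings): bool
{
    $tmp = tempnam(sys_get_temp_dir(), 'cfg');
    file_put_contents($tmp, buildConfigFile($settings));
    $cfg = [];
    include $tmp;   // defines $cfg from the file this script just wrote
    unlink($tmp);
    return $cfg === $settings;
}

/**
 * Save step.  The incomplete fix discussed above still accepted the text of
 * the config file from the POST body; the correct design keeps only
 * structured settings server-side (for example in the session) and
 * regenerates the file from them, ignoring any posted file text.
 */
function saveConfig(array $storedSettings, string $path): void
{
    if (!configRoundTrips($storedSettings)) {
        throw new RuntimeException('Generated configuration does not round-trip');
    }
    file_put_contents($path, buildConfigFile($storedSettings), LOCK_EX);
}

// Constructed sample input: one value tries to end the string literal early.
$settings = [
    'Servers/1/host'  => "localhost'; echo 'injected'; //",
    'Servers/1/port'  => 3306,
    'blowfish_secret' => 'EXAMPLE-SECRET-PLACEHOLDER',
];
echo buildConfigFile($settings);
```

Run it with the php CLI and inspect the printed file: the value that contains a quote appears as an escaped single-quoted string, and configRoundTrips() confirms that parsing the generated file gives back exactly the input array. The round-trip check is cheap enough to keep in the test suite of any config generator; it would have caught the interpolation bug, but not the second one, which is why saveConfig() takes structured settings and no file text at all.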