Several Cross-Site-Scripting vulnerabilities have been found in phpmyadmin. The CAN-2005-2869 advisory reports two of them. I've found four more vulnerabilities reported and fixed directly in phpMyAdmin's CVS.
I've attached the patch for the phpmyadmin package from the sarge release, with backported patches. The additional modification is that the Debian package release number is appended to the upstream version number, so it is clearly marked that this is modified source. -- .''`. Piotr Roszatycki, Netia SA : :' : mailto:[EMAIL PROTECTED] `. `' mailto:[EMAIL PROTECTED] `-
=== debian/changelog ================================================================== --- debian/changelog (revision 251) +++ debian/changelog (local) @@ -1,3 +1,34 @@ +phpmyadmin (4:2.6.2-3sarge1) stable-security; urgency=high + + * Security fix: Several Cross-Site Scripting vulnerabilities. + See http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2869 + Closes: #328501. + + * Modified 001-config.patch: + - Append the Debian package revision to the upstream version. Marks that + this phpMyAdmin package has additional Debian modifications so the + bugreports won't confuse phpMyAdmin's coders. + * New 100-bug1223319.patch: + - Use eval for config file including to catch parse errors. The patch is + required by further patch which fixes XSS. + * New 101-patch1258978.patch: + - Move common code for error pages out of common.lib.php. The patch is + required by further patch which fixes XSS. + * New 102-bug1240880.patch: + - XSS on the cookie-based login panel. + * New 102-bug1249239.patch: + - XSS vulnerability on Create page. + * New 102-bug1252124.patch: + - XSS on table creation page. + * New 102-bug1265740.patch: + - Protect against possible XSS, move input sanitizing to special file. + * New 102-bug1283552.patch: + - XSS on username. + * New 102-bug_XSS_on_header.inc.php.patch: + - XSS on header.inc.php. + + -- Piotr Roszatycki <[EMAIL PROTECTED]> Fri, 16 Sep 2005 15:32:30 +0200 + phpmyadmin (4:2.6.2-3) unstable; urgency=high * Fix apache2.conf only for 4:2.6.2-1 release. Closes: #307901 (critical), === debian/packages ================================================================== --- debian/packages (revision 251) +++ debian/packages (local) 
@@ -68,6 +68,12 @@ for webserver in apache apache-perl apache-ssl apache2; do yada install -conf -ucf -into /etc/$webserver/conf.d -as phpmyadmin.conf debian/conf/apache.conf done + . + version=$(grep "define.'PMA_VERSION" libraries/defines.lib.php | sed "s/.*, '//; s/'.*//")-Debian-${VERSION##*-} + sed -e 's/@VERSION@/'"$version"'/' \ + $ROOT/usr/share/phpmyadmin/config.inc.php > $ROOT/usr/share/phpmyadmin/config.inc.php.tmp + mv -f $ROOT/usr/share/phpmyadmin/config.inc.php.tmp $ROOT/usr/share/phpmyadmin/config.inc.php + . yada symlink -into /usr/share/phpmyadmin -as .htaccess /etc/phpmyadmin/htaccess yada symlink -into /var/www /usr/share/phpmyadmin yada symlink -into /usr/share/phpmyadmin /etc/phpmyadmin/config.header.inc.php === debian/patches/001-config.patch ================================================================== --- debian/patches/001-config.patch (revision 251) +++ debian/patches/001-config.patch (local) @@ -43,7 +43,7 @@ $cfg['Servers'][$i]['user'] = 'root'; // MySQL user $cfg['Servers'][$i]['password'] = ''; // MySQL password (only needed // with 'config' auth_type) -@@ -838,6 +839,13 @@ +@@ -838,6 +839,17 @@ */ set_magic_quotes_runtime(0); @@ -53,7 +53,11 @@ + */ +include('/etc/phpmyadmin/config.inc.php'); + ++if (!defined('PMA_VERSION')) { ++ define('PMA_VERSION', '@VERSION@'); ++} + ++ /** * File Revision - do not change either! */ === debian/patches/100-bug1223319.patch ================================================================== --- debian/patches/100-bug1223319.patch (revision 251) +++ debian/patches/100-bug1223319.patch (local) 
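Review bot: In the debian/packages hunk the `version=$(grep "define.'PMA_VERSION" libraries/defines.lib.php | sed ...)` line has no failure check, so if the grep pattern stops matching defines.lib.php the build silently installs a config.inc.php whose `@VERSION@` is replaced by a bare `-Debian-N` suffix. A one-line guard after the assignment, `[ -n "${version%%-Debian-*}" ] || { echo "PMA_VERSION not found in defines.lib.php" >&2; exit 1; }`, turns that into a build error. The `sed -e 's/@VERSION@/'"$version"'/'` substitution also embeds `$version` unescaped in the replacement text, which is only safe while the extracted string never contains `/` or `&`; that presumably holds for a phpMyAdmin version string, but a comment on the line stating the assumption would help the next maintainer.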
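Review bot: The `if (!defined('PMA_VERSION'))` fallback added in the second 001-config.patch hunk depends on a load order that is not visible here: config.inc.php is evaluated by common.lib.php before `./libraries/defines.lib.php` is required (the 102-bug1265740 hunk shows that require on a later line), so the Debian define wins and the upstream `define('PMA_VERSION', ...)` in defines.lib.php presumably becomes a no-op with a suppressed notice. That ordering dependency deserves a comment next to the define, e.g. `// Must be evaluated before libraries/defines.lib.php; its own define() is then skipped`, so a future reorder of common.lib.php does not silently drop the Debian suffix. The enclosing config.inc.php section continues outside the hunk.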
@@ -0,0 +1,43 @@ +Use eval for config file including to catch parse errors (bug #1223319), +on error page display config file that actually failed. + +diff -u -r2.138 -r2.139 +--- phpMyAdmin/libraries/common.lib.php 2005/07/11 05:51:13 2.138 ++++ phpMyAdmin/libraries/common.lib.php 2005/07/13 11:16:51 2.139 +@@ -75,9 +75,9 @@ + * Detects the config file we want to load + */ + if (file_exists('./config.inc.developer.php')) { +- $cfgfile_to_load = './config.inc.developer.php'; ++ $cfgfile_to_load = 'config.inc.developer.php'; + } else { +- $cfgfile_to_load = './config.inc.php'; ++ $cfgfile_to_load = 'config.inc.php'; + } + + /** +@@ -85,9 +85,12 @@ + * versions of phpMyAdmin/php/mysql... + */ + $old_error_reporting = error_reporting(0); +-include_once($cfgfile_to_load); +-// Include failed +-if (!isset($cfgServers) && !isset($cfg['Servers'])) { ++// We can not use include as it fails on parse error ++$config_fd = fopen($cfgfile_to_load, 'r'); ++$result = eval('?>' . fread($config_fd, filesize($cfgfile_to_load))); ++fclose($config_fd); ++// Eval failed ++if ($result === FALSE || (!isset($cfgServers) && !isset($cfg['Servers']))) { + // Creates fake settings + $cfg = array('DefaultLang' => 'en-iso-8859-1', + 'AllowAnywhereRecoding' => FALSE); +@@ -118,7 +121,7 @@ + <h1>phpMyAdmin - <?php echo $strError; ?></h1> + <p> + <?php echo $strConfigFileError; ?><br /><br /> +-<a href="config.inc.php" target="_blank">config.inc.php</a> ++<a href="<?php echo $cfgfile_to_load; ?>" target="_blank"><?php echo $cfgfile_to_load; ?></a> + </p> + </body> + === debian/patches/101-patch1258978.patch ================================================================== --- debian/patches/101-patch1258978.patch (revision 251) +++ debian/patches/101-patch1258978.patch (local) 
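Review bot: The new `$config_fd = fopen($cfgfile_to_load, 'r');` line in 100-bug1223319.patch never checks for failure, so a missing or unreadable config file makes `fread()` and `fclose()` operate on `false`; the warnings are hidden by the surrounding `error_reporting(0)` and the code only reaches the error page because `eval('?>')` happens to leave `$cfg` unset. An empty file has the same shape: `filesize()` returns 0 and `fread($fd, 0)` fails rather than returning an empty string. Reading with `$config_contents = file_get_contents($cfgfile_to_load);` and treating `$config_contents === false || $config_contents === ''` as a failed load before the `eval()` makes both cases explicit instead of accidental. The `eval()` also carries exactly the trust requirement of the `include_once()` it replaces (the config file is executed as code), and a one-line comment saying so next to it would save later reviewers from flagging it.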
@@ -0,0 +1,162 @@ +patch #1258978, move common +code for error pages out of common.lib.php, thanks to Sebastian Mendel + +diff -u -r2.147 -r2.148 +--- phpMyAdmin/libraries/common.lib.php 2005/08/16 17:49:57 2.147 ++++ phpMyAdmin/libraries/common.lib.php 2005/08/20 13:23:35 2.148 +@@ -96,37 +96,17 @@ + 'AllowAnywhereRecoding' => FALSE); + // Loads the language file + require_once('./libraries/select_lang.lib.php'); +- // Sends the Content-Type header +- header('Content-Type: text/html; charset=' . $charset); + // Displays the error message +- ?> +-<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" +-"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> +-<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="<?php echo $available_languages[$lang][2]; ?>" lang="<?php echo $available_languages[$lang][2]; ?>" dir="<?php echo $text_dir; ?>"> +- +-<head> +-<title>phpMyAdmin</title> +-<meta http-equiv="Content-Type" content="text/html; charset=<?php echo $charset; ?>" /> +- +-<style type="text/css"> +-<!-- +-body {font-family: sans-serif; font-size: small; color: #000000; background-color: #F5F5F5} +-h1 {font-family: sans-serif; font-size: large; font-weight: bold} +-//--> +-</style> +-</head> +- +- +-<body bgcolor="#ffffff"> +-<h1>phpMyAdmin - <?php echo $strError; ?></h1> +-<p> +-<?php echo $strConfigFileError; ?><br /><br /> +-<a href="<?php echo $cfgfile_to_load; ?>" target="_blank"><?php echo $cfgfile_to_load; ?></a> +-</p> +-</body> +- +-</html> +- <?php ++ // (do not use & for parameters sent by header) ++ header( 'Location: error.php' ++ . '?lang=' . urlencode( $available_languages[$lang][2] ) ++ . '&char=' . urlencode( $charset ) ++ . '&dir=' . urlencode( $text_dir ) ++ . '&type=' . urlencode( $strError ) ++ . '&error=' . urlencode( $strConfigFileError . '<br /><br />' ++ . '<a href="' . $cfgfile_to_load . '" ' ++ . 'target="_blank">' . $cfgfile_to_load . 
'</a>' ) ++ ); + exit(); + } + error_reporting($old_error_reporting); +@@ -1074,35 +1054,14 @@ + } else if (!empty($_SERVER['SERVER_NAME'])) { + $url['host'] = $_SERVER['SERVER_NAME']; + } else { +- header('Content-Type: text/html; charset=' . $charset); + // Displays the error message +- ?> +-<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" +-"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> +-<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="<?php echo $available_languages[$lang][2]; ?>" lang="<?php echo $available_languages[$lang][2]; ?>" dir="<?php echo $text_dir; ?>"> +- +-<head> +-<title>phpMyAdmin</title> +-<meta http-equiv="Content-Type" content="text/html; charset=<?php echo $charset; ?>" /> +- +-<style type="text/css"> +-<!-- +-body {font-family: sans-serif; font-size: small; color: #000000; background-color: #F5F5F5} +-h1 {font-family: sans-serif; font-size: large; font-weight: bold} +-//--> +-</style> +-</head> +- +- +-<body bgcolor="#ffffff"> +-<h1>phpMyAdmin - <?php echo $strError; ?></h1> +-<p> +-<?php echo $strPmaUriError; ?><br /><br /> +-</p> +-</body> +- +-</html> +- <?php ++ header( 'Location: error.php' ++ . '?lang=' . urlencode( $available_languages[$lang][2] ) ++ . '&char=' . urlencode( $charset ) ++ . '&dir=' . urlencode( $text_dir ) ++ . '&type=' . urlencode( $strError ) ++ . '&error=' . urlencode( $strPmaUriError ) ++ ); + exit(); + } + +diff -u -r1.1 -r2.1 +--- phpMyAdmin/error.php 2005-09-07 11:54:25 +0200 1.1 ++++ phpMyAdmin/error.php 2005-09-15 20:35:48 +0200 2.1 +@@ -0,0 +1,61 @@ ++<?php ++/* $Id: error.php,v 2.1 2005/08/20 13:23:34 lem9 Exp $ */ ++// vim: expandtab sw=4 ts=4 sts=4: ++ ++/** ++ * ++ * phpMyAdmin fatal error display page ++ * ++ */ ++$lang = isset( $_REQUEST['lang'] ) ? $_REQUEST['lang'] : 'en'; ++$dir = isset( $_REQUEST['dir'] ) ? $_REQUEST['dir'] : 'ltr'; ++$char = isset( $_REQUEST['char'] ) ? $_REQUEST['char'] : 'utf-8'; ++$type = isset( $_REQUEST['type'] ) ? 
$_REQUEST['type'] : 'error'; ++ ++header('Content-Type: text/html; charset=' . $char); ++?> ++<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> ++<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="<?php echo $lang; ?>" dir="<?php echo $dir; ?>"> ++<head> ++ <title>phpMyAdmin</title> ++ <meta http-equiv="Content-Type" content="text/html; charset=<?php echo $char; ?>" /> ++ <style type="text/css"> ++ <!-- ++ html { ++ padding: 0; ++ margin: 0; ++ } ++ body { ++ font-family: sans-serif; ++ font-size: small; ++ color: #000000; ++ background-color: #F5F5F5; ++ margin: 1em; ++ } ++ h1 { ++ margin: 0; ++ padding: 0.3em; ++ font-size: 1.4em; ++ font-weight: bold; ++ color: #ffffff; ++ background-color: #ff0000; ++ } ++ p { ++ margin: 0; ++ padding: 0.5em; ++ border: 0.1em solid red; ++ background-color: #ffeeee; ++ } ++ //--> ++ </style> ++</head> ++<body> ++<h1>phpMyAdmin - <?php echo $type; ?></h1> ++<p><?php ++if (get_magic_quotes_gpc()) { ++ echo stripslashes($_REQUEST['error']); } ++else { ++ echo $_REQUEST['error']; ++}?></p> ++</body> ++</html> === debian/patches/102-bug1240880.patch ================================================================== --- debian/patches/102-bug1240880.patch (revision 251) +++ debian/patches/102-bug1240880.patch (local) 
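Review bot: error.php, added in 101-patch1258978.patch, takes `lang`, `dir`, `char`, `type` and `error` from `$_REQUEST`, so it renders whatever a request carries regardless of whether common.lib.php issued the redirect; the missing output escaping is addressed by the later 102-bug1265740 patch in this same upload, but `$char` also flows into `header('Content-Type: text/html; charset=' . $char);`, and a request-chosen charset can undermine whatever HTML escaping is applied to the body. Checking the value against the character sets phpMyAdmin itself supports and falling back to `'utf-8'` otherwise is the missing piece. `echo $_REQUEST['error']` is also read without an `isset()` guard, so a direct visit to error.php raises an undefined-index notice under full error reporting; `$error = isset($_REQUEST['error']) ? $_REQUEST['error'] : '';` before the markup avoids that.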
@@ -0,0 +1,14 @@ +bug #1240880, XSS on the cookie-based login panel + +diff -u -r2.25 -r2.26 +--- phpMyAdmin/libraries/auth/cookie.auth.lib.php 2005/03/06 21:10:53 2.25 ++++ phpMyAdmin/libraries/auth/cookie.auth.lib.php 2005/07/21 11:53:33 2.26 +@@ -618,7 +618,7 @@ + } else if (isset($GLOBALS['no_activity']) && $GLOBALS['no_activity']) { + $conn_error = sprintf($GLOBALS['strNoActivity'],$GLOBALS['cfg']['LoginCookieValidity']); + } else if (PMA_DBI_getError()) { +- $conn_error = PMA_DBI_getError(); ++ $conn_error = PMA_sanitize(PMA_DBI_getError()); + } else if (isset($php_errormsg)) { + $conn_error = $php_errormsg; + } else { === debian/patches/102-bug1249239.patch ================================================================== --- debian/patches/102-bug1249239.patch (revision 251) +++ debian/patches/102-bug1249239.patch (local) 
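Review bot: In the cookie.auth.lib.php hunk only the `PMA_DBI_getError()` branch is wrapped in `PMA_sanitize()`; the next branch, `$conn_error = $php_errormsg;`, still assigns a raw PHP error message to the same variable that reaches the login panel, and connection-failure messages commonly embed the host and user they concern. Wrapping it the same way, `$conn_error = PMA_sanitize($php_errormsg);`, keeps the two sources consistent. Whether `$conn_error` is escaped again at the point where it is echoed is not visible in this hunk.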
@@ -0,0 +1,28 @@ +bug #1249239, XSS vulnerability on Create page + +diff -u -r2.140 -r2.141 +--- phpMyAdmin/libraries/common.lib.php 2005/07/27 00:26:52 2.140 ++++ phpMyAdmin/libraries/common.lib.php 2005/08/01 12:38:55 2.141 +@@ -635,11 +635,11 @@ + + // --- Added to solve bug #641765 + // Robbat2 - 12 January 2003, 9:46PM +- // Revised, Robbat2 - 13 Janurary 2003, 2:59PM ++ // Revised, Robbat2 - 13 January 2003, 2:59PM + if (!function_exists('PMA_SQP_isError') || PMA_SQP_isError()) { + $formatted_sql = htmlspecialchars($the_query); + } else { +- $formatted_sql = PMA_formatSql(PMA_SQP_parse($the_query), $the_query); ++ $formatted_sql = PMA_formatSql(PMA_SQP_parse(PMA_sanitize($the_query)), $the_query); + } + // --- + echo "\n" . '<!-- PMA-SQL-ERROR -->' . "\n"; +@@ -655,7 +655,7 @@ + if (!empty($the_query) && !strstr($the_query, 'connect')) { + // --- Added to solve bug #641765 + // Robbat2 - 12 January 2003, 9:46PM +- // Revised, Robbat2 - 13 Janurary 2003, 2:59PM ++ // Revised, Robbat2 - 13 January 2003, 2:59PM + if (function_exists('PMA_SQP_isError') && PMA_SQP_isError()) { + echo PMA_SQP_getErrorString(); + } === debian/patches/102-bug1252124.patch ================================================================== --- debian/patches/102-bug1252124.patch (revision 251) +++ debian/patches/102-bug1252124.patch (local) 
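Review bot: The changed line in 102-bug1249239.patch sanitizes the SQL before parsing, `PMA_SQP_parse(PMA_sanitize($the_query))`, while still passing the raw `$the_query` as the second argument of `PMA_formatSql()`, so the formatter receives two different texts for the same statement; how it uses the second argument is outside the hunk. Because `PMA_sanitize()` rewrites `<`, `>` and `[b]`/`[i]`-style sequences, comparison operators and bracketed literals inside the query are altered before the parser sees them, which may change tokenization. Escaping at the output site, as the `htmlspecialchars($the_query)` fallback branch three lines above already does, keeps the parser input intact; at minimum a comment on the line should state that the parser deliberately receives an HTML-escaped copy.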
@@ -0,0 +1,25 @@ +bug #1252124, XSS on table creation page + +diff -u -r2.15 -r2.16 +--- phpMyAdmin/tbl_create.php 2005/05/26 16:55:15 2.15 ++++ phpMyAdmin/tbl_create.php 2005/08/04 19:24:16 2.16 +@@ -7,12 +7,16 @@ + */ + require_once('./libraries/grab_globals.lib.php'); + $js_to_run = 'functions.js'; +-require_once('./header.inc.php'); +- +-// Check parameters + + require_once('./libraries/common.lib.php'); + ++if (isset($table)) { ++ $table = PMA_sanitize($table); ++} ++ ++require_once('./header.inc.php'); ++ ++// Check parameters + PMA_checkParameters(array('db', 'table')); + + /** === debian/patches/102-bug1265740.patch ================================================================== --- debian/patches/102-bug1265740.patch (revision 251) +++ debian/patches/102-bug1265740.patch (local) 
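Review bot: The new `$table = PMA_sanitize($table);` block in tbl_create.php rewrites the variable itself rather than escaping at the output site, and `PMA_sanitize()` is a formatting-code expander (it turns `[b]`, `[i]`, `[br]` into tags) as well as an escaper, so a table name containing such sequences is turned into markup. If the same `$table` is later used to build the CREATE TABLE statement or to look up the table (outside the hunk), the sanitized value no longer matches what the user submitted. `$table = htmlspecialchars($table);` would be the narrower choice for the header, and ideally the escaping would live where `$table` is echoed in header.inc.php. The hunk also moves `require_once('./header.inc.php');` after common.lib.php, which is what makes the function available at this point.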
@@ -0,0 +1,144 @@ +Protect against possible XSS (bug #1265740), move input sanitizing to +special file. + +diff -u -r2.148 -r2.149 +--- phpMyAdmin/libraries/common.lib.php 2005/08/20 13:23:35 2.148 ++++ phpMyAdmin/libraries/common.lib.php 2005/08/22 21:00:52 2.149 +@@ -103,9 +103,7 @@ + . '&char=' . urlencode( $charset ) + . '&dir=' . urlencode( $text_dir ) + . '&type=' . urlencode( $strError ) +- . '&error=' . urlencode( $strConfigFileError . '<br /><br />' +- . '<a href="' . $cfgfile_to_load . '" ' +- . 'target="_blank">' . $cfgfile_to_load . '</a>' ) ++ . '&error=' . urlencode( strtr($strConfigFileError, array('<br />' => '[br]')) . '[br][br]' . '[a@' . $cfgfile_to_load . '@_blank]' . $cfgfile_to_load . '[/a]' ) + ); + exit(); + } +@@ -140,30 +138,8 @@ + */ + require_once('./libraries/defines.lib.php'); + +- +-/** +- * Sanitizes $message, taking into account our special codes +- * for formatting +- * +- * @param string the message +- * +- * @return string the sanitized message +- * +- * @access public +- */ +-function PMA_sanitize($message) +-{ +- $replace_pairs = array( +- '<' => '<', +- '>' => '>', +- '[i]' => '<i>', +- '[/i]' => '</i>', +- '[b]' => '<b>', +- '[br]' => '<br />', +- '[/b]' => '</b>', +- ); +- return strtr($message, $replace_pairs); +-} ++/* Input sanitizing */ ++require_once('./libraries/sanitizing.lib.php'); + + // XSS + if (isset($convcharset)) { +@@ -1060,7 +1036,7 @@ + . '&char=' . urlencode( $charset ) + . '&dir=' . urlencode( $text_dir ) + . '&type=' . urlencode( $strError ) +- . '&error=' . urlencode( $strPmaUriError ) ++ . '&error=' . urlencode( strtr($strPmaUriError, array('<tt>' => '[tt]', '</tt>' => '[/tt]'))) + ); + exit(); + } +diff -u -r2.1 -r2.2 +--- phpMyAdmin/error.php 2005/08/20 13:23:34 2.1 ++++ phpMyAdmin/error.php 2005/08/22 21:00:52 2.2 +@@ -7,18 +7,23 @@ + * phpMyAdmin fatal error display page + * + */ +-$lang = isset( $_REQUEST['lang'] ) ? $_REQUEST['lang'] : 'en'; +-$dir = isset( $_REQUEST['dir'] ) ? 
$_REQUEST['dir'] : 'ltr'; +-$char = isset( $_REQUEST['char'] ) ? $_REQUEST['char'] : 'utf-8'; +-$type = isset( $_REQUEST['type'] ) ? $_REQUEST['type'] : 'error'; + +-header('Content-Type: text/html; charset=' . $char); ++/* Input sanitizing */ ++require_once('./libraries/sanitizing.lib.php'); ++ ++/* Get variables */ ++$lang = isset( $_REQUEST['lang'] ) ? htmlspecialchars($_REQUEST['lang']) : 'en'; ++$dir = isset( $_REQUEST['dir'] ) ? htmlspecialchars($_REQUEST['dir']) : 'ltr'; ++$charset = isset( $_REQUEST['charset'] ) ? htmlspecialchars($_REQUEST['charset']) : 'utf-8'; ++$type = isset( $_REQUEST['type'] ) ? htmlspecialchars($_REQUEST['type']) : 'error'; ++ ++header('Content-Type: text/html; charset=' . $charset); + ?> + <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> + <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="<?php echo $lang; ?>" dir="<?php echo $dir; ?>"> + <head> + <title>phpMyAdmin</title> +- <meta http-equiv="Content-Type" content="text/html; charset=<?php echo $char; ?>" /> ++ <meta http-equiv="Content-Type" content="text/html; charset=<?php echo $charset; ?>" /> + <style type="text/css"> + <!-- + html { +@@ -52,10 +57,10 @@ + <body> + <h1>phpMyAdmin - <?php echo $type; ?></h1> + <p><?php +-if (get_magic_quotes_gpc()) { +- echo stripslashes($_REQUEST['error']); } +-else { +- echo $_REQUEST['error']; +-}?></p> ++if (get_magic_quotes_gpc()) ++ echo PMA_sanitize(stripslashes($_REQUEST['error'])); ++else ++ echo PMA_sanitize($_REQUEST['error']); ++?></p> + </body> + </html> +diff -u -r1.1 -r2.1 +--- phpMyAdmin/libraries/sanitizing.lib.php 2005-09-07 11:54:25 +0200 1.1 ++++ phpMyAdmin/libraries/sanitizing.lib.php 2005-09-15 20:00:35 +0200 2.1 +@@ -0,0 +1,32 @@ ++<?php ++/* $Id: sanitizing.lib.php,v 2.1 2005/08/22 21:00:52 nijel Exp $ */ ++// vim: expandtab sw=4 ts=4 sts=4: ++ ++/** ++ * Sanitizes $message, taking into account our special codes ++ * for formatting ++ * ++ * @param string 
the message ++ * ++ * @return string the sanitized message ++ * ++ * @access public ++ */ ++function PMA_sanitize($message) ++{ ++ $replace_pairs = array( ++ '<' => '<', ++ '>' => '>', ++ '[i]' => '<i>', ++ '[/i]' => '</i>', ++ '[b]' => '<b>', ++ '[/b]' => '</b>', ++ '[tt]' => '<tt>', ++ '[/tt]' => '</tt>', ++ '[br]' => '<br />', ++ '[/a]' => '</a>', ++ ); ++ return preg_replace('/\[a@([^"@]*)@([^]"]*)\]/', '<a href="\1" target="\2">', strtr($message, $replace_pairs)); ++} ++ ++?> === debian/patches/102-bug1283552.patch ================================================================== --- debian/patches/102-bug1283552.patch (revision 251) +++ debian/patches/102-bug1283552.patch (local) 
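Review bot: The new error.php in 102-bug1265740.patch reads `$_REQUEST['charset']`, but the redirects built in common.lib.php (context line `. '&char=' . urlencode( $charset )` in both `header( 'Location: error.php' ...)` calls of the same hunk) still send the parameter as `char`, so the page always falls back to `'utf-8'` and the Content-Type no longer matches the charset the caller selected; either rename the query key to `charset` in both calls or read `$_REQUEST['char']` here. Separately, the `[a@...@...]` rule in the new sanitizing.lib.php, `preg_replace('/\[a@([^"@]*)@([^]"]*)\]/', '<a href="\1" target="\2">', ...)`, keeps quotes out of the attribute but does not constrain the href scheme or the target value, so the markup language accepts arbitrary link destinations; limiting `\1` to relative paths or `http(s)://` URLs would keep PMA_sanitize's output safe regardless of where the message originated. Also, the displayed pairs `'<' => '<'` and `'>' => '>'` look like entity references flattened by the page rendering; if they really were identity mappings the function would escape nothing, so this is worth confirming against the actual patch file.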
@@ -0,0 +1,34 @@ +XSS on username (bug #1283552) + +diff -u -r2.26 -r2.27 +--- phpMyAdmin/libraries/auth/cookie.auth.lib.php 2005/07/21 11:53:33 2.26 ++++ phpMyAdmin/libraries/auth/cookie.auth.lib.php 2005/09/07 07:20:15 2.27 +@@ -255,14 +255,14 @@ + <tr> + <td align="right" bgcolor="<?php echo $GLOBALS['cfg']['BgcolorOne']; ?>"><b><?php echo $GLOBALS['strLogServer']; ?>: </b></td> + <td align="<?php echo $cell_align; ?>" bgcolor="<?php echo $GLOBALS['cfg']['BgcolorOne']; ?>"> +- <input type="text" name="pma_servername" value="<?php echo (isset($default_server) ? $default_server : ''); ?>" size="24" class="textfield" onfocus="this.select()" /> ++ <input type="text" name="pma_servername" value="<?php echo (isset($default_server) ? htmlspecialchars($default_server) : ''); ?>" size="24" class="textfield" onfocus="this.select()" /> + </td> + </tr> + <?php } ?> + <tr> + <td align="right" bgcolor="<?php echo $GLOBALS['cfg']['BgcolorOne']; ?>"><b><?php echo $GLOBALS['strLogUsername']; ?> </b></td> + <td align="<?php echo $cell_align; ?>" bgcolor="<?php echo $GLOBALS['cfg']['BgcolorOne']; ?>"> +- <input type="text" name="pma_username" value="<?php echo (isset($default_user) ? $default_user : ''); ?>" size="24" class="textfield" onfocus="this.select()" /> ++ <input type="text" name="pma_username" value="<?php echo (isset($default_user) ? htmlspecialchars($default_user) : ''); ?>" size="24" class="textfield" onfocus="this.select()" /> + </td> + </tr> + <tr> +diff -u -r2.73 -r2.73.2.1 +--- phpMyAdmin/main.php 2005/08/23 23:08:21 2.73 ++++ phpMyAdmin/main.php 2005/09/07 07:20:00 2.73.2.1 +@@ -92,7 +92,7 @@ + + $full_string = str_replace('%pma_s1%', PMA_MYSQL_STR_VERSION, $strMySQLServerProcess); + $full_string = str_replace('%pma_s2%', $server_info, $full_string); +- $full_string = str_replace('%pma_s3%', $mysql_cur_user_and_host, $full_string); ++ $full_string = str_replace('%pma_s3%', htmlspecialchars($mysql_cur_user_and_host), $full_string); + + echo '<p><b>' . 
$full_string . '</b></p>' . "\n"; + } // end if === debian/patches/102-bug_XSS_on_header.inc.php.patch ================================================================== --- debian/patches/102-bug_XSS_on_header.inc.php.patch (revision 251) +++ debian/patches/102-bug_XSS_on_header.inc.php.patch (local) @@ -0,0 +1,34 @@ +XSS on header.inc.php + +diff -u -r2.31 -r2.31.2.1 +--- phpMyAdmin/header.inc.php 2005/08/12 11:07:41 2.31 ++++ phpMyAdmin/header.inc.php 2005/09/05 22:09:08 2.31.2.1 +@@ -41,16 +41,16 @@ + */ + $title = ''; + if ($cfg['ShowHttpHostTitle']) { +- $title .= (empty($GLOBALS['cfg']['SetHttpHostTitle']) && isset($_SERVER['HTTP_HOST']) ? $_SERVER['HTTP_HOST'] : $GLOBALS['cfg']['SetHttpHostTitle']) . ' >> '; ++ $title .= (empty($GLOBALS['cfg']['SetHttpHostTitle']) && isset($_SERVER['HTTP_HOST']) ? $_SERVER['HTTP_HOST'] : $GLOBALS['cfg']['SetHttpHostTitle']) . ' / '; + } + if (!empty($GLOBALS['cfg']['Server']) && isset($GLOBALS['cfg']['Server']['host'])) { + $title.=str_replace('\'', '\\\'', $GLOBALS['cfg']['Server']['host']); + } + if (isset($GLOBALS['db'])) { +- $title .= ' >> ' . str_replace('\'', '\\\'', $GLOBALS['db']); ++ $title .= ' / ' . str_replace('\'', '\\\'', $GLOBALS['db']); + } + if (isset($GLOBALS['table'])) { +- $title .= (empty($title) ? '' : ' ') . ' >> ' . str_replace('\'', '\\\'', $GLOBALS['table']); ++ $title .= (empty($title) ? '' : ' ') . ' / ' . str_replace('\'', '\\\'', $GLOBALS['table']); + } + $title .= ' | phpMyAdmin ' . PMA_VERSION; + ?> +@@ -59,7 +59,7 @@ + // Updates the title of the frameset if possible (ns4 does not allow this) + if (typeof(parent.document) != 'undefined' && typeof(parent.document) != 'unknown' + && typeof(parent.document.title) == 'string') { +- parent.document.title = '<?php echo $title; ?>'; ++ parent.document.title = '<?php echo PMA_sanitize($title); ?>'; + } + + document.write('<style type="text/css">');
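Review bot: In the main.php hunk of 102-bug1283552.patch `%pma_s3%` now gets `htmlspecialchars($mysql_cur_user_and_host)`, but the line just above, `$full_string = str_replace('%pma_s2%', $server_info, $full_string);`, still substitutes `$server_info` raw into the same `<b>` text. That value presumably comes from the MySQL server rather than the request, so the exposure is lower, but it is the same sink and escaping it the same way, `htmlspecialchars($server_info)`, makes the block self-evidently safe. The login-form changes in cookie.auth.lib.php sit inside double-quoted `value="..."` attributes, where the default `htmlspecialchars()` flags (which escape `"`) are sufficient.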
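Review bot: `parent.document.title = '<?php echo PMA_sanitize($title); ?>';` in the header.inc.php hunk places `$title` inside a JavaScript string literal, where HTML-oriented escaping is the wrong tool: `PMA_sanitize()` rewrites `<`/`>` and expands `[b]`/`[i]`-style codes found in database or table names into tags, while this context needs escaping of the backslash, the quote character and line breaks. The surrounding `str_replace('\'', '\\\'', ...)` calls escape the single quote but not the backslash, so the escaping can be undone, and the `$_SERVER['HTTP_HOST']` fragment receives no quote escaping at all. A single JS-string encoder applied once at the echo (for this PHP vintage `addslashes()` covers backslash and both quote characters; additionally replace `</` so the string cannot close the script element) would replace the per-fragment `str_replace` calls and the `PMA_sanitize()` call. The section continues outside the hunk, so whether `$title` is also used in an HTML context is not visible here.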