The patch for sarge also fixes CVE-2005-3301 and CAN-2005-2869.

-- 
 .''`.    Piotr Roszatycki, Netia SA
: :' :    mailto:[EMAIL PROTECTED]
`. `'     mailto:[EMAIL PROTECTED]
  `-
=== debian/changelog
==================================================================
--- debian/changelog	(revision 251)
+++ debian/changelog	(local)
@@ -1,3 +1,43 @@
+phpmyadmin (4:2.6.2-3sarge1) stable-security; urgency=high
+
+  * Security fix: Several Cross-Site Scripting vulnerabilities.
+    See http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2869
+    Closes: #328501.
+  * Security fix: (1) Local file inclusion vulnerability and (2) Cross-Site
+    Scripting vulnerability.
+    See http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3300
+    See http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3301
+    Closes: #335306, #335513.
+
+  * Modified 001-config.patch:
+    - Append the Debian package revision to the upstream version. Marks that
+      this phpMyAdmin package has additional Debian modifications so the
+      bugreports won't confuse phpMyAdmin's coders.
+  * New 100-bug1223319.patch:
+    - Use eval for config file including to catch parse errors. The patch is
+      required by further patch which fixes XSS.
+  * New 101-patch1258978.patch:
+    - Move common code for error pages out of common.lib.php. The patch is
+      required by further patch which fixes XSS.
+  * New 102-bug1240880.patch:
+    - XSS on the cookie-based login panel.
+  * New 102-bug1249239.patch:
+    - XSS vulnerability on Create page.
+  * New 102-bug1252124.patch:
+    - XSS on table creation page.
+  * New 102-bug1265740.patch:
+    - Protect against possible XSS, move input sanitizing to special file.
+  * New 102-bug1283552.patch:
+    - XSS on username.
+  * New 102-bug_XSS_on_header.inc.php.patch:
+    - XSS on header.inc.php.
+  * New 103-bug_CVE-2005-3300.patch:
+    - Cross-Site Scripting vulnerability.
+  * New 103-bug_CVE-2005-3301.patch:
+    - Local file inclusion vulnerability.
+
+ -- Piotr Roszatycki <[EMAIL PROTECTED]>  Mon, 24 Oct 2005 21:02:38 +0200
+
 phpmyadmin (4:2.6.2-3) unstable; urgency=high
 
   * Fix apache2.conf only for 4:2.6.2-1 release. Closes: #307901 (critical),
=== debian/packages
==================================================================
--- debian/packages	(revision 251)
+++ debian/packages	(local)
@@ -68,6 +68,12 @@
  for webserver in apache apache-perl apache-ssl apache2; do
      yada install -conf -ucf -into /etc/$webserver/conf.d -as phpmyadmin.conf debian/conf/apache.conf
  done
+ .
+ version=$(grep "define.'PMA_VERSION" libraries/defines.lib.php | sed "s/.*, '//; s/'.*//")-Debian-${VERSION##*-}
+ sed -e 's/@VERSION@/'"$version"'/' \
+     $ROOT/usr/share/phpmyadmin/config.inc.php > $ROOT/usr/share/phpmyadmin/config.inc.php.tmp
+ mv -f $ROOT/usr/share/phpmyadmin/config.inc.php.tmp $ROOT/usr/share/phpmyadmin/config.inc.php
+ .
  yada symlink -into /usr/share/phpmyadmin -as .htaccess /etc/phpmyadmin/htaccess
  yada symlink -into /var/www /usr/share/phpmyadmin
  yada symlink -into /usr/share/phpmyadmin /etc/phpmyadmin/config.header.inc.php
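Review bot: The `version=$(grep ... | sed ...)` line silently yields `-Debian-<rev>` when the grep matches nothing (for example if defines.lib.php changes how PMA_VERSION is spelled), and that empty upstream part is then written into config.inc.php without any error. Capturing the grep result first and failing the build when it is empty keeps the problem visible: `pma_version=$(grep "define.'PMA_VERSION" libraries/defines.lib.php | sed "s/.*, '//; s/'.*//")`, `[ -n "$pma_version" ] || { echo "PMA_VERSION not found in libraries/defines.lib.php" >&2; exit 1; }`, `version=$pma_version-Debian-${VERSION##*-}`. The `sed -e 's/@VERSION@/'"$version"'/'` substitution also assumes `$version` contains neither `/` nor `&`; that holds for the values seen here but deserves a comment. Whether the surrounding script runs under `set -e` is not visible in the hunk.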
=== debian/patches/001-config.patch
==================================================================
--- debian/patches/001-config.patch	(revision 251)
+++ debian/patches/001-config.patch	(local)
@@ -43,7 +43,7 @@
  $cfg['Servers'][$i]['user']          = 'root';      // MySQL user
  $cfg['Servers'][$i]['password']      = '';          // MySQL password (only needed
                                                      // with 'config' auth_type)
-@@ -838,6 +839,13 @@
+@@ -838,6 +839,17 @@
   */
  set_magic_quotes_runtime(0);
  
@@ -53,7 +53,11 @@
 + */
 +include('/etc/phpmyadmin/config.inc.php');
 +
++if (!defined('PMA_VERSION')) {
++    define('PMA_VERSION', '@VERSION@');
++}
 +
++
  /**
   * File Revision - do not change either!
   */
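Review bot: The added `if (!defined('PMA_VERSION')) { define('PMA_VERSION', '@VERSION@'); }` runs from config.inc.php, which common.lib.php loads before its `require_once('./libraries/defines.lib.php')`; if defines.lib.php defines PMA_VERSION unconditionally, PHP will emit a "Constant PMA_VERSION already defined" notice on every request — worth confirming against defines.lib.php, which is not in this diff. The guard also depends on the build-time substitution in debian/packages: if `@VERSION@` is left unreplaced, the literal placeholder ends up in page titles via `$title .= ' | phpMyAdmin ' . PMA_VERSION;` (see the header.inc.php patch further down). A short comment above the block, such as `// @VERSION@ is substituted at package build time by debian/packages`, would record the intent for the next maintainer.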
=== debian/patches/100-bug1223319.patch
==================================================================
--- debian/patches/100-bug1223319.patch	(revision 251)
+++ debian/patches/100-bug1223319.patch	(local)
@@ -0,0 +1,31 @@
+Use eval for config file including to catch parse errors (bug #1223319),
+on error page display config file that actually failed.
+
+diff -u -r2.138 -r2.139
+--- phpMyAdmin/libraries/common.lib.php	2005/07/11 05:51:13	2.138
++++ phpMyAdmin/libraries/common.lib.php	2005/07/13 11:16:51	2.139
+@@ -85,9 +85,12 @@
+  * versions of phpMyAdmin/php/mysql...
+  */
+ $old_error_reporting = error_reporting(0);
+-include_once($cfgfile_to_load);
+-// Include failed
+-if (!isset($cfgServers) && !isset($cfg['Servers'])) {
++// We can not use include as it fails on parse error
++$config_fd = fopen($cfgfile_to_load, 'r');
++$result = eval('?>' . fread($config_fd, filesize($cfgfile_to_load)));
++fclose($config_fd);
++// Eval failed
++if ($result === FALSE || (!isset($cfgServers) && !isset($cfg['Servers']))) {
+     // Creates fake settings
+     $cfg = array('DefaultLang'           => 'en-iso-8859-1',
+                     'AllowAnywhereRecoding' => FALSE);
+@@ -118,7 +121,7 @@
+ <h1>phpMyAdmin - <?php echo $strError; ?></h1>
+ <p>
+ <?php echo $strConfigFileError; ?><br /><br />
+-<a href="config.inc.php" target="_blank">config.inc.php</a>
++<a href="<?php echo $cfgfile_to_load; ?>" target="_blank"><?php echo $cfgfile_to_load; ?></a>
+ </p>
+ </body>
+ 
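Review bot: The `$config_fd = fopen($cfgfile_to_load, 'r');` line never checks its return value, so a missing or unreadable config file reaches `fread()`, `filesize()` and `fclose()` with FALSE, and with `error_reporting(0)` in effect the only thing that catches the failure is the later `!isset($cfg['Servers'])` test. Making the handle check explicit keeps the error path intentional: `$config_fd = fopen($cfgfile_to_load, 'r');`, `$result = ($config_fd === FALSE) ? FALSE : eval('?>' . fread($config_fd, filesize($cfgfile_to_load)));`, `if ($config_fd !== FALSE) { fclose($config_fd); }`. Note also that evaluating the file contents with eval() may change the meaning of `__FILE__` and of relative includes inside the config compared to include_once; a one-line comment stating that trade-off next to `// We can not use include as it fails on parse error` would help the next maintainer.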
=== debian/patches/101-patch1258978.patch
==================================================================
--- debian/patches/101-patch1258978.patch	(revision 251)
+++ debian/patches/101-patch1258978.patch	(local)
@@ -0,0 +1,162 @@
+patch #1258978, move common
+code for error pages out of common.lib.php, thanks to Sebastian Mendel
+
+diff -u -r2.147 -r2.148
+--- phpMyAdmin/libraries/common.lib.php	2005/08/16 17:49:57	2.147
++++ phpMyAdmin/libraries/common.lib.php	2005/08/20 13:23:35	2.148
+@@ -96,37 +96,17 @@
+                     'AllowAnywhereRecoding' => FALSE);
+     // Loads the language file
+     require_once('./libraries/select_lang.lib.php');
+-    // Sends the Content-Type header
+-    header('Content-Type: text/html; charset=' . $charset);
+     // Displays the error message
+-    ?>
+-<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+-"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd";>
+-<html xmlns="http://www.w3.org/1999/xhtml"; xml:lang="<?php echo $available_languages[$lang][2]; ?>" lang="<?php echo $available_languages[$lang][2]; ?>" dir="<?php echo $text_dir; ?>">
+-
+-<head>
+-<title>phpMyAdmin</title>
+-<meta http-equiv="Content-Type" content="text/html; charset=<?php echo $charset; ?>" />
+-
+-<style type="text/css">
+-<!--
+-body  {font-family: sans-serif; font-size: small; color: #000000; background-color: #F5F5F5}
+-h1    {font-family: sans-serif; font-size: large; font-weight: bold}
+-//-->
+-</style>
+-</head>
+-
+-
+-<body bgcolor="#ffffff">
+-<h1>phpMyAdmin - <?php echo $strError; ?></h1>
+-<p>
+-<?php echo $strConfigFileError; ?><br /><br />
+-<a href="<?php echo $cfgfile_to_load; ?>" target="_blank"><?php echo $cfgfile_to_load; ?></a>
+-</p>
+-</body>
+-
+-</html>
+-    <?php
++    // (do not use &amp; for parameters sent by header)
++    header( 'Location: error.php'
++            . '?lang='  . urlencode( $available_languages[$lang][2] )
++            . '&char='  . urlencode( $charset )
++            . '&dir='   . urlencode( $text_dir )
++            . '&type='  . urlencode( $strError )
++            . '&error=' . urlencode( $strConfigFileError . '<br /><br />'
++                                    . '<a href="' . $cfgfile_to_load . '" '
++                                    . 'target="_blank">' . $cfgfile_to_load . '</a>' )
++             );
+     exit();
+ }
+ error_reporting($old_error_reporting);
+@@ -1074,35 +1054,14 @@
+             } else if (!empty($_SERVER['SERVER_NAME'])) {
+                 $url['host'] = $_SERVER['SERVER_NAME'];
+             } else {
+-                header('Content-Type: text/html; charset=' . $charset);
+                 // Displays the error message
+-                ?>
+-<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+-"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd";>
+-<html xmlns="http://www.w3.org/1999/xhtml"; xml:lang="<?php echo $available_languages[$lang][2]; ?>" lang="<?php echo $available_languages[$lang][2]; ?>" dir="<?php echo $text_dir; ?>">
+-
+-<head>
+-<title>phpMyAdmin</title>
+-<meta http-equiv="Content-Type" content="text/html; charset=<?php echo $charset; ?>" />
+-
+-<style type="text/css">
+-<!--
+-body  {font-family: sans-serif; font-size: small; color: #000000; background-color: #F5F5F5}
+-h1    {font-family: sans-serif; font-size: large; font-weight: bold}
+-//-->
+-</style>
+-</head>
+-
+-
+-<body bgcolor="#ffffff">
+-<h1>phpMyAdmin - <?php echo $strError; ?></h1>
+-<p>
+-<?php echo $strPmaUriError; ?><br /><br />
+-</p>
+-</body>
+-
+-</html>
+-                <?php
++                header( 'Location: error.php'
++                        . '?lang='  . urlencode( $available_languages[$lang][2] )
++                        . '&char='  . urlencode( $charset )
++                        . '&dir='   . urlencode( $text_dir )
++                        . '&type='  . urlencode( $strError )
++                        . '&error=' . urlencode( $strPmaUriError )
++                         );
+                 exit();
+             }
+ 
+diff -u -r1.1 -r2.1
+--- phpMyAdmin/error.php	2005-09-07 11:54:25 +0200	1.1
++++ phpMyAdmin/error.php	2005-09-15 20:35:48 +0200	2.1
+@@ -0,0 +1,61 @@
++<?php
++/* $Id: error.php,v 2.1 2005/08/20 13:23:34 lem9 Exp $ */
++// vim: expandtab sw=4 ts=4 sts=4:
++
++/**
++ *
++ * phpMyAdmin fatal error display page
++ * 
++ */
++$lang = isset( $_REQUEST['lang'] ) ? $_REQUEST['lang'] : 'en';
++$dir  = isset( $_REQUEST['dir']  ) ? $_REQUEST['dir']  : 'ltr';
++$char = isset( $_REQUEST['char'] ) ? $_REQUEST['char'] : 'utf-8';
++$type = isset( $_REQUEST['type'] ) ? $_REQUEST['type'] : 'error';
++
++header('Content-Type: text/html; charset=' . $char);
++?>
++<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd";>
++<html xmlns="http://www.w3.org/1999/xhtml"; xml:lang="<?php echo $lang; ?>" dir="<?php echo $dir; ?>">
++<head>
++    <title>phpMyAdmin</title>
++    <meta http-equiv="Content-Type" content="text/html; charset=<?php echo $char; ?>" />
++    <style type="text/css">
++    <!--
++    html {
++        padding: 0;
++        margin: 0;
++    }
++    body  {
++        font-family: sans-serif;
++        font-size: small;
++        color: #000000;
++        background-color: #F5F5F5;
++        margin: 1em;
++    }
++    h1 {
++        margin: 0;
++        padding: 0.3em;
++        font-size: 1.4em;
++        font-weight: bold;
++        color: #ffffff;
++        background-color: #ff0000;
++    }
++    p {
++        margin: 0;
++        padding: 0.5em;
++        border: 0.1em solid red;
++        background-color: #ffeeee;
++    }
++    //-->
++    </style>
++</head>
++<body>
++<h1>phpMyAdmin - <?php echo $type; ?></h1>
++<p><?php
++if (get_magic_quotes_gpc()) {
++    echo stripslashes($_REQUEST['error']); }
++else {
++    echo $_REQUEST['error'];
++}?></p>
++</body>
++</html>
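Review bot: error.php, added in the second inner diff, renders whatever arrives in `$_REQUEST['error']` and `$_REQUEST['type']`, so any link to error.php on this host can display arbitrary text under the phpMyAdmin heading; a later patch in this series (102-bug1265740) adds escaping, which stops script injection but not content spoofing. A safer design passes only a message identifier in the query string and resolves the text server-side, or hands the message over through the session instead of the URL. The `header('Location: error.php' ...)` calls in common.lib.php also use a relative URL, while HTTP/1.1 specifies an absolute URI for Location and some proxies reject relative ones, so building it from the request's own base would be more robust. The redirected error page additionally answers with status 200, which monitoring cannot tell apart from a working page.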
=== debian/patches/102-bug1240880.patch
==================================================================
--- debian/patches/102-bug1240880.patch	(revision 251)
+++ debian/patches/102-bug1240880.patch	(local)
@@ -0,0 +1,14 @@
+bug #1240880, XSS on the cookie-based login panel
+
+diff -u -r2.25 -r2.26
+--- phpMyAdmin/libraries/auth/cookie.auth.lib.php	2005/03/06 21:10:53	2.25
++++ phpMyAdmin/libraries/auth/cookie.auth.lib.php	2005/07/21 11:53:33	2.26
+@@ -618,7 +618,7 @@
+     } else if (isset($GLOBALS['no_activity']) && $GLOBALS['no_activity']) {
+         $conn_error = sprintf($GLOBALS['strNoActivity'],$GLOBALS['cfg']['LoginCookieValidity']);
+     } else if (PMA_DBI_getError()) {
+-        $conn_error = PMA_DBI_getError();
++        $conn_error = PMA_sanitize(PMA_DBI_getError());
+     } else if (isset($php_errormsg)) {
+         $conn_error = $php_errormsg;
+     } else {
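Review bot: The `$conn_error = $php_errormsg;` branch two lines below the change is left unescaped while the PMA_DBI_getError() branch now goes through PMA_sanitize(), so the same variable still has one raw source; applying `$conn_error = PMA_sanitize($php_errormsg);` keeps the branches consistent (how $conn_error is rendered is outside the hunk, so whether it is escaped later cannot be confirmed here). Note also that PMA_sanitize(), as defined in common.lib.php at this point of the series, rewrites `[b]`, `[i]` and `[br]` markers into HTML tags, so a MySQL error text containing such brackets would be rendered as markup; `htmlspecialchars()` is the more precise choice for a plain error string unless the bracket markup is wanted here.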
=== debian/patches/102-bug1249239.patch
==================================================================
--- debian/patches/102-bug1249239.patch	(revision 251)
+++ debian/patches/102-bug1249239.patch	(local)
@@ -0,0 +1,19 @@
+bug #1249239, XSS vulnerability on Create page
+
+diff -u -r2.140 -r2.141
+--- phpMyAdmin/libraries/common.lib.php	2005/07/27 00:26:52	2.140
++++ phpMyAdmin/libraries/common.lib.php	2005/08/01 12:38:55	2.141
+@@ -635,11 +635,11 @@
+ 
+         // --- Added to solve bug #641765
+         // Robbat2 - 12 January 2003, 9:46PM
+-        // Revised, Robbat2 - 13 Janurary 2003, 2:59PM
++        // Revised, Robbat2 - 13 January 2003, 2:59PM
+         if (!function_exists('PMA_SQP_isError') || PMA_SQP_isError()) {
+             $formatted_sql = htmlspecialchars($the_query);
+         } else {
+-            $formatted_sql = PMA_formatSql(PMA_SQP_parse($the_query), $the_query);
++            $formatted_sql = PMA_formatSql(PMA_SQP_parse(PMA_sanitize($the_query)), $the_query);
+         }
+         // ---
+         echo "\n" . '<!-- PMA-SQL-ERROR -->' . "\n";
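Review bot: Applying PMA_sanitize() to the input of PMA_SQP_parse() while the second argument to PMA_formatSql() stays the raw `$the_query` means the parser now sees `&lt;`/`&gt;` and `<b>`-style substitutions in place of the operators and bracket sequences the user actually typed, so a statement such as `a < b` is likely tokenised differently from the one that ran, and the raw copy is still handed to the formatter (its use of that argument is not visible here). Escaping belongs at the point where token text is written into HTML; if that is PMA_formatSql, the call would stay `$formatted_sql = PMA_formatSql(PMA_SQP_parse($the_query), $the_query);` with the escaping moved inside the formatter. If PMA_SQP_parse must receive an escaped string for now, a comment saying so, e.g. `// escaped before parsing: the formatter echoes token text verbatim`, would stop a future reader from reverting it as a mistake.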
=== debian/patches/102-bug1252124.patch
==================================================================
--- debian/patches/102-bug1252124.patch	(revision 251)
+++ debian/patches/102-bug1252124.patch	(local)
@@ -0,0 +1,25 @@
+bug #1252124, XSS on table creation page
+
+diff -u -r2.15 -r2.16
+--- phpMyAdmin/tbl_create.php	2005/05/26 16:55:15	2.15
++++ phpMyAdmin/tbl_create.php	2005/08/04 19:24:16	2.16
+@@ -7,12 +7,16 @@
+  */
+ require_once('./libraries/grab_globals.lib.php');
+ $js_to_run = 'functions.js';
+-require_once('./header.inc.php');
+-
+-// Check parameters
+ 
+ require_once('./libraries/common.lib.php');
+ 
++if (isset($table)) {
++    $table = PMA_sanitize($table);
++}
++
++require_once('./header.inc.php');
++
++// Check parameters
+ PMA_checkParameters(array('db', 'table'));
+ 
+ /**
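Review bot: `$table = PMA_sanitize($table);` rewrites the request value in place before it is used, so a table name containing `<`, `>` or markers such as `[b]` is altered for everything that follows, including any CREATE TABLE statement built from `$table` later in the file (that code is outside the hunk). Escaping at output — in header.inc.php's title, which the 102-bug_XSS_on_header patch in this series already does — avoids changing the identifier itself; if an input-side check is still wanted, rejecting a name that differs from its escaped form is safer than silently substituting. A comment such as `// escaped for header.inc.php's title; note this changes the name used below` would at least make the side effect visible.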
=== debian/patches/102-bug1265740.patch
==================================================================
--- debian/patches/102-bug1265740.patch	(revision 251)
+++ debian/patches/102-bug1265740.patch	(local)
@@ -0,0 +1,144 @@
+Protect against possible XSS (bug #1265740), move input sanitizing to
+special file.
+
+diff -u -r2.148 -r2.149
+--- phpMyAdmin/libraries/common.lib.php	2005/08/20 13:23:35	2.148
++++ phpMyAdmin/libraries/common.lib.php	2005/08/22 21:00:52	2.149
+@@ -103,9 +103,7 @@
+             . '&char='  . urlencode( $charset )
+             . '&dir='   . urlencode( $text_dir )
+             . '&type='  . urlencode( $strError )
+-            . '&error=' . urlencode( $strConfigFileError . '<br /><br />'
+-                                    . '<a href="' . $cfgfile_to_load . '" '
+-                                    . 'target="_blank">' . $cfgfile_to_load . '</a>' )
++            . '&error=' . urlencode( strtr($strConfigFileError, array('<br />' => '[br]')) . '[br][br]' . '[a@' . $cfgfile_to_load . '@_blank]' . $cfgfile_to_load . '[/a]' )
+              );
+     exit();
+ }
+@@ -140,30 +138,8 @@
+  */
+ require_once('./libraries/defines.lib.php');
+ 
+-
+-/**
+- * Sanitizes $message, taking into account our special codes
+- * for formatting
+- *
+- * @param   string   the message
+- *
+- * @return  string   the sanitized message
+- *
+- * @access  public
+- */
+-function PMA_sanitize($message)
+-{
+-    $replace_pairs = array(
+-        '<'     => '&lt;',
+-        '>'     => '&gt;',
+-        '[i]'   => '<i>',
+-        '[/i]'  => '</i>',
+-        '[b]'   => '<b>',
+-        '[br]'  => '<br />',
+-        '[/b]'  => '</b>',
+-    );
+-    return strtr($message, $replace_pairs);
+-}
++/* Input sanitizing */
++require_once('./libraries/sanitizing.lib.php');
+ 
+ // XSS
+ if (isset($convcharset)) {
+@@ -1060,7 +1036,7 @@
+                         . '&char='  . urlencode( $charset )
+                         . '&dir='   . urlencode( $text_dir )
+                         . '&type='  . urlencode( $strError )
+-                        . '&error=' . urlencode( $strPmaUriError )
++                        . '&error=' . urlencode( strtr($strPmaUriError, array('<tt>' => '[tt]', '</tt>' => '[/tt]')))
+                          );
+                 exit();
+             }
+diff -u -r2.1 -r2.2
+--- phpMyAdmin/error.php	2005/08/20 13:23:34	2.1
++++ phpMyAdmin/error.php	2005/08/22 21:00:52	2.2
+@@ -7,18 +7,23 @@
+  * phpMyAdmin fatal error display page
+  * 
+  */
+-$lang = isset( $_REQUEST['lang'] ) ? $_REQUEST['lang'] : 'en';
+-$dir  = isset( $_REQUEST['dir']  ) ? $_REQUEST['dir']  : 'ltr';
+-$char = isset( $_REQUEST['char'] ) ? $_REQUEST['char'] : 'utf-8';
+-$type = isset( $_REQUEST['type'] ) ? $_REQUEST['type'] : 'error';
+ 
+-header('Content-Type: text/html; charset=' . $char);
++/* Input sanitizing */
++require_once('./libraries/sanitizing.lib.php');
++
++/* Get variables */
++$lang    = isset( $_REQUEST['lang'] ) ?     htmlspecialchars($_REQUEST['lang'])     : 'en';
++$dir     = isset( $_REQUEST['dir']  ) ?     htmlspecialchars($_REQUEST['dir'])      : 'ltr';
++$charset = isset( $_REQUEST['charset'] ) ?  htmlspecialchars($_REQUEST['charset'])  : 'utf-8';
++$type    = isset( $_REQUEST['type'] ) ?     htmlspecialchars($_REQUEST['type'])     : 'error';
++
++header('Content-Type: text/html; charset=' . $charset);
+ ?>
+ <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd";>
+ <html xmlns="http://www.w3.org/1999/xhtml"; xml:lang="<?php echo $lang; ?>" dir="<?php echo $dir; ?>">
+ <head>
+     <title>phpMyAdmin</title>
+-    <meta http-equiv="Content-Type" content="text/html; charset=<?php echo $char; ?>" />
++    <meta http-equiv="Content-Type" content="text/html; charset=<?php echo $charset; ?>" />
+     <style type="text/css">
+     <!--
+     html {
+@@ -52,10 +57,10 @@
+ <body>
+ <h1>phpMyAdmin - <?php echo $type; ?></h1>
+ <p><?php
+-if (get_magic_quotes_gpc()) {
+-    echo stripslashes($_REQUEST['error']); }
+-else {
+-    echo $_REQUEST['error'];
+-}?></p>
++if (get_magic_quotes_gpc())
++    echo PMA_sanitize(stripslashes($_REQUEST['error']));
++else 
++    echo PMA_sanitize($_REQUEST['error']);
++?></p>
+ </body>
+ </html>
+diff -u -r1.1 -r2.1
+--- phpMyAdmin/libraries/sanitizing.lib.php	2005-09-07 11:54:25 +0200	1.1
++++ phpMyAdmin/libraries/sanitizing.lib.php	2005-09-15 20:00:35 +0200	2.1
+@@ -0,0 +1,32 @@
++<?php
++/* $Id: sanitizing.lib.php,v 2.1 2005/08/22 21:00:52 nijel Exp $ */
++// vim: expandtab sw=4 ts=4 sts=4:
++
++/**
++ * Sanitizes $message, taking into account our special codes
++ * for formatting
++ *
++ * @param   string   the message
++ *
++ * @return  string   the sanitized message
++ *
++ * @access  public
++ */
++function PMA_sanitize($message)
++{
++    $replace_pairs = array(
++        '<'     => '&lt;',
++        '>'     => '&gt;',
++        '[i]'   => '<i>',
++        '[/i]'  => '</i>',
++        '[b]'   => '<b>',
++        '[/b]'  => '</b>',
++        '[tt]'   => '<tt>',
++        '[/tt]'  => '</tt>',
++        '[br]'  => '<br />',
++        '[/a]'  => '</a>',
++    );
++    return preg_replace('/\[a@([^"@]*)@([^]"]*)\]/', '<a href="\1" target="\2">', strtr($message, $replace_pairs));
++}
++
++?>
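Review bot: error.php now reads `$_REQUEST['charset']` (the `$charset = isset( $_REQUEST['charset'] ) ...` line) but both redirects in common.lib.php still send the parameter as `&char=` (visible as context at the `. '&char=' . urlencode( $charset )` lines), so the charset from the redirect is always ignored and the page falls back to 'utf-8'; either rename the sender to `'&charset='` or read `$_REQUEST['char']` here. `htmlspecialchars()` is also the wrong filter for a value that goes into `header('Content-Type: text/html; charset=' . $charset)` — an allow-list of known charset names is the right check for a header, with the HTML escaping kept for the `<meta>` output. Separately, the new `[a@href@target]` rule in PMA_sanitize() accepts any URL scheme, and error.php feeds `$_REQUEST['error']` straight into it, so links in the error page are not restricted to http/https; limiting the captured href to those schemes in the regex, or not honouring the link rule for request-supplied text, would close that.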
=== debian/patches/102-bug1283552.patch
==================================================================
--- debian/patches/102-bug1283552.patch	(revision 251)
+++ debian/patches/102-bug1283552.patch	(local)
@@ -0,0 +1,34 @@
+XSS on username (bug #1283552)
+
+diff -u -r2.26 -r2.27
+--- phpMyAdmin/libraries/auth/cookie.auth.lib.php	2005/07/21 11:53:33	2.26
++++ phpMyAdmin/libraries/auth/cookie.auth.lib.php	2005/09/07 07:20:15	2.27
+@@ -255,14 +255,14 @@
+     <tr>
+         <td align="right" bgcolor="<?php echo $GLOBALS['cfg']['BgcolorOne']; ?>"><b><?php echo $GLOBALS['strLogServer']; ?>:&nbsp;</b></td>
+         <td align="<?php echo $cell_align; ?>" bgcolor="<?php echo $GLOBALS['cfg']['BgcolorOne']; ?>">
+-            <input type="text" name="pma_servername" value="<?php echo (isset($default_server) ? $default_server : ''); ?>" size="24" class="textfield" onfocus="this.select()" />
++            <input type="text" name="pma_servername" value="<?php echo (isset($default_server) ? htmlspecialchars($default_server) : ''); ?>" size="24" class="textfield" onfocus="this.select()" />
+         </td>
+     </tr>
+ <?php } ?>
+     <tr>
+         <td align="right" bgcolor="<?php echo $GLOBALS['cfg']['BgcolorOne']; ?>"><b><?php echo $GLOBALS['strLogUsername']; ?>&nbsp;</b></td>
+         <td align="<?php echo $cell_align; ?>" bgcolor="<?php echo $GLOBALS['cfg']['BgcolorOne']; ?>">
+-            <input type="text" name="pma_username" value="<?php echo (isset($default_user) ? $default_user : ''); ?>" size="24" class="textfield" onfocus="this.select()" />
++            <input type="text" name="pma_username" value="<?php echo (isset($default_user) ? htmlspecialchars($default_user) : ''); ?>" size="24" class="textfield" onfocus="this.select()" />
+         </td>
+     </tr>
+     <tr>
+diff -u -r2.73 -r2.73.2.1
+--- phpMyAdmin/main.php	2005/08/23 23:08:21	2.73
++++ phpMyAdmin/main.php	2005/09/07 07:20:00	2.73.2.1
+@@ -92,7 +92,7 @@
+ 
+     $full_string     = str_replace('%pma_s1%', PMA_MYSQL_STR_VERSION, $strMySQLServerProcess);
+     $full_string     = str_replace('%pma_s2%', $server_info, $full_string);
+-    $full_string     = str_replace('%pma_s3%', $mysql_cur_user_and_host, $full_string);
++    $full_string     = str_replace('%pma_s3%', htmlspecialchars($mysql_cur_user_and_host), $full_string);
+ 
+     echo '<p><b>' . $full_string . '</b></p>' . "\n";
+ } // end if
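Review bot: In the main.php hunk, `$server_info` on the line above the change is still concatenated into `$full_string` unescaped, while `$mysql_cur_user_and_host` now goes through htmlspecialchars(); the value comes from the MySQL server (its origin is outside the hunk), so against an untrusted server it is a second injection point in the same `<p><b>...</b></p>` output. Applying the same treatment keeps the line consistent: `$full_string = str_replace('%pma_s2%', htmlspecialchars($server_info), $full_string);`. The cookie.auth.lib.php hunk is fine as is: htmlspecialchars()' default mode escapes double quotes, which matches the double-quoted `value="..."` attributes it is used in.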
=== debian/patches/102-bug_XSS_on_header.inc.php.patch
==================================================================
--- debian/patches/102-bug_XSS_on_header.inc.php.patch	(revision 251)
+++ debian/patches/102-bug_XSS_on_header.inc.php.patch	(local)
@@ -0,0 +1,34 @@
+XSS on header.inc.php
+
+diff -u -r2.31 -r2.31.2.1
+--- phpMyAdmin/header.inc.php	2005/08/12 11:07:41	2.31
++++ phpMyAdmin/header.inc.php	2005/09/05 22:09:08	2.31.2.1
+@@ -41,16 +41,16 @@
+      */
+     $title     = '';
+     if ($cfg['ShowHttpHostTitle']) {
+-        $title .= (empty($GLOBALS['cfg']['SetHttpHostTitle']) && isset($_SERVER['HTTP_HOST']) ? $_SERVER['HTTP_HOST'] : $GLOBALS['cfg']['SetHttpHostTitle']) . ' >> ';
++        $title .= (empty($GLOBALS['cfg']['SetHttpHostTitle']) && isset($_SERVER['HTTP_HOST']) ? $_SERVER['HTTP_HOST'] : $GLOBALS['cfg']['SetHttpHostTitle']) . ' / ';
+     }
+     if (!empty($GLOBALS['cfg']['Server']) && isset($GLOBALS['cfg']['Server']['host'])) {
+         $title.=str_replace('\'', '\\\'', $GLOBALS['cfg']['Server']['host']);
+     }
+     if (isset($GLOBALS['db'])) {
+-        $title .= ' >> ' . str_replace('\'', '\\\'', $GLOBALS['db']);
++        $title .= ' / ' . str_replace('\'', '\\\'', $GLOBALS['db']);
+     }
+     if (isset($GLOBALS['table'])) {
+-        $title .= (empty($title) ? '' : ' ') . ' >> ' . str_replace('\'', '\\\'', $GLOBALS['table']);
++        $title .= (empty($title) ? '' : ' ') . ' / ' . str_replace('\'', '\\\'', $GLOBALS['table']);
+     }
+     $title .= ' | phpMyAdmin ' . PMA_VERSION;
+     ?>
+@@ -59,7 +59,7 @@
+     // Updates the title of the frameset if possible (ns4 does not allow this)
+     if (typeof(parent.document) != 'undefined' && typeof(parent.document) != 'unknown'
+         && typeof(parent.document.title) == 'string') {
+-        parent.document.title = '<?php echo $title; ?>';
++        parent.document.title = '<?php echo PMA_sanitize($title); ?>';
+     }
+ 
+     document.write('<style type="text/css">');
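Review bot: `parent.document.title = '<?php echo PMA_sanitize($title); ?>';` places the title inside a single-quoted JavaScript string, but PMA_sanitize() only rewrites `<`, `>` and the bracket markers; it does not escape `'` or `\`, and the `$_SERVER['HTTP_HOST']` / `SetHttpHostTitle` component appended under `ShowHttpHostTitle` is the one part of the title that never receives the `str_replace('\'', '\\\'', ...)` treatment the host, db and table parts get. One escaping step for the JavaScript string context at the echo, replacing the three per-component `str_replace` calls, is simpler and complete: `parent.document.title = '<?php echo addslashes(PMA_sanitize($title)); ?>';` with the three `str_replace('\'', '\\\'', ...)` wrappers dropped. Note also that the `&lt;` produced by PMA_sanitize() is not decoded when assigned to document.title, so a `<` in a db or table name will show literally as `&lt;` in the window title; since document.title is a text sink rather than an HTML sink, escaping for JavaScript alone would be the more accurate choice here.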
=== debian/patches/103-bug_CVE-2005-3300.patch
==================================================================
--- debian/patches/103-bug_CVE-2005-3300.patch	(revision 251)
+++ debian/patches/103-bug_CVE-2005-3300.patch	(local)
@@ -0,0 +1,36 @@
+The register_globals emulation layer in grab_globals.php for phpMyAdmin before
+2.6.4-pl3 does not perform safety checks on values in the _FILES array for
+uploaded files, which allows remote attackers to include arbitrary files by
+using direct requests to library scripts that do not use grab_globals.php,
+then modifying certain configuration values for the theme.
+
+diff -u -r2.151 -r2.151.2.1
+--- phpMyAdmin/libraries/common.lib.php	2005/08/23 23:08:21	2.151
++++ phpMyAdmin/libraries/common.lib.php	2005/10/21 02:40:23	2.151.2.1
+@@ -47,6 +47,10 @@
+  * - other functions, respecting dependencies
+  */
+ 
++// grab_globals.lib.php should really go before common.lib.php
++// TODO: remove direct calling from elsewhere
++require_once('./libraries/grab_globals.lib.php');
++
+ /**
+  * Minimum inclusion? (i.e. for the stylesheet builder)
+  */
+diff -u -r2.12.2.1 -r2.12.2.2
+--- phpMyAdmin/libraries/grab_globals.lib.php	2005/10/11 13:28:43	2.12.2.1
++++ phpMyAdmin/libraries/grab_globals.lib.php	2005/10/21 02:40:39	2.12.2.2
+@@ -12,6 +11,12 @@
+  * loic1 - 2001/25/11: use the new globals arrays defined with php 4.1+
+  */
+ 
++// protect against older PHP versions' bug about GLOBALS overwrite
++// (no need to translate this one :) )
++if (isset($_REQUEST['GLOBALS']) || isset($_FILES['GLOBALS'])) {
++    die("GLOBALS overwrite attempt");
++}
++
+ function PMA_gpc_extract($array, &$target, $sanitize = TRUE) {
+     if (!is_array($array)) {
+         return FALSE;
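Review bot: The inner hunk header `@@ -12,6 +11,12 @@` for grab_globals.lib.php gives a new-side start (11) lower than the old-side start (12) although the hunk only adds lines, which suggests the header was edited by hand; `patch` may still apply it with an offset, but regenerating the hunk from the actual file keeps the series clean. The description at the top of this patch (local file inclusion via unchecked `_FILES` values) also does not match the changelog entry for 103-bug_CVE-2005-3300.patch, which calls it a cross-site scripting fix while giving the file inclusion description to 103-bug_CVE-2005-3301.patch; the two changelog lines look swapped. Finally, the visible changes are the `GLOBALS` overwrite guard and the `require_once('./libraries/grab_globals.lib.php')` in common.lib.php; the `_FILES` value checks named in the description are not in this hunk, so either they already live in `PMA_gpc_extract()` (whose body runs past the hunk) or the description should say what this patch actually changes.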
=== debian/patches/103-bug_CVE-2005-3301.patch
==================================================================
--- debian/patches/103-bug_CVE-2005-3301.patch	(revision 251)
+++ debian/patches/103-bug_CVE-2005-3301.patch	(local)
@@ -0,0 +1,53 @@
+Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin before
+2.6.4-pl3 allow remote attackers to inject arbitrary web script or HTML via
+certain arguments to (1) left.php, (2) queryframe.php, or (3)
+server_databases.php.
+
+diff -u -r2.45 -r2.45.2.1
+--- phpMyAdmin/left.php	2005/07/10 18:42:00	2.45
++++ phpMyAdmin/left.php	2005/10/21 01:24:00	2.45.2.1
+@@ -39,6 +39,8 @@
+ //PMA_checkParameters(array('hash'));
+ if (!isset($hash)) {
+     $hash='';
++} else {
++    $hash = PMA_sanitize($hash);
+ }
+ 
+ require_once('./libraries/bookmark.lib.php');
+diff -u -r2.30 -r2.30.2.1
+--- phpMyAdmin/queryframe.php	2005/08/11 15:07:57	2.30
++++ phpMyAdmin/queryframe.php	2005/10/21 01:27:32	2.30.2.1
+@@ -24,6 +24,10 @@
+         PMA_outBufferPre($ob_mode);
+     }
+ }
++// security fix:
++if (isset($hash)) {
++   $hash = PMA_sanitize($hash);
++}
+ 
+ // garvin: For re-usability, moved http-headers
+ // to a seperate file. It can now be included by header.inc.php,
+diff -u -r2.19 -r2.19.2.1
+--- phpMyAdmin/server_databases.php	2005/08/02 13:02:17	2.19
++++ phpMyAdmin/server_databases.php	2005/10/21 01:33:58	2.19.2.1
+@@ -145,13 +145,18 @@
+ // avoids 'undefined index' errors
+ if (empty($sort_by)) {
+     $sort_by = 'db_name';
++} else {
++    $sort_by = PMA_sanitize($sort_by);
+ }
++
+ if (empty($sort_order)) {
+     if ($sort_by == 'db_name') {
+         $sort_order = 'asc';
+     } else {
+         $sort_order = 'desc';
+     }
++} else {
++    $sort_order = PMA_sanitize($sort_order);
+ }
+ 
+ // sorts the array
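Review bot: In server_databases.php, `$sort_by = PMA_sanitize($sort_by);` and `$sort_order = PMA_sanitize($sort_order);` HTML-escape values that are used as control input — `$sort_by` is compared with `'db_name'` two lines later and `$sort_order` is evidently either `'asc'` or `'desc'` — so an allow-list that falls back to the default is the stronger check and removes the need to escape them at output: `$sort_order = ($sort_order == 'desc') ? 'desc' : 'asc';` and, for `$sort_by`, `if (!in_array($sort_by, $allowed_sort_columns, true)) { $sort_by = 'db_name'; }` with `$allowed_sort_columns` (a constructed name) holding the column names the sort code accepts. How `$sort_by` is used after the hunk is not visible, so the list of valid values has to come from that code. A minor style point in queryframe.php: the added `$hash = PMA_sanitize($hash);` is indented three spaces where the file uses four.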
