Package: phpmyadmin
Version: 4:2.6.2-3sarge5
Severity: critical
Justification: root security hole
Tags: security patch
Since phpmyadmin runs on apache, and apache can be accessed from a remote
host, a remote host can access mysql's [EMAIL PROTECTED] via phpmyadmin.
This will break mysql's security policy.
I would like to suggest a patch that sets the default mysql host by
determining the network interface to which the client is connecting.
* If connecting via http://localhost/phpmyadmin, the mysql host will be
'localhost'.
* If connecting via http://hostname.hostdomain/phpmyadmin, the mysql host
will be 'hostname.hostdomain'.
* If php can't determine the client information, then for security reasons
'localhost.localdomain' will be set as the mysql host. (By default,
'[EMAIL PROTECTED]' gets the same privileges as other
remote root access, '[EMAIL PROTECTED]', in mysql.)
This will allow phpmyadmin to serve remote access while not
breaking the security settings in mysql. One can still leave the password
blank for mysql's [EMAIL PROTECTED] without worrying that it can be
accessed remotely.
The attached file is the patch for versions 2.6.2-3sarge5 and 2.9.1.1-4.
-- System Information:
Debian Release: testing/unstable
Architecture: i386 (i686)
Kernel: Linux 2.6.10-5-386
Locale: LANG=C, LC_CTYPE=thai
Versions of packages phpmyadmin depends on:
ii apache [httpd] 1.3.31-6ubuntu0.9 Versatile, high-performance HTTP s
ii debconf 1.4.29ubuntu4 Debian configuration management sy
ii php4 4:4.3.8-3ubuntu7.15 A server-side, HTML-embedded scrip
ii php4-cgi 4:4.3.10-10ubuntu4.8 server-side, HTML-embedded scripti
ii php4-mysql 4:4.3.8-3ubuntu7.15 MySQL module for php4
ii ucf 1.07 Update Configuration File: preserv
-- debconf information excluded
diff --exclude='.*.swp' -ur phpmyadmin-2.6.2-3sarge5.orig/config.inc.php phpmyadmin-2.6.2-3sarge5/config.inc.php
--- phpmyadmin-2.6.2-3sarge5.orig/config.inc.php 2007-10-16 11:40:28.613403000 +0700
+++ phpmyadmin-2.6.2-3sarge5/config.inc.php 2007-10-16 15:10:53.231170048 +0700
@@ -64,11 +64,32 @@
/**
* Server(s) configuration
*/
+function non_fake_server_name($server_name) {
+ if (!isset($_SERVER['SERVER_ADDR'])) return false;
+ // HTTP_HOST can be in the format, "host:port"
+ list($server_name) = explode(':', $server_name);
+ foreach (gethostbynamel($server_name) as $ip) {
+ if ($_SERVER['SERVER_ADDR'] == $ip) return true;
+ } return false;
+}
+// By default, '[EMAIL PROTECTED]' will get the same privileges as
+// other remote root access ('[EMAIL PROTECTED]') in mysql.
+// For security reason, assume remote access using 'localhost.localdomain',
+// when client information is missing.
+if (empty($_SERVER)) $client_dependent_localhost = 'localhost.localdomain';
+// Client may fake "Host:" header.
+elseif (isset($_SERVER['SERVER_NAME']) && non_fake_server_name($_SERVER['SERVER_NAME']))
+ $client_dependent_localhost = $_SERVER['SERVER_NAME'];
+elseif (isset($_SERVER['HTTP_HOST']) && non_fake_server_name($_SERVER['HTTP_HOST']))
+ list($client_dependent_localhost) = explode(':', $_SERVER['HTTP_HOST']);
+elseif (isset($_SERVER['SERVER_ADDR']))
+ $client_dependent_localhost = $_SERVER['SERVER_ADDR'];
+else $client_dependent_localhost = 'localhost.localdomain';
$i = 0;
// The $cfg['Servers'] array starts with $cfg['Servers'][1]. Do not use $cfg['Servers'][0].
// You can disable a server config entry by setting host to ''.
$i++;
-$cfg['Servers'][$i]['host'] = 'localhost'; // MySQL hostname or IP address
+$cfg['Servers'][$i]['host'] = $client_dependent_localhost; // MySQL hostname or IP address
$cfg['Servers'][$i]['port'] = ''; // MySQL port - leave blank for default port
$cfg['Servers'][$i]['socket'] = ''; // Path to the socket - leave blank for default socket
$cfg['Servers'][$i]['connect_type'] = 'socket'; // How to connect to MySQL server ('tcp' or 'socket')
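Review bot: `non_fake_server_name` does not handle the failure case of `gethostbynamel()`, which returns `false` for a name that does not resolve; the line `+ foreach (gethostbynamel($server_name) as $ip) {` then emits a PHP warning in the middle of config loading instead of returning `false` cleanly. Store the result first, e.g. `$ips = gethostbynamel($server_name); if (!is_array($ips)) return false;`. The check also only establishes that the supplied name resolves to `SERVER_ADDR`, which is true of any name whose DNS record points at this server, so the `HTTP_HOST` branch still lets the request rather than the server choose what ends up in `$cfg['Servers'][$i]['host']`; relying on `SERVER_NAME` with Apache's `UseCanonicalName On` and dropping the `HTTP_HOST` branch would be safer. Finally, the hunk changes `host` to a possibly non-`localhost` name but leaves `connect_type = 'socket'` on the last context line; the MySQL client library reaches a non-`localhost` host over TCP, so if the server runs with `skip-networking` the remote case this patch targets fails to connect at all, and `connect_type` should be switched to `'tcp'` together with the host.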
diff --exclude='.*.swp' -ur phpmyadmin-2.9.1.1-4.orig/debian/src/config.inc.php phpmyadmin-2.9.1.1-4/debian/src/config.inc.php
--- phpmyadmin-2.9.1.1-4.orig/debian/src/config.inc.php 2007-10-16 10:28:42.024104000 +0700
+++ phpmyadmin-2.9.1.1-4/debian/src/config.inc.php 2007-10-16 15:17:54.682099768 +0700
@@ -7,6 +7,28 @@
// Load secret generated on postinst
include('/etc/phpmyadmin/blowfish_secret.inc.php');
+function non_fake_server_name($server_name) {
+ if (!isset($_SERVER['SERVER_ADDR'])) return false;
+ // HTTP_HOST can be in the format, "host:port"
+ list($server_name) = explode(':', $server_name);
+ foreach (gethostbynamel($server_name) as $ip) {
+ if ($_SERVER['SERVER_ADDR'] == $ip) return true;
+ } return false;
+}
+// By default, '[EMAIL PROTECTED]' will get the same privileges as
+// other remote root access ('[EMAIL PROTECTED]') in mysql.
+// For security reason, assume remote access using 'localhost.localdomain',
+// when client information is missing.
+if (empty($_SERVER)) $client_dependent_localhost = 'localhost.localdomain';
+// Client may fake "Host:" header.
+elseif (isset($_SERVER['SERVER_NAME']) && non_fake_server_name($_SERVER['SERVER_NAME']))
+ $client_dependent_localhost = $_SERVER['SERVER_NAME'];
+elseif (isset($_SERVER['HTTP_HOST']) && non_fake_server_name($_SERVER['HTTP_HOST']))
+ list($client_dependent_localhost) = explode(':', $_SERVER['HTTP_HOST']);
+elseif (isset($_SERVER['SERVER_ADDR']))
+ $client_dependent_localhost = $_SERVER['SERVER_ADDR'];
+else $client_dependent_localhost = 'localhost.localdomain';
+
// Load autoconf local config
include('config/config.inc.php');
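Review bot: the function `non_fake_server_name` is declared unconditionally in a configuration file, so a second inclusion of this file produces a fatal "Cannot redeclare" error; guard it with `if (!function_exists('non_fake_server_name'))` or make sure the file is only ever loaded via `require_once`. The lookup it performs also runs on every request, before `include('config/config.inc.php');`, adding a synchronous resolver round-trip keyed on a client-supplied name to each page load; at minimum the result should be computed once and only when needed. Note as well that `list($client_dependent_localhost) = explode(':', $_SERVER['HTTP_HOST']);` splits an IPv6 literal such as `[::1]:80` at its first colon and yields `[` as the host.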
@@ -15,7 +37,7 @@
// Set the default server if there is no defined
if (!isset($cfg['Servers'])) {
- $cfg['Servers'][1]['host'] = 'localhost';
+ $cfg['Servers'][1]['host'] = $client_dependent_localhost;
}
// Set the default values for $cfg['Servers'] entries
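Review bot: the default on the line `+ $cfg['Servers'][1]['host'] = $client_dependent_localhost;` is used only when `config/config.inc.php` defined no `$cfg['Servers']`, yet the value (including its DNS lookup) is computed unconditionally in the earlier hunk; move the host derivation into this `if` block, or into a function called from here, so the lookup happens only when the default is actually applied.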
diff --exclude='.*.swp' -ur phpmyadmin-2.9.1.1-4.orig/debian/var/config.inc.php phpmyadmin-2.9.1.1-4/debian/var/config.inc.php
--- phpmyadmin-2.9.1.1-4.orig/debian/var/config.inc.php 2007-10-16 10:28:42.015106000 +0700
+++ phpmyadmin-2.9.1.1-4/debian/var/config.inc.php 2007-10-16 12:59:04.928414808 +0700
@@ -11,7 +11,7 @@
/* Server localhost (cookie) [1] */
$i++;
-$cfg['Servers'][$i]['host'] = 'localhost';
+$cfg['Servers'][$i]['host'] = $client_dependent_localhost;
$cfg['Servers'][$i]['connect_type'] = 'socket';
$cfg['Servers'][$i]['compress'] = false;
$cfg['Servers'][$i]['auth_type'] = 'cookie';
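Review bot: `$client_dependent_localhost` is never defined in debian/var/config.inc.php, so the line `+$cfg['Servers'][$i]['host'] = $client_dependent_localhost;` only works if this file is always included after debian/src/config.inc.php; loaded on its own, the variable is unset, `host` becomes empty and the server entry is silently disabled (the 2.6.2 config's own comment states that an empty host disables the entry). Use `isset($client_dependent_localhost) ? $client_dependent_localhost : 'localhost'` here, and adjust `connect_type = 'socket'` on the following line to match, since a non-`localhost` host is reached over TCP rather than the socket.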