Package: phpmyadmin
Severity: important
Tags: security, patch

Hi

The following two CVEs[0][1] have been assigned to phpmyadmin.

CVE-2007-5977:

Cross-site scripting (XSS) vulnerability in db_create.php in phpMyAdmin
before 2.11.2.1 allows remote authenticated users with CREATE DATABASE
privileges to inject arbitrary web script or HTML via a hex-encoded IMG
element in the db parameter in a POST request, a different vulnerability
than CVE-2006-6942. 


CVE-2007-5976:

SQL injection vulnerability in db_create.php in phpMyAdmin before
2.11.2.1 allows remote authenticated users with CREATE DATABASE
privileges to execute arbitrary SQL commands via the db parameter.


Please mention the CVEs in your changelog.

You can find the upstream patch below.

Cheers
Steffen

[0]: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5977

[1]: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5976

--- phpMyAdmin/libraries/List_Database.class.php        (.../RELEASE_2_11_2)    
(revision 10919)
+++ phpmyadmin-2.11.2/libraries/List_Database.class.php (.../RELEASE_2_11_2_1)  
(revision 10919)
@@ -378,10 +378,10 @@
             $selected = $this->getDefault();
         }

-    $return = '<ul id="databaseList" xml:lang="en" dir="ltr">' . "\n";
+    $return = '<ul id="databaseList" xml:lang="en" dir="ltr">' . "\n";
         foreach ($this->getGroupedDetails($offset, $count) as $group => $dbs) {
             if (count($dbs) > 1) {
-                $return .= '<li>' . $group . '<ul>' . "\n";
+                $return .= '<li>' . htmlspecialchars($group) . '<ul>' . "\n";
                 // wether display db_name cuted by the group part
                 $cut = true;
             } else {
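Review bot: the `-`/`+` pair on the `<ul id="databaseList" ...>` line appears to differ only in whitespace, so the one functional change in this hunk is wrapping `$group` in `htmlspecialchars()` before it is emitted inside `<li>`; that is the right fix for the XSS side (CVE-2007-5977), since the group name is derived from user-controlled database names. Consider dropping the whitespace-only change so the security patch stays minimal and easier to review.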
@@ -389,15 +389,24 @@
                 $cut = false;
             }
             foreach ($dbs as $db) {
-            $return .= '<li';
-            if ($db['name'] == $selected) {
-                $return .= ' class="selected"';
+                $return .= '<li';
+                if ($db['name'] == $selected) {
+                    $return .= ' class="selected"';
+                }
+                $return .= '><a';
+                if (! empty($db['comment'])) {
+                    $return .= ' title="' . htmlspecialchars($db['comment']) . 
'"';
+                }
+                $return .= ' href="index.php?' . 
PMA_generate_common_url($db['name'])
+                    . '" target="_parent">';
+                if ($cut) {
+                    $return .= htmlspecialchars($db['disp_name_cut']);
+                } else {
+                    $return .= htmlspecialchars($db['disp_name']);
+                }
+                $return .= ' (' . $db['num_tables'] . ')';
+                $return .= '</a></li>' . "\n";
             }
-        $return .= '><a' . (! empty($db['comment']) ? ' title="' . 
$db['comment'] . '"' : '') . ' href="index.php?' . 
PMA_generate_common_url($db['name']) . '" target="_parent">';
-                $return .= ($cut ? $db['disp_name_cut'] : $db['disp_name'])
-            .' (' . $db['num_tables'] . ')';
-        $return .= '</a></li>' . "\n";
-            }
             if (count($dbs) > 1) {
                 $return .= '</ul></li>' . "\n";
             }
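Review bot: `$db['num_tables']` is still concatenated unescaped in `' (' . $db['num_tables'] . ')'` while every other `$db` value in this hunk now goes through `htmlspecialchars()`; it is presumably an integer count, but escaping it too (or casting with `(int)`) would make the escaping rule uniform and cheap to audit. Whether the `href` value is attribute-safe depends on `PMA_generate_common_url()`, which is not shown here, so it is worth confirming that it escapes its output for use inside an attribute. Note also that the `title=` and `href=` lines are wrapped by the mail client in this copy and need to be rejoined before the patch will apply.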
--- ../old/phpmyadmin-2.11.2/server_privileges.php      2007-10-27 
13:06:02.000000000 +0000
+++ phpmyadmin-2.11.2/server_privileges.php     2007-11-16 04:12:15.000000000 
+0000
@@ -2032,7 +2032,7 @@
             .   PMA_convert_using('`Db`') . ' AS `Db`, '
             .   $list_of_privileges
             .' FROM `mysql`.`db`'
-            .' WHERE ' . PMA_convert_using($checkprivs, 'quoted')
+           .' WHERE ' . PMA_convert_using(PMA_sqlAddslashes($checkprivs), 
'quoted')
             .' LIKE ' . PMA_convert_using('`Db`')
             .' AND NOT (' . $list_of_compared_privileges. ')) '
             .'UNION '
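Review bot: the replacement `WHERE` line is indented one space less than the surrounding concatenation lines (11 versus 12 spaces) and should be realigned with the `.' LIKE '` line below it. Wrapping `$checkprivs` in `PMA_sqlAddslashes()` addresses the SQL injection (CVE-2007-5976) by escaping quote characters, but because the value is compared with `LIKE`, any `%` or `_` in a database name would still act as a wildcard and match more rows of `mysql`.`db` than intended; consider escaping those as well if `PMA_sqlAddslashes()` does not already. This line is also wrapped by the mail client (`'quoted')` sits on its own line) and must be rejoined before applying.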


