
phpmyadmin / CVE-2016-5739.patch



Ok, so as far as I can tell, looking at the version in wheezy, the
problem is that we load source files like so (there are two occurrences
in the code that I can see, both very similar):

include_once $include_file;

Where include_file comes from:

$file = $mime_map[$meta->name]['transformation'];
$include_file = 'libraries/plugins/transformations/' . $file;

The problem being $mime_map is loaded from the database, and considered
untrusted, I think this is the source here:

PMA_getMIME($this->__get('db'), $this->__get('table'))

I don't fully understand this function yet, but I think it is safe to
say it generates filenames based on untrusted data from the database.

I am not sure what an attacker can do with include_once, but my guess is
that if you try to load a file that doesn't have a "<?php" marker, it
will add the entire contents to the HTML being output to HTTP -
e.g. send it to the attacker.

However, an attacker would need to be able to log in and have write access
to a database first before carrying out an attack.

The upstream solution seems to be to completely remove the
"include_once" statement and rely on the "autoloader" to load things. As
far as I can tell, this creates an "autoload.php" file at install time
which automatically lists all dependencies to be loaded without relying
on untrusted inputs.

Unfortunately, I don't think the wheezy version of phpmyadmin has this
autoloader support... So if we blindly applied the same patch by hand,
I suspect we would end up disabling support for transformations.

There is a reference to autoload.php in CVE-2016-2039.patch, but that is
documentation only.

Here is the upstream documentation on transformations:
https://docs.phpmyadmin.net/en/qa_4_2/transformations.html

I am wondering how important it is that we continue to support
transformations? I suspect not many users of phpmyadmin 4.2.12 would
actually use or want them... If so the easiest fix may be to remove
these lines.
-- 
Brian May <brian@linuxpenguins.xyz>
https://linuxpenguins.xyz/brian/
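For reference, here is what a hardened form of the quoted include_once pattern could look like: it vets the transformation file name taken from the untrusted mime map before it reaches include_once. This is an added illustration, not phpMyAdmin's code or the upstream patch; the directory constant, the function name and the accepted file-name pattern are assumptions.

```php
<?php
// Added example (not phpMyAdmin's code): only include a transformation
// plugin when its name resolves to a plain file inside the plugin
// directory. $mime_map and $meta->name are assumed to come from
// PMA_getMIME() as described in the message above.

define('TRANSFORMATIONS_DIR', __DIR__ . '/libraries/plugins/transformations');

/**
 * Return the absolute path of a transformation plugin, or null when the
 * name is anything other than a plain .php file name in TRANSFORMATIONS_DIR.
 */
function safeTransformationPath($file)
{
    // Accept identifier-like names such as "Foo_Bar.class.php" only:
    // no slashes, no NUL bytes, no "scheme://" prefixes. (The exact
    // pattern is an assumption; adjust it to the real plugin names.)
    if (!is_string($file)
        || !preg_match('/\A[A-Za-z0-9_]+(\.[A-Za-z0-9_]+)*\.php\z/', $file)) {
        return null;
    }

    $base = realpath(TRANSFORMATIONS_DIR);
    $path = realpath(TRANSFORMATIONS_DIR . '/' . $file);

    // realpath() is false for a missing file; also require that the
    // resolved path still lies strictly inside the plugin directory.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Usage, mirroring the lines quoted in the message:
//   $file         = $mime_map[$meta->name]['transformation'];
//   $include_file = safeTransformationPath($file);
//   if ($include_file !== null) {
//       include_once $include_file;   // a vetted file in the plugin directory
//   } else {
//       error_log('phpMyAdmin: rejected transformation file name');
//       // skip the transformation instead of including an arbitrary path
//   }
```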

