
Re: Analysis of issue for phpmyadmin and request for comment on XSS issues



Hi Markus and Ben

Thanks to both of you for good insight.

Markus, you gave a good reminder that XSS is also for people who have "write permission" to the site.

I'll use both your inputs in the further patch work. The XSS issues look trivial so I should be able to fix all or most of them easily.

Best regards

// Ola

On Wed, Jun 29, 2016 at 12:20 AM, Markus Koschany <apo@debian.org> wrote:
On 26.06.2016 23:47, Ola Lundqvist wrote:
> Hi LTS team

Hi!

>
> I have done some analysis of the issues for phpmyadmin.
>
> It would be good to know what your opinion about XSS issues for admin
> software like phpmyadmin is. I do not see how that can be very
> important. I mean you know the URL and do not really use external links
> for accessing it.
> Or does anyone have another opinion?

XSS is not just about getting tricked into clicking the wrong site URL
of the application. XSS is very common for web applications and in case
of webapps like phpmyadmin, where usually multiple users have access to
databases with various permissions, there are often multiple
possibilities to inject JavaScript or other code into HTML tags,
<script> tags, CSS, etc. and make other users believe that they still
browse their trusted site but in fact they already execute the
attacker's code.

I think there are too many vectors of cross-site-scripting to say this
is always a non-issue. For web applications it is the most common
vulnerability and we should carefully investigate case-by-case how
serious the exploit is.

>
> I'll happily mark them as no DSA instead of backporting the fixes. What
> do you think?
> If I do not hear any objections I'll do so in a few days.
>
> CVE-2016-5701
> The mitigation is to always use https for access. I guess this should be
> the normal case.
> This is a problem only during setup as far as I can tell.
> I do not think we should spend time on this one. I'll mark it as no DSA.
> Objections?
> If anyone objects the backport should be fairly simple.

Is phpmyadmin configured to use https by default in Debian? If not it is
very likely that some systems out there are vulnerable.

> CVE-2016-5702
> A properly configured server which sets PHP_SELF is not affected. Thus
> I'll mark this as no DSA. Objections?

Agreed. By default PHP_SELF should be set.

>
> CVE-2016-5703
> This one looks like a real problem. Will look into backport of that one.
>
> CVE-2016-5704 and CVE-2016-5705
> XSS issue. Backporting looks easy.
>
> CVE-2016-5706
> A potential DoS attack should be fixed. I'll look into backporting this.
>
> CVE-2016-5730
> Non critical. I'll mark as no DSA unless anyone objects.

Agreed.

> CVE-2016-5731, CVE-2016-5732, CVE-2016-5733
> XSS again. Backporting looks rather easy. I do not really see the
> urgency of fixing though.
>

CVE-2016-5731, html_errors=On is the default in Debian -> non-issue
CVE-2016-5732, upstream considers this issue to be severe, I haven't
found more information yet but I suggest keeping the "vulnerable" status.
CVE-2016-5733, upstream considers this to be of "moderate" severity. I
would keep the "vulnerable" status.

> CVE-2016-5734
> Possible real problem. I'll look into backporting this.
>
> CVE-2016-5739
> Possible real problem. Backporting looks easy.
>

In the end the decision is ultimately up to you because you are the one
who is responsible for the update. I wouldn't take XSS CVEs lightly though.

Regards,

Markus




--
 --- Inguza Technology AB --- MSc in Information Technology ----
/  ola@inguza.com                    Folkebogatan 26            \
|  opal@debian.org                   654 68 KARLSTAD            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9  /
 ---------------------------------------------------------------
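To make Markus's point concrete, here is an added example (not code from this thread or from phpMyAdmin, and written in Python rather than PHP so it runs stand-alone): a database-listing row rendered once without escaping and once escaped per output context (HTML text, attribute, URL parameter and inline-script string), so that a table name chosen by a low-privileged user cannot become markup in an admin's browser. The table name, the sql.php URL and all function names are constructed for the example.

```python
import html
import json
from urllib.parse import quote

# Constructed sample: a table name a low-privileged database user could create,
# but that must never be interpreted as markup in another user's browser.
HOSTILE_TABLE_NAME = 'orders<script>alert(1)</script>'


def render_row_unsafe(table_name: str) -> str:
    """Naive listing row: the name lands in HTML text, an attribute and a URL unescaped."""
    return (f'<tr><td>{table_name}</td>'
            f'<td><a href="sql.php?table={table_name}" title="{table_name}">Browse</a></td></tr>')


def js_string(value: str) -> str:
    """Embed a value inside an inline <script> as a JS string literal.

    json.dumps quotes and backslash-escapes it; the extra replacements stop a
    literal '</script>' (or any tag) from terminating the script block, since
    the browser's HTML parser runs before its JavaScript parser."""
    return (json.dumps(value)
            .replace('<', '\\u003c')
            .replace('>', '\\u003e')
            .replace('&', '\\u0026'))


def render_row_safe(table_name: str) -> str:
    """Same row, escaped per output context: HTML text and attribute via
    html.escape (quote=True also escapes ' and "), URL parameter via
    percent-encoding (safe='' so even '/' is encoded)."""
    text = html.escape(table_name, quote=True)
    url_param = quote(table_name, safe='')
    return (f'<tr><td>{text}</td>'
            f'<td><a href="sql.php?table={url_param}" title="{text}">Browse</a></td></tr>')


def render_inline_script_safe(table_name: str) -> str:
    """Inline script handing the current table name to page JavaScript."""
    return f'<script>var currentTable = {js_string(table_name)};</script>'


def contains_raw_tag(fragment: str, tag: str = 'script') -> bool:
    """Crude check used only to demonstrate the difference: does the fragment
    still contain a literal '<tag' sequence a browser would parse as markup?"""
    return f'<{tag}' in fragment.lower()
```

For benign names the safe and unsafe renderings are identical, which is why this class of bug goes unnoticed until someone stores a hostile value.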

