phpmyadmin / PMASA-2016-60

To: debian-lts@lists.debian.org
Subject: phpmyadmin / PMASA-2016-60
From: Brian May <bam@debian.org>
Date: Fri, 09 Dec 2016 08:55:45 +1100
Message-id: <[🔎] 877f7a3x26.fsf@prune.linuxpenguins.xyz>

Hello,

I have been looking into PMASA-2016-60 for phpmyadmin, and nothing seems
to be certain.

* There does appear to be security issues with old versions of PHP with
  certain functions when passing strings with embedded
  nulls. http://www.madirish.net/401

* However as far as I can tell, php in wheezy is not vulnerable.

* Furthermore, these vulnerabilities are suppose to apply when
  processing the username. I am having trouble trying to visualize how
  an embedded null in the username could result in bypassing access
  control lists. Or how a username with an embedded null could get
  authenticated even.

* Looking at the code I don't see any of the vulnerable functions
  touching username.

* The fix looks easy; however don't like to apply the fix unless I can
  say for certain that it does something useful. Which means I need an
  exploit. I can't find enough details for this.

Any ideas?

Ok, so I have had one more idea since typing this out. Possibly the
problem is that the user is connecting as something like
"root\0fudge". This results in the user connecting to mysql as "root" -
assuming the mysql functions have this vulnerability" but we think the
user is connecting as "root\0fudge" so the don't apply the rules for
"root".

Out of time now, will need to consider this more.
-- 
Brian May <bam@debian.org>

Reply to:

Follow-Ups:
- Re: phpmyadmin / PMASA-2016-60
  - From: Brian May <bam@debian.org>

Prev by Date: Wheezy update of zlib?
Next by Date: Re: phpmyadmin / PMASA-2016-60
Previous by thread: Wheezy update of zlib?
Next by thread: Re: phpmyadmin / PMASA-2016-60
Index(es):
- Date
- Thread