[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#328501: phpmyadmin: CAN-2005-2869



I've sent this mail to security@debian.org and team@security.debian.org at 
Monday and still no response...?

Several Cross-Site-Scripting vulnerabilities have been found in phpmyadmin. 
The CAN-2005-2869 advisory reports the two of them. I've found four more 
vulnerabilities reported and fixed directly in phpMyAdmin's CVS.

I've attached the patch for phpmyadmin package from sarge release with 
backported patches. The additional modification is that the Debian package 
release number is included to the upstream version number, so it is clearly 
marked that this is modified source.

-- 
 .''`.    Piotr Roszatycki, Netia SA
: :' :    mailto:Piotr_Roszatycki@netia.net.pl
`. `'     mailto:dexter@debian.org
  `-
=== debian/changelog
==================================================================
--- debian/changelog	(revision 251)
+++ debian/changelog	(local)
@@ -1,3 +1,34 @@
+phpmyadmin (4:2.6.2-3sarge1) stable-security; urgency=high
+
+  * Security fix: Several Cross-Site Scripting vulnerabilities.
+    See http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2869
+    Closes: #328501.
+
+  * Modified 001-config.patch:
+    - Append the Debian package revision to the upstream version. Marks that
+      this phpMyAdmin package has additional Debian modifications so the
+      bugreports won't confuse phpMyAdmin's coders.
+  * New 100-bug1223319.patch:
+    - Use eval for config file including to catch parse errors. The patch is
+      required by further patch which fixes XSS.
+  * New 101-patch1258978.patch:
+    - Move common code for error pages out of common.lib.php. The patch is
+      required by further patch which fixes XSS.
+  * New 102-bug1240880.patch:
+    - XSS on the cookie-based login panel.
+  * New 102-bug1249239.patch:
+    - XSS vulnerability on Create page.
+  * New 102-bug1252124.patch:
+    - XSS on table creation page.
+  * New 102-bug1265740.patch:
+    - Protect against possible XSS, move input sanitizing to special file.
+  * New 102-bug1283552.patch:
+    - XSS on username.
+  * New 102-bug_XSS_on_header.inc.php.patch:
+    - XSS on header.inc.php.
+
+ -- Piotr Roszatycki <dexter@debian.org>  Fri, 16 Sep 2005 15:32:30 +0200
+
 phpmyadmin (4:2.6.2-3) unstable; urgency=high
 
   * Fix apache2.conf only for 4:2.6.2-1 release. Closes: #307901 (critical),
=== debian/packages
==================================================================
--- debian/packages	(revision 251)
+++ debian/packages	(local)
@@ -68,6 +68,12 @@
  for webserver in apache apache-perl apache-ssl apache2; do
      yada install -conf -ucf -into /etc/$webserver/conf.d -as phpmyadmin.conf debian/conf/apache.conf
  done
+ .
+ version=$(grep "define.'PMA_VERSION" libraries/defines.lib.php | sed "s/.*, '//; s/'.*//")-Debian-${VERSION##*-}
+ sed -e 's/@VERSION@/'"$version"'/' \
+     $ROOT/usr/share/phpmyadmin/config.inc.php > $ROOT/usr/share/phpmyadmin/config.inc.php.tmp
+ mv -f $ROOT/usr/share/phpmyadmin/config.inc.php.tmp $ROOT/usr/share/phpmyadmin/config.inc.php
+ .
  yada symlink -into /usr/share/phpmyadmin -as .htaccess /etc/phpmyadmin/htaccess
  yada symlink -into /var/www /usr/share/phpmyadmin
  yada symlink -into /usr/share/phpmyadmin /etc/phpmyadmin/config.header.inc.php
=== debian/patches/001-config.patch
==================================================================
--- debian/patches/001-config.patch	(revision 251)
+++ debian/patches/001-config.patch	(local)
@@ -43,7 +43,7 @@
  $cfg['Servers'][$i]['user']          = 'root';      // MySQL user
  $cfg['Servers'][$i]['password']      = '';          // MySQL password (only needed
                                                      // with 'config' auth_type)
-@@ -838,6 +839,13 @@
+@@ -838,6 +839,17 @@
   */
  set_magic_quotes_runtime(0);
  
@@ -53,7 +53,11 @@
 + */
 +include('/etc/phpmyadmin/config.inc.php');
 +
++if (!defined('PMA_VERSION')) {
++    define('PMA_VERSION', '@VERSION@');
++}
 +
++
  /**
   * File Revision - do not change either!
   */
=== debian/patches/100-bug1223319.patch
==================================================================
--- debian/patches/100-bug1223319.patch	(revision 251)
+++ debian/patches/100-bug1223319.patch	(local)
@@ -0,0 +1,43 @@
+Use eval for config file including to catch parse errors (bug #1223319),
+on error page display config file that actually failed.
+
+diff -u -r2.138 -r2.139
+--- phpMyAdmin/libraries/common.lib.php	2005/07/11 05:51:13	2.138
++++ phpMyAdmin/libraries/common.lib.php	2005/07/13 11:16:51	2.139
+@@ -75,9 +75,9 @@
+  * Detects the config file we want to load
+  */
+ if (file_exists('./config.inc.developer.php')) {
+-    $cfgfile_to_load = './config.inc.developer.php';
++    $cfgfile_to_load = 'config.inc.developer.php';
+ } else {
+-    $cfgfile_to_load = './config.inc.php';
++    $cfgfile_to_load = 'config.inc.php';
+ }
+ 
+ /**
+@@ -85,9 +85,12 @@
+  * versions of phpMyAdmin/php/mysql...
+  */
+ $old_error_reporting = error_reporting(0);
+-include_once($cfgfile_to_load);
+-// Include failed
+-if (!isset($cfgServers) && !isset($cfg['Servers'])) {
++// We can not use include as it fails on parse error
++$config_fd = fopen($cfgfile_to_load, 'r');
++$result = eval('?>' . fread($config_fd, filesize($cfgfile_to_load)));
++fclose($config_fd);
++// Eval failed
++if ($result === FALSE || (!isset($cfgServers) && !isset($cfg['Servers']))) {
+     // Creates fake settings
+     $cfg = array('DefaultLang'           => 'en-iso-8859-1',
+                     'AllowAnywhereRecoding' => FALSE);
+@@ -118,7 +121,7 @@
+ <h1>phpMyAdmin - <?php echo $strError; ?></h1>
+ <p>
+ <?php echo $strConfigFileError; ?><br /><br />
+-<a href="config.inc.php" target="_blank">config.inc.php</a>
++<a href="<?php echo $cfgfile_to_load; ?>" target="_blank"><?php echo $cfgfile_to_load; ?></a>
+ </p>
+ </body>
+ 
=== debian/patches/101-patch1258978.patch
==================================================================
--- debian/patches/101-patch1258978.patch	(revision 251)
+++ debian/patches/101-patch1258978.patch	(local)
@@ -0,0 +1,162 @@
+patch #1258978, move common
+code for error pages out of common.lib.php, thanks to Sebastian Mendel
+
+diff -u -r2.147 -r2.148
+--- phpMyAdmin/libraries/common.lib.php	2005/08/16 17:49:57	2.147
++++ phpMyAdmin/libraries/common.lib.php	2005/08/20 13:23:35	2.148
+@@ -96,37 +96,17 @@
+                     'AllowAnywhereRecoding' => FALSE);
+     // Loads the language file
+     require_once('./libraries/select_lang.lib.php');
+-    // Sends the Content-Type header
+-    header('Content-Type: text/html; charset=' . $charset);
+     // Displays the error message
+-    ?>
+-<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+-"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd";>
+-<html xmlns="http://www.w3.org/1999/xhtml"; xml:lang="<?php echo $available_languages[$lang][2]; ?>" lang="<?php echo $available_languages[$lang][2]; ?>" dir="<?php echo $text_dir; ?>">
+-
+-<head>
+-<title>phpMyAdmin</title>
+-<meta http-equiv="Content-Type" content="text/html; charset=<?php echo $charset; ?>" />
+-
+-<style type="text/css">
+-<!--
+-body  {font-family: sans-serif; font-size: small; color: #000000; background-color: #F5F5F5}
+-h1    {font-family: sans-serif; font-size: large; font-weight: bold}
+-//-->
+-</style>
+-</head>
+-
+-
+-<body bgcolor="#ffffff">
+-<h1>phpMyAdmin - <?php echo $strError; ?></h1>
+-<p>
+-<?php echo $strConfigFileError; ?><br /><br />
+-<a href="<?php echo $cfgfile_to_load; ?>" target="_blank"><?php echo $cfgfile_to_load; ?></a>
+-</p>
+-</body>
+-
+-</html>
+-    <?php
++    // (do not use &amp; for parameters sent by header)
++    header( 'Location: error.php'
++            . '?lang='  . urlencode( $available_languages[$lang][2] )
++            . '&char='  . urlencode( $charset )
++            . '&dir='   . urlencode( $text_dir )
++            . '&type='  . urlencode( $strError )
++            . '&error=' . urlencode( $strConfigFileError . '<br /><br />'
++                                    . '<a href="' . $cfgfile_to_load . '" '
++                                    . 'target="_blank">' . $cfgfile_to_load . '</a>' )
++             );
+     exit();
+ }
+ error_reporting($old_error_reporting);
+@@ -1074,35 +1054,14 @@
+             } else if (!empty($_SERVER['SERVER_NAME'])) {
+                 $url['host'] = $_SERVER['SERVER_NAME'];
+             } else {
+-                header('Content-Type: text/html; charset=' . $charset);
+                 // Displays the error message
+-                ?>
+-<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+-"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd";>
+-<html xmlns="http://www.w3.org/1999/xhtml"; xml:lang="<?php echo $available_languages[$lang][2]; ?>" lang="<?php echo $available_languages[$lang][2]; ?>" dir="<?php echo $text_dir; ?>">
+-
+-<head>
+-<title>phpMyAdmin</title>
+-<meta http-equiv="Content-Type" content="text/html; charset=<?php echo $charset; ?>" />
+-
+-<style type="text/css">
+-<!--
+-body  {font-family: sans-serif; font-size: small; color: #000000; background-color: #F5F5F5}
+-h1    {font-family: sans-serif; font-size: large; font-weight: bold}
+-//-->
+-</style>
+-</head>
+-
+-
+-<body bgcolor="#ffffff">
+-<h1>phpMyAdmin - <?php echo $strError; ?></h1>
+-<p>
+-<?php echo $strPmaUriError; ?><br /><br />
+-</p>
+-</body>
+-
+-</html>
+-                <?php
++                header( 'Location: error.php'
++                        . '?lang='  . urlencode( $available_languages[$lang][2] )
++                        . '&char='  . urlencode( $charset )
++                        . '&dir='   . urlencode( $text_dir )
++                        . '&type='  . urlencode( $strError )
++                        . '&error=' . urlencode( $strPmaUriError )
++                         );
+                 exit();
+             }
+ 
+diff -u -r1.1 -r2.1
+--- phpMyAdmin/error.php	2005-09-07 11:54:25 +0200	1.1
++++ phpMyAdmin/error.php	2005-09-15 20:35:48 +0200	2.1
+@@ -0,0 +1,61 @@
++<?php
++/* $Id: error.php,v 2.1 2005/08/20 13:23:34 lem9 Exp $ */
++// vim: expandtab sw=4 ts=4 sts=4:
++
++/**
++ *
++ * phpMyAdmin fatal error display page
++ * 
++ */
++$lang = isset( $_REQUEST['lang'] ) ? $_REQUEST['lang'] : 'en';
++$dir  = isset( $_REQUEST['dir']  ) ? $_REQUEST['dir']  : 'ltr';
++$char = isset( $_REQUEST['char'] ) ? $_REQUEST['char'] : 'utf-8';
++$type = isset( $_REQUEST['type'] ) ? $_REQUEST['type'] : 'error';
++
++header('Content-Type: text/html; charset=' . $char);
++?>
++<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd";>
++<html xmlns="http://www.w3.org/1999/xhtml"; xml:lang="<?php echo $lang; ?>" dir="<?php echo $dir; ?>">
++<head>
++    <title>phpMyAdmin</title>
++    <meta http-equiv="Content-Type" content="text/html; charset=<?php echo $char; ?>" />
++    <style type="text/css">
++    <!--
++    html {
++        padding: 0;
++        margin: 0;
++    }
++    body  {
++        font-family: sans-serif;
++        font-size: small;
++        color: #000000;
++        background-color: #F5F5F5;
++        margin: 1em;
++    }
++    h1 {
++        margin: 0;
++        padding: 0.3em;
++        font-size: 1.4em;
++        font-weight: bold;
++        color: #ffffff;
++        background-color: #ff0000;
++    }
++    p {
++        margin: 0;
++        padding: 0.5em;
++        border: 0.1em solid red;
++        background-color: #ffeeee;
++    }
++    //-->
++    </style>
++</head>
++<body>
++<h1>phpMyAdmin - <?php echo $type; ?></h1>
++<p><?php
++if (get_magic_quotes_gpc()) {
++    echo stripslashes($_REQUEST['error']); }
++else {
++    echo $_REQUEST['error'];
++}?></p>
++</body>
++</html>
=== debian/patches/102-bug1240880.patch
==================================================================
--- debian/patches/102-bug1240880.patch	(revision 251)
+++ debian/patches/102-bug1240880.patch	(local)
@@ -0,0 +1,14 @@
+bug #1240880, XSS on the cookie-based login panel
+
+diff -u -r2.25 -r2.26
+--- phpMyAdmin/libraries/auth/cookie.auth.lib.php	2005/03/06 21:10:53	2.25
++++ phpMyAdmin/libraries/auth/cookie.auth.lib.php	2005/07/21 11:53:33	2.26
+@@ -618,7 +618,7 @@
+     } else if (isset($GLOBALS['no_activity']) && $GLOBALS['no_activity']) {
+         $conn_error = sprintf($GLOBALS['strNoActivity'],$GLOBALS['cfg']['LoginCookieValidity']);
+     } else if (PMA_DBI_getError()) {
+-        $conn_error = PMA_DBI_getError();
++        $conn_error = PMA_sanitize(PMA_DBI_getError());
+     } else if (isset($php_errormsg)) {
+         $conn_error = $php_errormsg;
+     } else {
=== debian/patches/102-bug1249239.patch
==================================================================
--- debian/patches/102-bug1249239.patch	(revision 251)
+++ debian/patches/102-bug1249239.patch	(local)
@@ -0,0 +1,28 @@
+bug #1249239, XSS vulnerability on Create page
+
+diff -u -r2.140 -r2.141
+--- phpMyAdmin/libraries/common.lib.php	2005/07/27 00:26:52	2.140
++++ phpMyAdmin/libraries/common.lib.php	2005/08/01 12:38:55	2.141
+@@ -635,11 +635,11 @@
+ 
+         // --- Added to solve bug #641765
+         // Robbat2 - 12 January 2003, 9:46PM
+-        // Revised, Robbat2 - 13 Janurary 2003, 2:59PM
++        // Revised, Robbat2 - 13 January 2003, 2:59PM
+         if (!function_exists('PMA_SQP_isError') || PMA_SQP_isError()) {
+             $formatted_sql = htmlspecialchars($the_query);
+         } else {
+-            $formatted_sql = PMA_formatSql(PMA_SQP_parse($the_query), $the_query);
++            $formatted_sql = PMA_formatSql(PMA_SQP_parse(PMA_sanitize($the_query)), $the_query);
+         }
+         // ---
+         echo "\n" . '<!-- PMA-SQL-ERROR -->' . "\n";
+@@ -655,7 +655,7 @@
+         if (!empty($the_query) && !strstr($the_query, 'connect')) {
+             // --- Added to solve bug #641765
+             // Robbat2 - 12 January 2003, 9:46PM
+-            // Revised, Robbat2 - 13 Janurary 2003, 2:59PM
++            // Revised, Robbat2 - 13 January 2003, 2:59PM
+             if (function_exists('PMA_SQP_isError') && PMA_SQP_isError()) {
+                 echo PMA_SQP_getErrorString();
+             }
=== debian/patches/102-bug1252124.patch
==================================================================
--- debian/patches/102-bug1252124.patch	(revision 251)
+++ debian/patches/102-bug1252124.patch	(local)
@@ -0,0 +1,25 @@
+bug #1252124, XSS on table creation page
+
+diff -u -r2.15 -r2.16
+--- phpMyAdmin/tbl_create.php	2005/05/26 16:55:15	2.15
++++ phpMyAdmin/tbl_create.php	2005/08/04 19:24:16	2.16
+@@ -7,12 +7,16 @@
+  */
+ require_once('./libraries/grab_globals.lib.php');
+ $js_to_run = 'functions.js';
+-require_once('./header.inc.php');
+-
+-// Check parameters
+ 
+ require_once('./libraries/common.lib.php');
+ 
++if (isset($table)) {
++    $table = PMA_sanitize($table);
++}
++
++require_once('./header.inc.php');
++
++// Check parameters
+ PMA_checkParameters(array('db', 'table'));
+ 
+ /**
=== debian/patches/102-bug1265740.patch
==================================================================
--- debian/patches/102-bug1265740.patch	(revision 251)
+++ debian/patches/102-bug1265740.patch	(local)
@@ -0,0 +1,144 @@
+Protect against possible XSS (bug #1265740), move input sanitizing to
+special file.
+
+diff -u -r2.148 -r2.149
+--- phpMyAdmin/libraries/common.lib.php	2005/08/20 13:23:35	2.148
++++ phpMyAdmin/libraries/common.lib.php	2005/08/22 21:00:52	2.149
+@@ -103,9 +103,7 @@
+             . '&char='  . urlencode( $charset )
+             . '&dir='   . urlencode( $text_dir )
+             . '&type='  . urlencode( $strError )
+-            . '&error=' . urlencode( $strConfigFileError . '<br /><br />'
+-                                    . '<a href="' . $cfgfile_to_load . '" '
+-                                    . 'target="_blank">' . $cfgfile_to_load . '</a>' )
++            . '&error=' . urlencode( strtr($strConfigFileError, array('<br />' => '[br]')) . '[br][br]' . '[a@' . $cfgfile_to_load . '@_blank]' . $cfgfile_to_load . '[/a]' )
+              );
+     exit();
+ }
+@@ -140,30 +138,8 @@
+  */
+ require_once('./libraries/defines.lib.php');
+ 
+-
+-/**
+- * Sanitizes $message, taking into account our special codes
+- * for formatting
+- *
+- * @param   string   the message
+- *
+- * @return  string   the sanitized message
+- *
+- * @access  public
+- */
+-function PMA_sanitize($message)
+-{
+-    $replace_pairs = array(
+-        '<'     => '&lt;',
+-        '>'     => '&gt;',
+-        '[i]'   => '<i>',
+-        '[/i]'  => '</i>',
+-        '[b]'   => '<b>',
+-        '[br]'  => '<br />',
+-        '[/b]'  => '</b>',
+-    );
+-    return strtr($message, $replace_pairs);
+-}
++/* Input sanitizing */
++require_once('./libraries/sanitizing.lib.php');
+ 
+ // XSS
+ if (isset($convcharset)) {
+@@ -1060,7 +1036,7 @@
+                         . '&char='  . urlencode( $charset )
+                         . '&dir='   . urlencode( $text_dir )
+                         . '&type='  . urlencode( $strError )
+-                        . '&error=' . urlencode( $strPmaUriError )
++                        . '&error=' . urlencode( strtr($strPmaUriError, array('<tt>' => '[tt]', '</tt>' => '[/tt]')))
+                          );
+                 exit();
+             }
+diff -u -r2.1 -r2.2
+--- phpMyAdmin/error.php	2005/08/20 13:23:34	2.1
++++ phpMyAdmin/error.php	2005/08/22 21:00:52	2.2
+@@ -7,18 +7,23 @@
+  * phpMyAdmin fatal error display page
+  * 
+  */
+-$lang = isset( $_REQUEST['lang'] ) ? $_REQUEST['lang'] : 'en';
+-$dir  = isset( $_REQUEST['dir']  ) ? $_REQUEST['dir']  : 'ltr';
+-$char = isset( $_REQUEST['char'] ) ? $_REQUEST['char'] : 'utf-8';
+-$type = isset( $_REQUEST['type'] ) ? $_REQUEST['type'] : 'error';
+ 
+-header('Content-Type: text/html; charset=' . $char);
++/* Input sanitizing */
++require_once('./libraries/sanitizing.lib.php');
++
++/* Get variables */
++$lang    = isset( $_REQUEST['lang'] ) ?     htmlspecialchars($_REQUEST['lang'])     : 'en';
++$dir     = isset( $_REQUEST['dir']  ) ?     htmlspecialchars($_REQUEST['dir'])      : 'ltr';
++$charset = isset( $_REQUEST['charset'] ) ?  htmlspecialchars($_REQUEST['charset'])  : 'utf-8';
++$type    = isset( $_REQUEST['type'] ) ?     htmlspecialchars($_REQUEST['type'])     : 'error';
++
++header('Content-Type: text/html; charset=' . $charset);
+ ?>
+ <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd";>
+ <html xmlns="http://www.w3.org/1999/xhtml"; xml:lang="<?php echo $lang; ?>" dir="<?php echo $dir; ?>">
+ <head>
+     <title>phpMyAdmin</title>
+-    <meta http-equiv="Content-Type" content="text/html; charset=<?php echo $char; ?>" />
++    <meta http-equiv="Content-Type" content="text/html; charset=<?php echo $charset; ?>" />
+     <style type="text/css">
+     <!--
+     html {
+@@ -52,10 +57,10 @@
+ <body>
+ <h1>phpMyAdmin - <?php echo $type; ?></h1>
+ <p><?php
+-if (get_magic_quotes_gpc()) {
+-    echo stripslashes($_REQUEST['error']); }
+-else {
+-    echo $_REQUEST['error'];
+-}?></p>
++if (get_magic_quotes_gpc())
++    echo PMA_sanitize(stripslashes($_REQUEST['error']));
++else 
++    echo PMA_sanitize($_REQUEST['error']);
++?></p>
+ </body>
+ </html>
+diff -u -r1.1 -r2.1
+--- phpMyAdmin/libraries/sanitizing.lib.php	2005-09-07 11:54:25 +0200	1.1
++++ phpMyAdmin/libraries/sanitizing.lib.php	2005-09-15 20:00:35 +0200	2.1
+@@ -0,0 +1,32 @@
++<?php
++/* $Id: sanitizing.lib.php,v 2.1 2005/08/22 21:00:52 nijel Exp $ */
++// vim: expandtab sw=4 ts=4 sts=4:
++
++/**
++ * Sanitizes $message, taking into account our special codes
++ * for formatting
++ *
++ * @param   string   the message
++ *
++ * @return  string   the sanitized message
++ *
++ * @access  public
++ */
++function PMA_sanitize($message)
++{
++    $replace_pairs = array(
++        '<'     => '&lt;',
++        '>'     => '&gt;',
++        '[i]'   => '<i>',
++        '[/i]'  => '</i>',
++        '[b]'   => '<b>',
++        '[/b]'  => '</b>',
++        '[tt]'   => '<tt>',
++        '[/tt]'  => '</tt>',
++        '[br]'  => '<br />',
++        '[/a]'  => '</a>',
++    );
++    return preg_replace('/\[a@([^"@]*)@([^]"]*)\]/', '<a href="\1" target="\2">', strtr($message, $replace_pairs));
++}
++
++?>
=== debian/patches/102-bug1283552.patch
==================================================================
--- debian/patches/102-bug1283552.patch	(revision 251)
+++ debian/patches/102-bug1283552.patch	(local)
@@ -0,0 +1,34 @@
+XSS on username (bug #1283552)
+
+diff -u -r2.26 -r2.27
+--- phpMyAdmin/libraries/auth/cookie.auth.lib.php	2005/07/21 11:53:33	2.26
++++ phpMyAdmin/libraries/auth/cookie.auth.lib.php	2005/09/07 07:20:15	2.27
+@@ -255,14 +255,14 @@
+     <tr>
+         <td align="right" bgcolor="<?php echo $GLOBALS['cfg']['BgcolorOne']; ?>"><b><?php echo $GLOBALS['strLogServer']; ?>:&nbsp;</b></td>
+         <td align="<?php echo $cell_align; ?>" bgcolor="<?php echo $GLOBALS['cfg']['BgcolorOne']; ?>">
+-            <input type="text" name="pma_servername" value="<?php echo (isset($default_server) ? $default_server : ''); ?>" size="24" class="textfield" onfocus="this.select()" />
++            <input type="text" name="pma_servername" value="<?php echo (isset($default_server) ? htmlspecialchars($default_server) : ''); ?>" size="24" class="textfield" onfocus="this.select()" />
+         </td>
+     </tr>
+ <?php } ?>
+     <tr>
+         <td align="right" bgcolor="<?php echo $GLOBALS['cfg']['BgcolorOne']; ?>"><b><?php echo $GLOBALS['strLogUsername']; ?>&nbsp;</b></td>
+         <td align="<?php echo $cell_align; ?>" bgcolor="<?php echo $GLOBALS['cfg']['BgcolorOne']; ?>">
+-            <input type="text" name="pma_username" value="<?php echo (isset($default_user) ? $default_user : ''); ?>" size="24" class="textfield" onfocus="this.select()" />
++            <input type="text" name="pma_username" value="<?php echo (isset($default_user) ? htmlspecialchars($default_user) : ''); ?>" size="24" class="textfield" onfocus="this.select()" />
+         </td>
+     </tr>
+     <tr>
+diff -u -r2.73 -r2.73.2.1
+--- phpMyAdmin/main.php	2005/08/23 23:08:21	2.73
++++ phpMyAdmin/main.php	2005/09/07 07:20:00	2.73.2.1
+@@ -92,7 +92,7 @@
+ 
+     $full_string     = str_replace('%pma_s1%', PMA_MYSQL_STR_VERSION, $strMySQLServerProcess);
+     $full_string     = str_replace('%pma_s2%', $server_info, $full_string);
+-    $full_string     = str_replace('%pma_s3%', $mysql_cur_user_and_host, $full_string);
++    $full_string     = str_replace('%pma_s3%', htmlspecialchars($mysql_cur_user_and_host), $full_string);
+ 
+     echo '<p><b>' . $full_string . '</b></p>' . "\n";
+ } // end if
=== debian/patches/102-bug_XSS_on_header.inc.php.patch
==================================================================
--- debian/patches/102-bug_XSS_on_header.inc.php.patch	(revision 251)
+++ debian/patches/102-bug_XSS_on_header.inc.php.patch	(local)
@@ -0,0 +1,34 @@
+XSS on header.inc.php
+
+diff -u -r2.31 -r2.31.2.1
+--- phpMyAdmin/header.inc.php	2005/08/12 11:07:41	2.31
++++ phpMyAdmin/header.inc.php	2005/09/05 22:09:08	2.31.2.1
+@@ -41,16 +41,16 @@
+      */
+     $title     = '';
+     if ($cfg['ShowHttpHostTitle']) {
+-        $title .= (empty($GLOBALS['cfg']['SetHttpHostTitle']) && isset($_SERVER['HTTP_HOST']) ? $_SERVER['HTTP_HOST'] : $GLOBALS['cfg']['SetHttpHostTitle']) . ' >> ';
++        $title .= (empty($GLOBALS['cfg']['SetHttpHostTitle']) && isset($_SERVER['HTTP_HOST']) ? $_SERVER['HTTP_HOST'] : $GLOBALS['cfg']['SetHttpHostTitle']) . ' / ';
+     }
+     if (!empty($GLOBALS['cfg']['Server']) && isset($GLOBALS['cfg']['Server']['host'])) {
+         $title.=str_replace('\'', '\\\'', $GLOBALS['cfg']['Server']['host']);
+     }
+     if (isset($GLOBALS['db'])) {
+-        $title .= ' >> ' . str_replace('\'', '\\\'', $GLOBALS['db']);
++        $title .= ' / ' . str_replace('\'', '\\\'', $GLOBALS['db']);
+     }
+     if (isset($GLOBALS['table'])) {
+-        $title .= (empty($title) ? '' : ' ') . ' >> ' . str_replace('\'', '\\\'', $GLOBALS['table']);
++        $title .= (empty($title) ? '' : ' ') . ' / ' . str_replace('\'', '\\\'', $GLOBALS['table']);
+     }
+     $title .= ' | phpMyAdmin ' . PMA_VERSION;
+     ?>
+@@ -59,7 +59,7 @@
+     // Updates the title of the frameset if possible (ns4 does not allow this)
+     if (typeof(parent.document) != 'undefined' && typeof(parent.document) != 'unknown'
+         && typeof(parent.document.title) == 'string') {
+-        parent.document.title = '<?php echo $title; ?>';
++        parent.document.title = '<?php echo PMA_sanitize($title); ?>';
+     }
+ 
+     document.write('<style type="text/css">');

Attachment: pgprEul7IH7ZS.pgp
Description: PGP signature


Reply to: