Hello community, here is the log from the commit of package phpMyAdmin checked in at Thu Apr 20 18:03:12 CEST 2006.
--------
--- phpMyAdmin/phpMyAdmin.changes 2006-04-13 16:05:41.000000000 +0200
+++ NOARCH/phpMyAdmin/phpMyAdmin.changes 2006-04-20 17:33:20.000000000 +0200
@@ -1,0 +2,7 @@
+Thu Apr 20 17:26:44 CEST 2006 - mmarek@suse.cz
+
+- fixed XSS in sql.php (and other scripts): add a secret token to
+ each link and form to prevent linking to sql.php from outside
+ [#165772] (CVE-2006-1804)
+
+-------------------------------------------------------------------
New:
----
phpMyAdmin-2.8.0.3-CVE-2006-1804.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ phpMyAdmin.spec ++++++
--- /var/tmp/diff_new_pack.A20Uz5/_old 2006-04-20 18:02:59.000000000 +0200
+++ /var/tmp/diff_new_pack.A20Uz5/_new 2006-04-20 18:02:59.000000000 +0200
@@ -17,10 +17,11 @@
 Requires: mod_php_any php-mysql php-bz2 php-gd php-zlib php-iconv php-mcrypt php-session
 Autoreqprov: on
 Version: 2.8.0.3
-Release: 1
+Release: 4
 %define tarversion %{version}
 Source0: %{name}-%{tarversion}.tar.bz2
 Patch1: %{name}-blowfish_secret.patch
+Patch2: %{name}-%{version}-CVE-2006-1804.patch
 URL: http://www.phpMyAdmin.net
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
 Summary: Administration of MySQL over the web
@@ -64,6 +65,7 @@
 %prep
 %setup -q -n %{name}-%{tarversion}
 %patch1
+%patch2
 find . -type d -exec chmod 755 {} \;
 find . -type f -exec chmod 644 {} \;
 find . -type f -name '*.orig' -exec rm {} \;
@@ -126,6 +128,10 @@
 %verify(not md5 size mtime) %config(noreplace) %{serverroot}%{name}/libraries/blowfish_secret.inc.php
 %changelog -n phpMyAdmin
+* Thu Apr 20 2006 - mmarek@suse.cz
+- fixed XSS in sql.php (and other scripts): add a secret token to
+ each link and form to prevent linking to sql.php from outside
+ [#165772] (CVE-2006-1804)
 * Thu Apr 13 2006 - mmarek@suse.cz
 - updated to 2.8.0.3
 * fixes some XSS vulnerabilities
++++++ phpMyAdmin-2.8.0.3-CVE-2006-1804.patch ++++++
Index: import.php
===================================================================
RCS file: /cvsroot/phpmyadmin/phpMyAdmin/import.php,v
retrieving revision 2.17.2.1
diff -u -r2.17.2.1 import.php
--- import.php 31 Jan 2006 21:23:11 -0000 2.17.2.1
+++ import.php 20 Apr 2006 12:49:43 -0000
@@ -47,6 +47,9 @@
 // Check needed parameters
 PMA_checkParameters(array('import_type', 'format'));
+// Check authentication token
+PMA_checkToken();
+
 // We don't want anything special in format
 $format = PMA_securePath($format);
Index: sql.php
===================================================================
RCS file: /cvsroot/phpmyadmin/phpMyAdmin/sql.php,v
retrieving revision 2.83.2.2.2.1
diff -u -r2.83.2.2.2.1 sql.php
--- sql.php 23 Feb 2006 17:53:04 -0000 2.83.2.2.2.1
+++ sql.php 20 Apr 2006 12:49:43 -0000
@@ -10,6 +10,9 @@
 require_once './libraries/check_user_privileges.lib.php';
 require_once './libraries/bookmark.lib.php';
+// Check authentication token
+PMA_checkToken();
+
 /**
  * Defines the url to return to in case of error in a sql statement
  */
Index: libraries/session.inc.php
===================================================================
RCS file: /cvsroot/phpmyadmin/phpMyAdmin/libraries/session.inc.php,v
retrieving revision 2.8.2.2.2.1
diff -u -r2.8.2.2.2.1 session.inc.php
--- libraries/session.inc.php 2 Mar 2006 15:28:09 -0000 2.8.2.2.2.1
+++ libraries/session.inc.php 20 Apr 2006 12:49:43 -0000
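Review bot: The `PMA_checkToken();` call added to import.php (this hunk) and sql.php (the next hunk) covers only these two entry points, while the accompanying changelog entry describes the fix as protecting "sql.php (and other scripts)"; the patch touches no other script, so whether every script that executes or alters data is reached only through these two should be confirmed before treating the issue as closed. Both calls also rely on libraries/session.inc.php having been included and the session started beforehand; the hunks do not show that include, presumably it comes through the common library, which is worth verifying since PMA_checkToken() is defined in session.inc.php. Because the check emits a complete HTML error page and exits on mismatch, the call site should say that no output may precede it, e.g. `// Must run before any output: PMA_checkToken() prints an error page and exits on a token mismatch`.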
@@ -101,6 +101,26 @@
 @session_start();
 /**
+ * Token which is used for authenticating access queries.
+ */
+if (!isset($_SESSION['PMA_token'])) {
+ $_SESSION['PMA_token'] = md5(uniqid(rand(), true));
+}
+
+/**
+ * Check whether user supplied token is valid.
+ */
+function PMA_checkToken($die = true) {
+ if (!isset($_REQUEST['token']) || $_SESSION['PMA_token'] != $_REQUEST['token']) {
+ require_once './libraries/header_meta_style.inc.php';
+ echo '</head><body><p>Wrong authentication token!</p></body></html>';
+ if ($die) {
+ exit();
+ }
+ }
+}
+
+/**
  * trys to secure session from hijacking and fixation
  * should be called before login and after successfull login
  * (only required if sensitive information stored in session)
Index: libraries/url_generating.lib.php
===================================================================
RCS file: /cvsroot/phpmyadmin/phpMyAdmin/libraries/url_generating.lib.php,v
retrieving revision 2.10
diff -u -r2.10 url_generating.lib.php
--- libraries/url_generating.lib.php 19 Jan 2006 15:47:22 -0000 2.10
+++ libraries/url_generating.lib.php 20 Apr 2006 12:49:43 -0000
@@ -64,6 +64,8 @@
 $params['collation_connection'] = $GLOBALS['collation_connection'];
 }
+ $params['token'] = $_SESSION['PMA_token'];
+
 if (! is_array($skip)) {
 if (isset($params[$skip])) {
 unset($params[$skip]);
@@ -187,6 +189,8 @@
 $params['collation_connection'] = $GLOBALS['collation_connection'];
 }
+ $params['token'] = $_SESSION['PMA_token'];
+
 $param_strings = array();
 foreach ($params as $key => $val) {
 $param_strings[] = urlencode($key) . '=' . urlencode($val);
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Remember to have fun...
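Review bot: The comparison in `PMA_checkToken()` uses loose `!=`, so the supplied token is compared to the session value under PHP's loose-equality rules instead of byte for byte; `isset()` is only applied to `$_REQUEST['token']`, and if `$_SESSION['PMA_token']` is ever unset (null) an empty supplied token compares equal and the check passes. Change the condition to `if (!isset($_REQUEST['token']) || !isset($_SESSION['PMA_token']) || $_SESSION['PMA_token'] !== $_REQUEST['token'])` so it fails closed. When called with `$die = false` the function prints the error page but returns nothing, so the caller cannot tell that the check failed; `return false;` in the mismatch branch and `return true;` at the end would make the non-fatal mode usable. The token is generated with `md5(uniqid(rand(), true))`, which is not a cryptographic randomness source, and `$_REQUEST` accepts it from cookies as well as GET/POST depending on `variables_order`; a comment such as `// NOTE: rand()/uniqid() are not cryptographically strong; prefer an OS randomness source where available` and a narrower read from `$_GET`/`$_POST` would both be worth adding.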
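Review bot: Both hunks of url_generating.lib.php read `$_SESSION['PMA_token']` unconditionally, so if a URL is generated before the session token exists the read raises a notice and the link is emitted with an empty `token` parameter; guarding it with `if (isset($_SESSION['PMA_token'])) { $params['token'] = $_SESSION['PMA_token']; }` keeps URL generation quiet and lets the failure surface at the check instead. Placing the token on every generated GET URL also means it appears in browser history, server logs and the Referer header sent to any external site linked from a page, so a comment at both assignments, `// token is part of every generated URL and therefore visible in logs and Referer headers; never reuse it for another purpose`, would warn maintainers, with POST forms for state-changing actions as the longer-term fix. In the first hunk the assignment runs before the `$skip` handling, so a caller that passes 'token' as the skip key removes it again, which is presumably intended but undocumented. Both enclosing functions start and end outside these hunks.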