Dnia Wednesday 16 of November 2005 13:17, Martin Schulze napisaƂ:
> > Vuln 1:
> > Full Path Disclosures in the following files:
>
> > Vuln 2:
> > Http Response Splitting in libraries/header_http.inc.php
>
> Do you know if this is the same vulnerability as the first one above?

The Full Path Disclosure is not fixed currently by upstream and I think it is 
not important for Debian version.

I'm attaching the patch for sarge.

Additionally, I've fixed the important bug #324318. Please include the patch 
for this bug in the stable release. The patch doesn't change program 
functionality and resolves more problems with a bad configuration file which are 
not reported to the BTS.

-- 
 .''`.    Piotr Roszatycki, Netia SA
: :' :    mailto:[EMAIL PROTECTED]
`. `'     mailto:[EMAIL PROTECTED]
  `-
=== debian/changelog
==================================================================
--- debian/changelog	(revision 373)
+++ debian/changelog	(local)
@@ -1,3 +1,19 @@
+phpmyadmin (4:2.6.2-3sarge2) stable-security; urgency=high
+
+  * Security fix: HTTP Response Splitting vulnerability.
+    See: http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2005-6
+    See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3621
+    Closes: #339437.
+
+  * New 104-bug_PMASA-2005-6.patch:
+    - Fixes HTTP Response Splitting vulnerability.
+  * New 105-bug_debian_324318.patch:
+    - Always set the default configuration values, even if the config.inc.php
+      file seems to be up to date. This fix allows to utilise more than three
+      databases. Closes: #324318.
+
+ -- Piotr Roszatycki <[EMAIL PROTECTED]>  Wed, 16 Nov 2005 17:49:13 +0100
+
 phpmyadmin (4:2.6.2-3sarge1) stable-security; urgency=high
 
   * NMU by security team to fix several vulnerabilities.  Patch provided
=== debian/patches/104-bug_PMASA-2005-6.patch
==================================================================
--- debian/patches/104-bug_PMASA-2005-6.patch	(revision 373)
+++ debian/patches/104-bug_PMASA-2005-6.patch	(local)
@@ -0,0 +1,79 @@
+diff -Nru phpMyAdmin-2.6.4-pl3/libraries/db_table_exists.lib.php phpMyAdmin-2.6.4-pl4/libraries/db_table_exists.lib.php
+--- phpMyAdmin-2.6.4-pl3/libraries/db_table_exists.lib.php	2004-10-19 21:51:54.000000000 +0200
++++ phpMyAdmin-2.6.4-pl4/libraries/db_table_exists.lib.php	2005-11-15 16:21:47.000000000 +0100
+@@ -12,7 +12,7 @@
+         $is_db = @PMA_DBI_select_db($db);
+     }
+     if (empty($db) || !$is_db) {
+-        if (!isset($is_transformation_wrapper)) {
++        if (!defined('IS_TRANSFORMATION_WRAPPER')) {
+             PMA_sendHeaderLocation($cfg['PmaAbsoluteUri'] . 'main.php?' . PMA_generate_common_url('', '', '&') . (isset($message) ? '&message=' . urlencode($message) : '') . '&reload=1');
+         }
+         exit;
+@@ -26,7 +26,7 @@
+     if (empty($table)
+         || !($is_table && @PMA_DBI_num_rows($is_table))) {
+         $redirect = TRUE;
+-        if (!isset($is_transformation_wrapper)) {
++        if (!defined('IS_TRANSFORMATION_WRAPPER')) {
+             $redirect = TRUE;
+             if (!empty($table)) {
+                 PMA_DBI_free_result($is_table);
+diff -Nru phpMyAdmin-2.6.4-pl3/libraries/header_http.inc.php phpMyAdmin-2.6.4-pl4/libraries/header_http.inc.php
+--- phpMyAdmin-2.6.4-pl3/libraries/header_http.inc.php	2004-04-27 14:36:11.000000000 +0200
++++ phpMyAdmin-2.6.4-pl4/libraries/header_http.inc.php	2005-11-15 16:21:47.000000000 +0100
+@@ -5,19 +5,13 @@
+ /**
+  * Sends http headers
+  */
+-// Don't use cache (required for Opera)
+-$ctype = (isset($ctype) ? $ctype : 'html');
+-if ($ctype == 'css') {
+-        header('Content-Type: text/css; charset=ISO-8859-1');
+-} else {
+-    $GLOBALS['now'] = gmdate('D, d M Y H:i:s') . ' GMT';
+-    header('Expires: ' . $GLOBALS['now']); // rfc2616 - Section 14.21
+-    header('Last-Modified: ' . $GLOBALS['now']);
+-    header('Cache-Control: no-store, no-cache, must-revalidate, pre-check=0, post-check=0, max-age=0'); // HTTP/1.1
+-    header('Pragma: no-cache'); // HTTP/1.0
+-    if (!isset($is_transformation_wrapper)) {
+-        // Define the charset to be used
+-        header('Content-Type: text/' . $ctype . '; charset=' . $GLOBALS['charset']);
+-    }
++$GLOBALS['now'] = gmdate('D, d M Y H:i:s') . ' GMT';
++header('Expires: ' . $GLOBALS['now']); // rfc2616 - Section 14.21
++header('Last-Modified: ' . $GLOBALS['now']);
++header('Cache-Control: no-store, no-cache, must-revalidate, pre-check=0, post-check=0, max-age=0'); // HTTP/1.1
++header('Pragma: no-cache'); // HTTP/1.0
++if (!defined('IS_TRANSFORMATION_WRAPPER')) {
++    // Define the charset to be used
++    header('Content-Type: text/html; charset=' . $GLOBALS['charset']);
+ }
+ ?>
+diff -Nru phpMyAdmin-2.6.4-pl3/css/phpmyadmin.css.php phpMyAdmin-2.6.4-pl4/css/phpmyadmin.css.php
+--- phpMyAdmin-2.6.4-pl3/css/phpmyadmin.css.php	2005-08-16 19:49:57.000000000 +0200
++++ phpMyAdmin-2.6.4-pl4/css/phpmyadmin.css.php	2005-11-15 16:21:47.000000000 +0100
+@@ -13,8 +13,8 @@
+ // but only functions used to determine browser heritage.
+ PMA_setFontSizes();
+ 
+-$ctype = 'css';
+-require_once('./libraries/header_http.inc.php');
++// Send correct type:
++header('Content-Type: text/css; charset=ISO-8859-1');
+ 
+ if (!isset($js_frame)) {
+     $js_frame = 'left';
+diff -Nru phpMyAdmin-2.6.4-pl3/transformation_wrapper.php phpMyAdmin-2.6.4-pl4/transformation_wrapper.php
+--- phpMyAdmin-2.6.4-pl3/transformation_wrapper.php	2004-08-21 15:41:41.000000000 +0200
++++ phpMyAdmin-2.6.4-pl4/transformation_wrapper.php	2005-11-15 16:21:47.000000000 +0100
+@@ -1,8 +1,8 @@
+ <?php
+ /* $Id: transformation_wrapper.php,v 2.7 2004/08/21 13:41:41 lem9 Exp $ */
+ // vim: expandtab sw=4 ts=4 sts=4:
+ 
+-$is_transformation_wrapper = true;
++define('IS_TRANSFORMATION_WRAPPER', true);
+ 
+ /**
+  * Get the variables sent or posted to this script and displays the header
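Review bot: The inner patch is the phpMyAdmin-2.6.4-pl3 to -pl4 diff, while the changelog targets 2.6.2-3sarge2, and it converts only the four files shown, so any other file in the 2.6.2 tree that still tests `isset($is_transformation_wrapper)` or sets `$ctype` before including `libraries/header_http.inc.php` stays unconverted. A leftover `isset()` test would still depend on a plain variable, and a leftover `$ctype = 'css'` caller would now be answered with `text/html`, so the 2.6.2 sources should be searched for both names before upload. In `header_http.inc.php` the Content-Type line still concatenates `$GLOBALS['charset']` into a header; where that value is assigned is not visible here, so it is worth confirming that it never comes from request input. I would also document the intent above the new define, e.g. `// Constant rather than a variable so that request input cannot set it.`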

Property changes on: debian/patches/104-bug_PMASA-2005-6.patch
___________________________________________________________________
Name: svn:mime-type
 +text/x-patch

=== debian/patches/105-bug_debian_324318.patch
==================================================================
--- debian/patches/105-bug_debian_324318.patch	(revision 373)
+++ debian/patches/105-bug_debian_324318.patch	(local)
@@ -0,0 +1,25 @@
+diff -Nru phpMyAdmin-2.6.2.orig/libraries/common.lib.php phpMyAdmin-2.6.2/libraries/common.lib.php
+--- phpMyAdmin-2.6.2.orig/libraries/common.lib.php	2005-11-16 12:52:16.000000000 +0100
++++ phpMyAdmin-2.6.2/libraries/common.lib.php	2005-11-16 17:43:34.000000000 +0100
+@@ -116,20 +116,8 @@
+ 
+ /**
+  * Includes compatibility code for older config.inc.php revisions
+- * if necessary
+  */
+-if (isset($cfg['FileRevision'])) {
+-    // converting revision string into an array
+-    //     e.g. "Revision: 2.0" becomes array(2, 0).
+-    $cfg['FileRevision'] = str_replace('$' . 'Revision: ', '', $cfg['FileRevision']);
+-    $cfg['FileRevision'] = str_replace(' $', '', $cfg['FileRevision']);
+-    $cfg['FileRevision'] = explode('.', $cfg['FileRevision']);
+-} else {
+-    $cfg['FileRevision'] = array(1, 1);
+-}
+-if ($cfg['FileRevision'][0] < 2 || ($cfg['FileRevision'][0] == 2 && $cfg['FileRevision'][1] < 48)) {
+-    require_once('./libraries/config_import.lib.php');
+-}
++require_once('./libraries/config_import.lib.php');
+ 
+ /**
+  * Includes the language file if it hasn't been included yet
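Review bot: Dropping the version test also drops the code that turned `$cfg['FileRevision']` into an array, so any later code in 2.6.2 that indexes `$cfg['FileRevision'][0]` would now read a character of the raw revision string, or an unset key; no such reader is visible in this hunk, so the tree should be checked. Because `config_import.lib.php` now runs on every request, it must fill in only the keys that `config.inc.php` left unset and never overwrite an administrator's value, access-control settings included; its contents are not shown here. The docblock kept above the include still describes compatibility code for older revisions, and I would reword it to `* Always loads the default configuration values for keys missing from config.inc.php`.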

Property changes on: debian/patches/105-bug_debian_324318.patch
___________________________________________________________________
Name: svn:mime-type
 +text/x-patch
