Bug 165772 - VUL-0: phpMyAdmin XSS
VUL-0: phpMyAdmin XSS
Classification: openSUSE
Product: SUSE Linux 10.1
Classification: openSUSE
Component: Network
RC 1
Other Other
: P5 - None : Normal (vote)
: ---
Assigned To: Security Team bot
E-mail List
CVE-2006-1804: CVSS v2 Base Score: 7....
Depends on:
  Show dependency treegraph
Reported: 2006-04-13 08:04 UTC by Marcus Meissner
Modified: 2009-10-13 21:50 UTC (History)
4 users (show)

See Also:
Found By: Other
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Marcus Meissner 2006-04-13 08:04:45 UTC

Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin
before allow remote attackers to inject arbitrary web script
or HTML via unknown vectors in unspecified scripts in the themes

Comment 1 Cristian Rodríguez 2006-04-13 08:30:15 UTC
petr.. IMHO just upgrade to the current stable version ;-)
Comment 2 Petr Ostadal 2006-04-13 08:39:12 UTC
Cristian, version upgrade can permit only project manager.
Comment 4 Cristian Rodríguez 2006-04-13 09:07:30 UTC
I see phpmyadmin phpMyAdmin-2.7.0pl2-11.src.rpm   in mirrors.
be aware that versions won't work 100% on PHP 5.1.2

see: http://www.phpmyadmin.net/home_page/downloads.php?relnotes=0

(and look at the Fixes for,the second, that was reported by me ;-) )

And A lilte coment, but somewhat off topic, configure PHPadmin to use the mysqli extension by default,the old mysql extension is not really intended to be used with Mysql 5, and can cause problems.
Comment 5 Michal Marek 2006-04-13 09:13:41 UTC
Looks like the XSS only works with register_globals = On (we have Off by
default), but I'm not sure yet.
Comment 7 Cristian Rodríguez 2006-04-13 09:44:30 UTC
@Michal : very likely , but be aware that phpmyadmin do implement some kind of register_globals emulation, to support arcane PHP versions.

the register_globals debacle has ended, it has been removed from the next PHP version as well as safe.mode and magic_quotes_* ( thank god.) 
Comment 11 Ludwig Nussel 2006-04-19 06:41:53 UTC
more phpMyAdmin fun...

+Name: CVE-2006-1803
+Status: Candidate
+URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1803
+Phase: Assigned (20060417)
+Cross-site scripting (XSS) vulnerability in sql.php in phpMyAdmin
+2.7.0-pl1 allows remote attackers to inject arbitrary web script or
+HTML via the sql_query parameter.
+Current Votes:
+None (candidate not yet proposed)
+Name: CVE-2006-1804
+Status: Candidate
+URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1804
+Phase: Assigned (20060417)
+SQL injection vulnerability in sql.php in phpMyAdmin 2.7.0-pl1 allows
+remote attackers to execute arbitrary SQL commands via the sql_query
+Current Votes:
+None (candidate not yet pro
Comment 12 Cristian Rodríguez 2006-04-19 07:16:16 UTC
That's why Im saying distro should ship the current version and don't even waste time and resources creating patches..., and again.. the shipped version is not 100% compatible with the PHP version shipped with 10.1--read the PHPmyadmin Changelog...

Since years, I have updated my version from STABLE CVS branch, and never had any problems.(except due the unreliable Sourceforge CVS, but that's another story ;-)  )

Comment 13 Michal Marek 2006-04-19 11:46:20 UTC
Cristian, I already did the upgrade for 10.1:
Comment 18 Ruediger Oertel 2006-04-23 23:01:02 UTC
can I have patchinfo files for this ?
Comment 19 Cristian Rodríguez 2006-04-23 23:07:02 UTC
BTW:.. CVE-2006-1804 isn't a bug, it's a feature. ;-)
since PHpmyadmin is a tool for database adminsitration, it HAVE to execute arbitrary sql on sql.php file, that's the intended behaviuor . he ¡ :-)

you have to be authenticated to use sql.php file, of course.
Comment 20 Petr Ostadal 2006-04-24 10:44:28 UTC
Cristian, the fix is from Michal Cihar (developer of phpMyAdmin), he was employee of SuSE CR.
Comment 21 Michal Marek 2006-04-24 11:34:18 UTC
...and the fix still lets you execute any SQL via PMA, it just checks that the
query comes via a link or form containing a secret token.
Comment 22 Ludwig Nussel 2006-04-24 12:36:16 UTC
What about CVE-2006-1803?
Comment 23 Michal Marek 2006-04-24 13:44:10 UTC
That's also fixed: if the token doesn't match, PMA just outputs an error
message and doesn't display anything else (IOW: $sql_query is displayed iff it
is sent to the mysql server).
Comment 24 Cristian Rodríguez 2006-04-24 22:24:23 UTC
Thanks for explanation folks.
Comment 25 Ludwig Nussel 2006-04-25 07:39:42 UTC
Comment 26 Ludwig Nussel 2006-04-26 15:28:30 UTC
updates released
Comment 27 Thomas Biege 2009-10-13 21:50:22 UTC
CVE-2006-1804: CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)