XSS vulnerability in drag-and-drop upload (CVE-2023-25727, PMASA-2023-1)

Bug #2016018 reported by William Desportes
Affects                Status         Importance   Assigned to          Milestone
phpmyadmin (Debian)    Fix Released   Undecided    William Desportes
phpmyadmin (Ubuntu)    Fix Released   Undecided    Unassigned
  Jammy                Confirmed      Undecided    Unassigned
  Kinetic              Won't Fix      Undecided    Unassigned

Bug Description

[ Impact ]

An authenticated user can trigger an XSS attack by uploading a specially-crafted .sql file through the drag-and-drop interface.

CVE-2023-25727, PMASA-2023-1

[ Test Plan ]

   - create a file named `"><img src=x onerror=alert(11)>.sql`
   - install phpmyadmin and a local database
   - log in
   - drag and drop the file
   - view the uploads and click `Failed` to verify the XSS occurs.
   - install the package with the proposed fix
   - retry the operation above and verify the XSS no longer occurs.

[ Where problems could occur ]

The fix consists of sanitizing user input through the document.createTextNode JS function [1]. As long as the function's HTML escaping capabilities are sound and complete, no regressions regarding this CVE should arise. However, a new level of indirection was introduced to perform the HTML escaping, and different browsers may implement the function in different ways, which may result in as-yet-unaccounted-for bugs being filed in the future.

[1] https://developer.mozilla.org/en-US/docs/Web/API/Document/createTextNode
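To illustrate the difference between the two rendering patterns described above, here is an added example (not phpMyAdmin's code): the upload status entry is built once by concatenating the file name into an innerHTML string and once by appending it as a text node, using the crafted file name from the test plan. The function names are assumptions, and the browser DOM is replaced by a small constructed stand-in so the block runs under Node.

```javascript
// Added example, not phpMyAdmin's code. A minimal constructed stand-in for the
// DOM methods used (createElement, createTextNode, appendChild, innerHTML,
// outerHTML); in a browser pass the real `document` instead of fakeDocument.
const escapeText = (s) =>
  s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');

class FakeText {
  constructor(data) { this.data = data; }
  // Browsers serialize text nodes with &, < and > escaped, so the content
  // can never be re-parsed as markup.
  get outerHTML() { return escapeText(this.data); }
}
class FakeElement {
  constructor(tag) { this.tag = tag; this.children = []; this.rawMarkup = ''; }
  appendChild(node) { this.children.push(node); return node; }
  // Assigning innerHTML hands raw markup to the HTML parser; the stand-in
  // simply keeps the string, which is exactly what the parser would see.
  set innerHTML(markup) { this.rawMarkup = markup; this.children = []; }
  get innerHTML() {
    return this.children.length
      ? this.children.map((c) => c.outerHTML).join('')
      : this.rawMarkup;
  }
  get outerHTML() { return `<${this.tag}>${this.innerHTML}</${this.tag}>`; }
}
const fakeDocument = {
  createElement: (tag) => new FakeElement(tag),
  createTextNode: (data) => new FakeText(data),
};

// Vulnerable pattern: the file name is concatenated into markup.
function renderStatusUnsafe(fileName, doc = fakeDocument) {
  const li = doc.createElement('li');
  li.innerHTML = '<span>' + fileName + '</span> Failed';
  return li;
}

// Hardened pattern (the approach the fix takes): the file name becomes a
// text node, so the parser never interprets it as markup.
function renderStatusSafe(fileName, doc = fakeDocument) {
  const li = doc.createElement('li');
  const span = doc.createElement('span');
  span.appendChild(doc.createTextNode(fileName));
  li.appendChild(span);
  li.appendChild(doc.createTextNode(' Failed'));
  return li;
}

// Did the file name manage to introduce an <img> element into the markup?
function containsInjectedTag(markup) { return /<img\b/i.test(markup); }

const crafted = '"><img src=x onerror=alert(11)>.sql'; // file name from the test plan
```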

[ Other Info ]

This has been fixed since Lunar.

- https://www.phpmyadmin.net/security/PMASA-2023-1/
- https://bugs.launchpad.net/ubuntu/+source/phpmyadmin/+bug/2013402


Changed in phpmyadmin (Debian):
assignee: nobody → William Desportes (williamdes)
status: New → Fix Released
Changed in phpmyadmin (Ubuntu):
status: New → Fix Released
summary: - [SRU] Fix CVE-2023-25727, PMASA-2023-1
+ XSS vulnerability in drag-and-drop upload (CVE-2023-25727, PMASA-2023-1)
description: updated
Revision history for this message
Steve Langasek (vorlon) wrote : Proposed package upload rejected

An upload of phpmyadmin to kinetic-proposed has been rejected from the upload queue for the following reason: "incomplete Recommends fix (LP: #2016017)".

Revision history for this message
Steve Langasek (vorlon) wrote :

An upload of phpmyadmin to jammy-proposed has been rejected from the upload queue for the following reason: "incomplete Recommends fix (LP: #2016017)".

Revision history for this message
Athos Ribeiro (athos-ribeiro) wrote :

Re-uploaded the jammy fix without the recommends patch.

Changed in phpmyadmin (Ubuntu Kinetic):
status: New → Won't Fix
Changed in phpmyadmin (Ubuntu Jammy):
status: New → In Progress
Revision history for this message
Chris Halse Rogers (raof) wrote : Please test proposed package

Hello William, or anyone else affected,

Accepted phpmyadmin into jammy-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/phpmyadmin/4:5.1.1+dfsg1-5ubuntu1.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-jammy to verification-done-jammy. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-jammy. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in phpmyadmin (Ubuntu Jammy):
status: In Progress → Fix Committed
tags: added: verification-needed verification-needed-jammy
Revision history for this message
Athos Ribeiro (athos-ribeiro) wrote :

I installed mysql-server, phpmyadmin and libapache2-mod-php.
Then, I browsed to the phpmyadmin login panel at localhost/phpmyadmin and logged in with user phpadmin and the password set during the phpmyadmin installation.
I selected the phpmyadmin database, created the '"><img src=x onerror=alert(11)>.sql' file locally and drag/dropped it into the phpmyadmin page.

A menu popped up in the lower right corner saying the upload failed. When I click on the "Failed" link, the alert JS command is executed and an alert window shows up in the browser, confirming the XSS bug.

At this point, the phpmyadmin version installed is 4:5.1.1+dfsg1-5ubuntu1.

I then upgrade phpmyadmin to the version in -proposed, 4:5.1.1+dfsg1-5ubuntu1.1.

I drag and drop that same file again, and the failed message pops up once again. Once again, when clicking the Failed link, the alert shows up.

I am using Mozilla Firefox 116.0.3 in Ubuntu Mantic.

It seems the patch is not fixing the CVE here.

William, am I missing something here?

Revision history for this message
Andreas Hasenack (ahasenack) wrote :

Given the previous comment, I'm going to tag this as verification failed.

tags: added: verification-failed-jammy
removed: verification-needed-jammy
Revision history for this message
Chris Halse Rogers (raof) wrote :

The version of phpmyadmin in the proposed pocket of Jammy that was purported to fix this bug report has been removed because one or more bugs that were to be fixed by the upload have failed verification and been in this state for more than 10 days.

Changed in phpmyadmin (Ubuntu Jammy):
status: Fix Committed → Confirmed