phpMyAdmin: CVE-2009-1151: Arbitrary code execution

Bug #387215 reported by Kenny Millington
Affects               Status         Importance   Assigned to   Milestone
phpmyadmin (Ubuntu)   Fix Released   Undecided    Unassigned
Dapper                Fix Released   High         Unassigned
Hardy                 Fix Released   High         Unassigned
Intrepid              Fix Released   High         Unassigned
Jaunty                Fix Released   High         Unassigned
Karmic                Fix Released   Undecided    Unassigned

Bug Description

PoC/Exploit:-
http://www.milw0rm.com/exploits/8921

(Dapper definitely vulnerable, not tested others yet.)


Kenny Millington (kmdm) wrote :

Confirmed vulnerable version was:-

  Version table:
     4:2.8.1-1~dapper1 0
        500 http://gb.archive.ubuntu.com dapper-backports/universe Packages

Kees Cook (kees)
visibility: private → public
Changed in phpmyadmin (Ubuntu Dapper):
status: New → Confirmed
importance: Undecided → High
Changed in phpmyadmin (Ubuntu Hardy):
status: New → Confirmed
importance: Undecided → High
Changed in phpmyadmin (Ubuntu Intrepid):
status: New → Confirmed
importance: Undecided → High
Changed in phpmyadmin (Ubuntu Jaunty):
status: New → Confirmed
importance: Undecided → High
Changed in phpmyadmin (Ubuntu Karmic):
status: New → Confirmed
importance: Undecided → High
importance: High → Undecided
status: Confirmed → Fix Released
Jonathan Davies (jpds) wrote :

Upstream have provided a patch to fix this bug: http://www.phpmyadmin.net/home_page/security/PMASA-2009-3.php

Johnathon (kirrus) wrote :

This bug has so far resulted in at least 4 exploited servers, though luckily so far apparently only by idiot script kiddies unable to get past the shell at www-data.

We have been using the mitigation of changing the permissions in the relevant place, but it would be nice not to have to do so.

Jonathan Davies (jpds) wrote :

Attached is a patch from upstream SVN which claims to fix this for Hardy. Unfortunately, I've been unable to reproduce the problem locally, so testing would be appreciated.

I have also built a binary package with the patch included and have placed it here: http://spooky.ubuntuwire.com/~jpds/phpmyadmin_2.11.3-1ubuntu1.2_all.deb

Iain Lane (laney)
Changed in phpmyadmin (Ubuntu Hardy):
status: Confirmed → In Progress
Changed in phpmyadmin (Ubuntu Hardy):
status: In Progress → Fix Committed
Changed in phpmyadmin (Ubuntu Intrepid):
status: Confirmed → Fix Committed
Changed in phpmyadmin (Ubuntu Jaunty):
status: Confirmed → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package phpmyadmin - 4:2.11.3-1ubuntu1.2

---------------
phpmyadmin (4:2.11.3-1ubuntu1.2) hardy-security; urgency=low

  [ Jonathan Davies ]
  * SECURITY UPDATE: Insufficient output sanitizing when generating
    configuration file (LP: #387215).
    - debian/patches/053_CVE-2009-1151.dpatch: Added. Do not output unescaped
      chars to generated configuration file. Patch from upstream SVN revision
      12301.
    - References:
      + CVE-2009-1151
      + PMASA-2009-3

  [ Marc Deslauriers ]
  * SECURITY UPDATE: authorization bypass via cross-site request forgery
    - debian/patches/054_CVE-2008-3197.dpatch: use a token in index.php,
      js/querywindow.js and libraries/footer.inc.php. Use a "new_db"
      parameter in db_create.php, libraries/common.inc.php and
      libraries/display_create_database.lib.php.
    - CVE-2008-3197
  * SECURITY UPDATE: spoofing or fishing via cross-site framing attack
    (LP: #259839)
    - debian/patches/055_CVE-2008-3456.dpatch: Introduce new
      AllowThirdPartyFraming configuration boolean that allows phpMyAdmin
      to be included from a document located on another domain.
    - CVE-2008-3456
  * SECURITY UPDATE: code injection via cross-site scripting in setup.php
    (LP: #259839)
    - debian/patches/056_CVE-2008-3457.dpatch: clean $val[1] in
      scripts/setup.php.
    - CVE-2008-3457
  * SECURITY UPDATE: remote code execution via PHP sequences in sort_by
    parameter
    - debian/patches/057_CVE-2008-4096.dpatch: add new
      PMA_usort_comparison_callback in libraries/database_interface.lib.php
    - CVE-2008-4096
  * SECURITY UPDATE: cross-site scripting via NUL byte
    - debian/patches/058_CVE-2008-4326.dpatch: remove NUL bytes in
      libraries/js_escape.lib.php.
    - CVE-2008-4326
  * SECURITY UPDATE: cross-site scripting in pmd_pdf.php when
    register_globals is enabled
    - debian/patches/059_CVE-2008-4775.dpatch: use
      PMA_generate_common_hidden_inputs in pmd_pdf.php.
    - CVE-2008-4775
  * SECURITY UPDATE: code execution via CSRF vulnerability (LP: #306699)
    - debian/patches/060_CVE-2008-5621.dpatch: use PMA_backquote instead of
      PMA_sqlAddslashes in libraries/db_table_exists.lib.php.
    - CVE-2008-5621
  * SECURITY UPDATE: code injection via multiple cross-site scripting
    vulnerabilities in display_export.lib.php
    - debian/patches/061_CVE-2009-1150.dpatch: strip special chars in
      libraries/display_export.lib.php.
    - CVE-2009-1150

 -- Marc Deslauriers <email address hidden> Sun, 05 Jul 2009 11:29:29 -0400

Changed in phpmyadmin (Ubuntu Hardy):
status: Fix Committed → Fix Released
Johnathon (kirrus) wrote :

Yay, thank you :-)

Artur Rona (ari-tczew) wrote :

phpmyadmin (4:2.11.8.1-1ubuntu0.1) intrepid-security; urgency=low

  * SECURITY UPDATE: remote code execution via PHP sequences in sort_by
    parameter
    - debian/patches/041-security-CVE-2008-4096.dpatch: add new
      PMA_usort_comparison_callback in libraries/database_interface.lib.php
    - CVE-2008-4096
  * SECURITY UPDATE: cross-site scripting via NUL byte
    - debian/patches/042-security-CVE-2008-4326.dpatch: remove NUL bytes
      in libraries/js_escape.lib.php.
    - CVE-2008-4326
  * SECURITY UPDATE: cross-site scripting in pmd_pdf.php when
    register_globals is enabled
    - debian/patches/043-security-CVE-2008-4775.dpatch: use
      PMA_generate_common_hidden_inputs in pmd_pdf.php.
    - CVE-2008-4775
  * SECURITY UPDATE: code execution via CSRF vulnerability (LP: #306699)
    - debian/patches/044-security-CVE-2008-5621.dpatch: use PMA_backquote
      instead of PMA_sqlAddslashes in libraries/db_table_exists.lib.php.
    - CVE-2008-5621
  * SECURITY UPDATE: code injection via multiple cross-site scripting
    vulnerabilities in display_export.lib.php
    - debian/patches/045-security-CVE-2009-1150.dpatch: strip special chars
      in libraries/display_export.lib.php.
    - CVE-2009-1150
  * SECURITY UPDATE: code injection from PHP code in a configuration file
    via the save action.
    - debian/patches/046-security-CVE-2009-1151.dpatch: filter $key in
      scripts/setup.php.
    - CVE-2009-1151

 -- Marc Deslauriers <email address hidden> Sun, 05 Jul 2009 10:16:05 -0400

Changed in phpmyadmin (Ubuntu Intrepid):
status: Fix Committed → Fix Released
Artur Rona (ari-tczew) wrote :

phpmyadmin (4:3.1.2-1ubuntu0.1) jaunty-security; urgency=low

  * SECURITY UPDATE: arbitrary file disclosure via directory traversal in
    bs_disp_as_mime_type.php
    - debian/patches/041-security-CVE-2009-1148.dpatch: check parameters
      before using in bs_disp_as_mime_type.php.
    - CVE-2009-1148
  * SECURITY UPDATE: arbitrary HTTP headers injection via CRLF injection in
    bs_disp_as_mime_type.php
    - Fixed in the CVE-2009-1148 patch
    - CVE-2009-1149
  * SECURITY UPDATE: code injection via multiple cross-site scripting
    vulnerabilities in display_export.lib.php
    - debian/patches/042-security-CVE-2009-1150.dpatch: strip special chars
      in libraries/display_export.lib.php.
    - CVE-2009-1150
  * SECURITY UPDATE: code injection via configuration files
    - debian/patches/043-security-CVE-2009-1285.dpatch: clean up key names
      in setup/lib/ConfigFile.class.php.
    - CVE-2009-1285
  * SECURITY UPDATE: code injection via cross-site scripting from crafted
    SQL bookmark
    - debian/patches/044-security-CVE-2009-2284.dpatch: strip special
      characters in libraries/common.lib.php and sql.php.
    - CVE-2009-2284

 -- Marc Deslauriers <email address hidden> Sun, 05 Jul 2009 09:50:12 -0400

Changed in phpmyadmin (Ubuntu Jaunty):
status: Fix Committed → Fix Released
Artur Rona (ari-tczew)
Changed in phpmyadmin (Ubuntu Dapper):
status: Confirmed → New
Jamie Strandboge (jdstrand) wrote :

Marking Confirmed per https://wiki.ubuntu.com/SecurityTeam/SponsorsQueue since this is not a sync.

Changed in phpmyadmin (Ubuntu Dapper):
status: New → Confirmed
Jamie Strandboge (jdstrand) wrote :

Dapper ACK'd

Jamie Strandboge (jdstrand) wrote :

Actually, from my merge comment:
"Actually, the debian/patches/series file is not needed (it was mistakenly added in the last security update). I removed it.

More importantly, because you used a .dpatch extension, the patch didn't apply. I renamed it to use .patch."

I went ahead and took care of this and will upload soon.

Changed in phpmyadmin (Ubuntu Dapper):
status: Confirmed → Fix Committed
Jamie Strandboge (jdstrand) wrote :

phpmyadmin (4:2.8.0.3-1ubuntu0.2) dapper-security; urgency=low

  * SECURITY UPDATE: Insufficient output sanitizing when generating
    configuration file (LP: #387215).
    - debian/patches/051_CVE-2009-1151.patch: Do not output unescaped
      chars to generated configuration file. Patch from upstream SVN revision
      12301.
    - References:
      + CVE-2009-1151
      + PMASA-2009-3
  * removed unused debian/patches/series file
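
As an added example that is not part of this bug report or of phpMyAdmin's own code, the PHP below shows the defensive pattern the Hardy, Intrepid and Dapper changelog entries describe for CVE-2009-1151: validating setting names and escaping values before they are written into a generated configuration file. The function names and the whitelist of setting names are assumptions made for this demonstration.

```php
<?php
// Added example, not phpMyAdmin's code: a hardened writer for a generated PHP
// configuration file. config_line(), generate_config() and the $allowed_keys
// whitelist are assumptions for this demonstration.

/**
 * Build one "$cfg[...] = ...;" line, or throw if the key is unsafe.
 * A key is accepted only if it is a plain identifier AND a known setting;
 * the value is emitted with var_export(), which yields a quoted PHP literal
 * rather than interpolating raw input into the file.
 */
function config_line(string $key, $value, array $allowed_keys): string
{
    // 1. Structural check: identifier characters only, so quotes, brackets,
    //    semicolons and PHP open tags can never reach the output file.
    if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]{0,63}$/', $key)) {
        throw new InvalidArgumentException('Rejected config key: ' . bin2hex($key));
    }
    // 2. Semantic check: the setup script knows which settings exist.
    if (!in_array($key, $allowed_keys, true)) {
        throw new InvalidArgumentException("Unknown config key: $key");
    }
    // 3. Never concatenate the raw value; var_export() quotes and escapes it.
    return '$cfg[' . var_export($key, true) . '] = ' . var_export($value, true) . ";\n";
}

function generate_config(array $settings, array $allowed_keys): string
{
    $out = "<?php\n";
    foreach ($settings as $key => $value) {
        // Cast: PHP turns numeric-string array keys into ints.
        $out .= config_line((string) $key, $value, $allowed_keys);
    }
    return $out;
}

// Constructed sample input (top-level settings only; nested $cfg['Servers']
// entries would need the same checks applied at every array level).
$allowed = ['DefaultLang', 'blowfish_secret', 'PmaAbsoluteUri'];
$good = ['DefaultLang' => 'en-utf-8', 'blowfish_secret' => "it's \"quoted\""];
echo generate_config($good, $allowed);

// A key containing anything but identifier characters is refused before a
// single byte of it is written to the configuration file.
try {
    config_line("DefaultLang'];", 'x', $allowed);
} catch (InvalidArgumentException $e) {
    echo 'blocked: ', $e->getMessage(), "\n";
}
```

The generated lines read `$cfg['DefaultLang'] = 'en-utf-8';` and `$cfg['blowfish_secret'] = 'it\'s "quoted"';`, while the malformed key is reported in hex and never written.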

Changed in phpmyadmin (Ubuntu Dapper):
status: Fix Committed → Fix Released