From d7cffc5dbde68342d46e891ea2c8bd72de134f43 Mon Sep 17 00:00:00 2001 From: Herman van Rink Date: Sat, 2 Jul 2011 23:43:25 +0200 Subject: [PATCH 01/10] Reverted some missing special chars in Changelog --- ChangeLog | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/ChangeLog b/ChangeLog index fe7103128..350b7ab29 100644 --- a/ChangeLog +++ b/ChangeLog @@ -95,7 +95,7 @@ phpMyAdmin - ChangeLog + patch #2974341 [structure] Clicking on table name in db Structure should Browse the table if possible, thanks to bhdouglass - dougboybhd + patch #2975533 [search] New search operators, thanks to - Martynas Mickevičius + Martynas Mickevičius + patch #2967320 [designer] Colored relations based on the primary key, thanks to GreenRover - greenrover - [core] Provide way for vendors to easily change paths to config files. @@ -249,7 +249,7 @@ phpMyAdmin - ChangeLog 3.3.7.0 (2010-09-07) - patch #3050492 [PDF scratchboard] Cannot drag table box to the edge after - a page size increase, thanks to Martin Schönberger - mad05 + a page size increase, thanks to Martin Schönberger - mad05 3.3.6.0 (2010-08-28) - bug #3033063 [core] Navi gets wrong db name @@ -270,7 +270,7 @@ phpMyAdmin - ChangeLog 3.3.5.0 (2010-07-26) - patch #2932113 [information_schema] Slow export when having lots of - databases, thanks to Stéphane Pontier - shadow_walker + databases, thanks to Stéphane Pontier - shadow_walker - bug #3022705 [import] Import button does not work in Catalan when there is no progress bar possible - bug [replication] Do not offer information_schema in the list of databases 
@@ -310,9 +310,9 @@ phpMyAdmin - ChangeLog - patch #2984893 [engines] InnoDB storage page emits a warning, thanks to Madhura Jayaratne - madhuracj - bug #2974687, bug #2974692 [compatibility] PHPExcel : IBM AIX iconv() does not work, - thanks to Björn Wiberg - bwiberg + thanks to Björn Wiberg - bwiberg - bug #2983066 [interface] Flush table on table operations shows the query twice, - thanks to Martynas Mickevičius - BlinK_ + thanks to Martynas Mickevičius - BlinK_ - bug #2983060, patch #2987900 [interface] Fix initial state of tables in designer, thanks to Sutharshan Balachandren. - bug #2983062, patch #2989408 [engines] Fix warnings when changing table @@ -391,7 +391,7 @@ phpMyAdmin - ChangeLog + rfe #2839504 [engines] Support InnoDB plugin's new row formats + [core] Added ability for synchronizing databases among servers. + [lang] #2843101 Dutch update, thanks to scavenger2008 -+ [lang] Galician update, thanks to Xosé Calvo - xosecalvo ++ [lang] Galician update, thanks to Xosé Calvo - xosecalvo + [export] Added MediaWiki export module, thanks to Derek Schaefer - drummingds1 + [lang] Turkish update, thanks to Burak Yavuz From a0823be05aa5835f207c0838b9cca67d2d9a050a Mon Sep 17 00:00:00 2001 From: Marc Delisle Date: Thu, 7 Jul 2011 14:39:09 -0400 Subject: [PATCH 02/10] XSS on table Print view --- tbl_printview.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tbl_printview.php b/tbl_printview.php index 74b6818e4..8e8ce24d4 100644 --- a/tbl_printview.php +++ b/tbl_printview.php @@ -84,7 +84,7 @@ foreach ($the_tables as $key => $table) { } $counter++; echo '' . "\n"; - echo '

' . $table . '

' . "\n"; + echo '

' . htmlspecialchars($table) . '

' . "\n"; /** * Gets table informations From 4bd27166c314faa37cada91533b86377f4d4d214 Mon Sep 17 00:00:00 2001 From: Herman van Rink Date: Thu, 7 Jul 2011 14:43:45 -0400 Subject: [PATCH 03/10] Another case of XSS --- tbl_printview.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tbl_printview.php b/tbl_printview.php index 8e8ce24d4..ce007d163 100644 --- a/tbl_printview.php +++ b/tbl_printview.php @@ -69,7 +69,7 @@ if ($multi_tables) { $tbl_list .= (empty($tbl_list) ? '' : ', ') . PMA_backquote($table); } - echo ''. __('Show tables') . ': ' . $tbl_list . '' . "\n"; + echo ''. __('Show tables') . ': ' . htmlspecialchars($tbl_list) . '' . "\n"; echo '
' . "\n"; } // end if From 951fb4dd79253a3aca8b6e386db77c1affcfc3a9 Mon Sep 17 00:00:00 2001 From: Marc Delisle Date: Thu, 7 Jul 2011 14:46:33 -0400 Subject: [PATCH 04/10] ChangeLog for PMASA-2011-9 --- ChangeLog | 3 +++ 1 file changed, 3 insertions(+) diff --git a/ChangeLog b/ChangeLog index fe7103128..49bb8947f 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,6 +1,9 @@ phpMyAdmin - ChangeLog ====================== +3.4.3.2 (2011-07-XX) +- [security] Fixed XSS vulnerability, see PMASA-2011-9 + 3.4.3.1 (2011-07-02) - [security] Fixed possible session manipulation in swekey authentication, see PMASA-2011-5 - [security] Fixed possible code injection incase session variables are compromised, see PMASA-2011-6 From f63e1bb42a37401b2fdfcd2e66cce92b7ea2025c Mon Sep 17 00:00:00 2001 From: Marc Delisle Date: Thu, 7 Jul 2011 14:50:37 -0400 Subject: [PATCH 05/10] Local file inclusion vulnerability --- ChangeLog | 1 + sql.php | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index 49bb8947f..065f8411b 100644 --- a/ChangeLog +++ b/ChangeLog @@ -3,6 +3,7 @@ phpMyAdmin - ChangeLog 3.4.3.2 (2011-07-XX) - [security] Fixed XSS vulnerability, see PMASA-2011-9 +- [security] Fixed local file inclusion vulnerability, see PMASA-2011-10 3.4.3.1 (2011-07-02) - [security] Fixed possible session manipulation in swekey authentication, see PMASA-2011-5 diff --git a/sql.php b/sql.php index 9b19174a4..eb9254ffd 100644 --- a/sql.php +++ b/sql.php @@ -719,7 +719,7 @@ if (0 == $num_rows || $is_affected) { parse_str($_REQUEST['transform_fields_list'], $edited_values); foreach($mime_map as $transformation) { - $include_file = $transformation['transformation']; + $include_file = PMA_securePath($transformation['transformation']); $column_name = $transformation['column_name']; $column_data = $edited_values[$column_name]; From 3ae58f0cd6b89ad4767920f9b214c38d3f6d4393 Mon Sep 17 00:00:00 2001 
From: Herman van Rink Date: Fri, 8 Jul 2011 21:41:05 +0200 Subject: [PATCH 06/10] [security] Fixed local file inclusion vulnerability and code execution, see PMASA-2011-11 --- ChangeLog | 13 +++++++------ libraries/schema/User_Schema.class.php | 7 +++++-- schema_export.php | 4 +++- 3 files changed, 15 insertions(+), 9 deletions(-) diff --git a/ChangeLog b/ChangeLog index d4d4f1bf4..232d49945 100644 --- a/ChangeLog +++ b/ChangeLog @@ -4,6 +4,7 @@ phpMyAdmin - ChangeLog 3.4.3.2 (2011-07-XX) - [security] Fixed XSS vulnerability, see PMASA-2011-9 - [security] Fixed local file inclusion vulnerability, see PMASA-2011-10 +- [security] Fixed local file inclusion vulnerability and code execution, see PMASA-2011-11 3.4.3.1 (2011-07-02) - [security] Fixed possible session manipulation in swekey authentication, see PMASA-2011-5 @@ -99,7 +100,7 @@ phpMyAdmin - ChangeLog + patch #2974341 [structure] Clicking on table name in db Structure should Browse the table if possible, thanks to bhdouglass - dougboybhd + patch #2975533 [search] New search operators, thanks to - Martynas Mickevičius + Martynas Mickevičius + patch #2967320 [designer] Colored relations based on the primary key, thanks to GreenRover - greenrover - [core] Provide way for vendors to easily change paths to config files. @@ -253,7 +254,7 @@ phpMyAdmin - ChangeLog 3.3.7.0 (2010-09-07) - patch #3050492 [PDF scratchboard] Cannot drag table box to the edge after - a page size increase, thanks to Martin Schönberger - mad05 + a page size increase, thanks to Martin Schönberger - mad05 3.3.6.0 (2010-08-28) - bug #3033063 [core] Navi gets wrong db name 
@@ -274,7 +275,7 @@ phpMyAdmin - ChangeLog 3.3.5.0 (2010-07-26) - patch #2932113 [information_schema] Slow export when having lots of - databases, thanks to Stéphane Pontier - shadow_walker + databases, thanks to Stéphane Pontier - shadow_walker - bug #3022705 [import] Import button does not work in Catalan when there is no progress bar possible - bug [replication] Do not offer information_schema in the list of databases @@ -314,9 +315,9 @@ phpMyAdmin - ChangeLog - patch #2984893 [engines] InnoDB storage page emits a warning, thanks to Madhura Jayaratne - madhuracj - bug #2974687, bug #2974692 [compatibility] PHPExcel : IBM AIX iconv() does not work, - thanks to Björn Wiberg - bwiberg + thanks to Björn Wiberg - bwiberg - bug #2983066 [interface] Flush table on table operations shows the query twice, - thanks to Martynas Mickevičius - BlinK_ + thanks to Martynas Mickevičius - BlinK_ - bug #2983060, patch #2987900 [interface] Fix initial state of tables in designer, thanks to Sutharshan Balachandren. - bug #2983062, patch #2989408 [engines] Fix warnings when changing table @@ -395,7 +396,7 @@ phpMyAdmin - ChangeLog + rfe #2839504 [engines] Support InnoDB plugin's new row formats + [core] Added ability for synchronizing databases among servers. + [lang] #2843101 Dutch update, thanks to scavenger2008 -+ [lang] Galician update, thanks to Xosé Calvo - xosecalvo ++ [lang] Galician update, thanks to Xosé Calvo - xosecalvo + [export] Added MediaWiki export module, thanks to Derek Schaefer - drummingds1 + [lang] Turkish update, thanks to Burak Yavuz diff --git a/libraries/schema/User_Schema.class.php b/libraries/schema/User_Schema.class.php index fbec138de..cb42dde2c 100644 --- a/libraries/schema/User_Schema.class.php +++ b/libraries/schema/User_Schema.class.php 
@@ -567,10 +567,13 @@ class PMA_User_Schema require_once './libraries/transformations.lib.php'; require_once './libraries/Index.class.php'; /** - * default is PDF + * default is PDF, otherwise validate it's only letters a-z */ global $db,$export_type; - $export_type = isset($export_type) ? $export_type : 'pdf'; + if (!isset($export_type) || !preg_match('/^[a-zA-Z]+$/', $export_type)) { + $export_type = 'pdf'; + } + PMA_DBI_select_db($db); include("./libraries/schema/".ucfirst($export_type)."_Relation_Schema.class.php"); diff --git a/schema_export.php b/schema_export.php index 0a21d3296..3e1067d55 100644 --- a/schema_export.php +++ b/schema_export.php @@ -37,7 +37,9 @@ include_once("./libraries/schema/Export_Relation_Schema.class.php"); * default is PDF */ global $db,$export_type; -$export_type = isset($export_type) ? $export_type : 'pdf'; +if (!isset($export_type) || !preg_match('/^[a-zA-Z]+$/', $export_type)) { + $export_type = 'pdf'; +} PMA_DBI_select_db($db); $path = PMA_securePath(ucfirst($export_type)); From e7bb42c002885c2aca7aba4d431b8c63ae4de9b7 Mon Sep 17 00:00:00 2001 From: Herman van Rink Date: Sat, 9 Jul 2011 23:10:23 +0200 Subject: [PATCH 07/10] [security] Fixed possible session manipulation in swekey authentication, see PMASA-2011-12 --- ChangeLog | 1 + libraries/auth/swekey/swekey.auth.lib.php | 6 ++++-- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 232d49945..c076772bb 100644 --- a/ChangeLog +++ b/ChangeLog @@ -5,6 +5,7 @@ phpMyAdmin - ChangeLog - [security] Fixed XSS vulnerability, see PMASA-2011-9 - [security] Fixed local file inclusion vulnerability, see PMASA-2011-10 - [security] Fixed local file inclusion vulnerability and code execution, see PMASA-2011-11 +- [security] Fixed possible session manipulation in swekey authentication, see PMASA-2011-12 3.4.3.1 (2011-07-02) - [security] Fixed possible session manipulation in swekey authentication, see PMASA-2011-5 
diff --git a/libraries/auth/swekey/swekey.auth.lib.php b/libraries/auth/swekey/swekey.auth.lib.php index c5f613bbd..01f2dcc4c 100644 --- a/libraries/auth/swekey/swekey.auth.lib.php +++ b/libraries/auth/swekey/swekey.auth.lib.php @@ -143,7 +143,9 @@ function Swekey_auth_error() return "Internal Error: CA File $caFile not found"; $result = null; - parse_str($_SERVER['QUERY_STRING']); + $swekey_id = $_GET['swekey_id']; + $swekey_otp = $_GET['swekey_otp']; + if (isset($swekey_id)) { unset($_SESSION['SWEKEY']['AUTHENTICATED_SWEKEY']); if (! isset($_SESSION['SWEKEY']['RND_TOKEN'])) { @@ -166,7 +168,7 @@ function Swekey_auth_error() $result = __('No valid authentication key plugged'); if ($_SESSION['SWEKEY']['CONF_DEBUG']) { - $result .= "
".$swekey_id; + $result .= "
" . htmlspecialchars($swekey_id); } unset($_SESSION['SWEKEY']['CONF_LOADED']); // reload the conf file } From 571cdc6ff4bf375871b594f4e06f8ad3159d1754 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Michal=20=C4=8Ciha=C5=99?= Date: Mon, 11 Jul 2011 14:15:19 +0200 Subject: [PATCH 08/10] Pass token along with swekey auth requests --- libraries/auth/swekey/swekey.auth.lib.php | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libraries/auth/swekey/swekey.auth.lib.php b/libraries/auth/swekey/swekey.auth.lib.php index 01f2dcc4c..8ec5ab4f1 100644 --- a/libraries/auth/swekey/swekey.auth.lib.php +++ b/libraries/auth/swekey/swekey.auth.lib.php @@ -188,16 +188,16 @@ function Swekey_auth_error() Date: Mon, 11 Jul 2011 21:24:06 -0400 Subject: [PATCH 09/10] Fix broken characters --- ChangeLog | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/ChangeLog b/ChangeLog index c076772bb..dc2956f20 100644 --- a/ChangeLog +++ b/ChangeLog @@ -101,7 +101,7 @@ phpMyAdmin - ChangeLog + patch #2974341 [structure] Clicking on table name in db Structure should Browse the table if possible, thanks to bhdouglass - dougboybhd + patch #2975533 [search] New search operators, thanks to - Martynas Mickevičius + Martynas Mickevičius + patch #2967320 [designer] Colored relations based on the primary key, thanks to GreenRover - greenrover - [core] Provide way for vendors to easily change paths to config files. @@ -255,7 +255,7 @@ phpMyAdmin - ChangeLog 3.3.7.0 (2010-09-07) - patch #3050492 [PDF scratchboard] Cannot drag table box to the edge after - a page size increase, thanks to Martin Schönberger - mad05 + a page size increase, thanks to Martin Schönberger - mad05 3.3.6.0 (2010-08-28) - bug #3033063 [core] Navi gets wrong db name 
@@ -276,7 +276,7 @@ phpMyAdmin - ChangeLog 3.3.5.0 (2010-07-26) - patch #2932113 [information_schema] Slow export when having lots of - databases, thanks to Stéphane Pontier - shadow_walker + databases, thanks to Stéphane Pontier - shadow_walker - bug #3022705 [import] Import button does not work in Catalan when there is no progress bar possible - bug [replication] Do not offer information_schema in the list of databases @@ -316,9 +316,9 @@ phpMyAdmin - ChangeLog - patch #2984893 [engines] InnoDB storage page emits a warning, thanks to Madhura Jayaratne - madhuracj - bug #2974687, bug #2974692 [compatibility] PHPExcel : IBM AIX iconv() does not work, - thanks to Björn Wiberg - bwiberg + thanks to Björn Wiberg - bwiberg - bug #2983066 [interface] Flush table on table operations shows the query twice, - thanks to Martynas Mickevičius - BlinK_ + thanks to Martynas Mickevičius - BlinK_ - bug #2983060, patch #2987900 [interface] Fix initial state of tables in designer, thanks to Sutharshan Balachandren. - bug #2983062, patch #2989408 [engines] Fix warnings when changing table @@ -397,7 +397,7 @@ phpMyAdmin - ChangeLog + rfe #2839504 [engines] Support InnoDB plugin's new row formats + [core] Added ability for synchronizing databases among servers. + [lang] #2843101 Dutch update, thanks to scavenger2008 -+ [lang] Galician update, thanks to Xosé Calvo - xosecalvo ++ [lang] Galician update, thanks to Xosé Calvo - xosecalvo + [export] Added MediaWiki export module, thanks to Derek Schaefer - drummingds1 + [lang] Turkish update, thanks to Burak Yavuz From bd63726ee3daf32799f499b61d7cde973d8e8660 Mon Sep 17 00:00:00 2001 From: Marc Delisle Date: Sat, 23 Jul 2011 08:12:06 -0400 Subject: [PATCH 10/10] 3.4.3.2 release date --- ChangeLog | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index dc2956f20..05d5fe505 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -1,7 +1,7 @@ phpMyAdmin - ChangeLog ====================== -3.4.3.2 (2011-07-XX) +3.4.3.2 (2011-07-23) - [security] Fixed XSS vulnerability, see PMASA-2011-9 - [security] Fixed local file inclusion vulnerability, see PMASA-2011-10 - [security] Fixed local file inclusion vulnerability and code execution, see PMASA-2011-11
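Review bot: in PATCH 01/10 (ChangeLog, hunks @@ -95, @@ -249, @@ -270, @@ -310 and @@ -391) every removed line and its replacement render identically here, so the change is in the bytes of the non-ASCII names (Mickevičius, Schönberger, Pontier, Björn, Xosé) and cannot be verified from this view; the same six lines are then touched again in PATCH 06/10 and once more in PATCH 09/10 ("Fix broken characters"). That is three round trips on identical content, which points to the file being saved under different encodings by different contributors; settle on UTF-8 for ChangeLog once (editor setting or a pre-commit check) instead of re-committing the characters.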
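Review bot: in PATCH 02/10 (tbl_printview.php, hunk @@ -84,7 +84,7 @@) `htmlspecialchars($table)` is called with no flags and no charset; in the PHP releases current at the time the default flags escape double quotes but not single quotes and the default charset is ISO-8859-1, and because the surrounding markup is not visible in this hunk it is not clear whether `$table` is printed as element text or inside an attribute. Use `htmlspecialchars($table, ENT_QUOTES, 'utf-8')` (or the project's own escaping wrapper if one exists) so the call is safe in either context, and grep the file for other raw echoes of table names: PATCH 03/10 finds one more in the same file a few lines up.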
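Review bot: in PATCH 03/10 (tbl_printview.php, hunk @@ -69,7 +69,7 @@) the fix escapes `$tbl_list` at the final `echo`, which is the right place, but the visible loop shows the list is assembled from `PMA_backquote($table)`, and wrapping a name in backticks is SQL quoting, not HTML escaping; that is exactly why the removed line was injectable. The same flags remark as for PATCH 02/10 applies (`ENT_QUOTES` plus an explicit charset), and any other sink that prints `$tbl_list` or `$table` in this file needs the same treatment.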
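Review bot: in PATCH 05/10 (sql.php, hunk @@ -719,7 +719,7 @@) `PMA_securePath()` strips traversal sequences from `$transformation['transformation']` but still allows any file name that survives the filter to be included, and the `include` that consumes `$include_file` is outside the hunk, so the fix rests on the sanitiser being complete. Since the set of valid transformation files is finite, a positive allowlist (a lookup against the transformation files the project actually ships, failing closed on a miss) would be stronger than path cleaning; also, `$mime_map` is filled outside this hunk, so note in the commit where that data comes from and who can write it, because that is the trust boundary the include crosses.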
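Review bot: in PATCH 06/10 (libraries/schema/User_Schema.class.php, hunk @@ -567,10 +567,13 @@) the pattern `/^[a-zA-Z]+$/` lets `$` match before a trailing newline, so a value such as `"pdf\n"` passes and `ucfirst()` then feeds an include path ending in a newline; use `\z` or the `D` modifier (`/^[a-zA-Z]+$/D`). More importantly, a letters-only check admits any name for which a `<Name>_Relation_Schema.class.php` file exists, including `Export`, which the schema_export.php hunk context shows is the base class (`Export_Relation_Schema.class.php`) rather than an export format; an explicit allowlist of the schema formats the project supports, with a `file_exists` check that falls back to `'pdf'` rather than an `include` that only warns, would be tighter than a character class.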
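Review bot: in PATCH 06/10 (schema_export.php, hunk @@ -37,7 +37,9 @@) the validation block is a verbatim copy of the one added to User_Schema.class.php in the same patch; two copies of a security check drift apart, so move it into one helper (the existing `PMA_securePath()` call on the following line, `$path = PMA_securePath(ucfirst($export_type));`, is now redundant but harmless as defence in depth). Separately, this patch's ChangeLog diff adds the PMASA-2011-11 entry in hunk @@ -4,6 +4,7 @@ but also carries the unrelated special-character hunks @@ -99, @@ -253, @@ -274, @@ -314 and @@ -395; encoding churn should not ride in a security fix, as it makes the advisory commit harder to backport and to audit.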
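Review bot: in PATCH 07/10 (libraries/auth/swekey/swekey.auth.lib.php, hunk @@ -143,7 +143,9 @@) removing `parse_str($_SERVER['QUERY_STRING'])` is the right call, since that line imported every query-string parameter into the function scope and let a request overwrite locals such as `$result` (assigned `null` just above it) or `$caFile`; but the replacement reads `$_GET['swekey_id']` and `$_GET['swekey_otp']` unconditionally, so any request lacking them raises undefined-index notices before the `isset($swekey_id)` test runs. Use `isset($_GET['swekey_id']) ? $_GET['swekey_id'] : null` (and the same for the OTP), and since both values are now explicitly request-supplied, validate their expected format before they reach `$_SESSION['SWEKEY']` or the debug output escaped in hunk @@ -166,7 +168,7 @@.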
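Review bot: in PATCH 08/10 ("Pass token along with swekey auth requests") the hunk body for `@@ -188,16 +188,16 @@ function Swekey_auth_error()` is absent from this rendering, which runs straight into the `Date:` header of PATCH 09/10 (whose `From:` line is also missing); nothing in the three changed lines the stat reports for swekey.auth.lib.php can be checked against the subject here, so this change needs to be reviewed from the repository rather than from this export.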