phpmyadmin 3.4.3 to 3.4.3.2 security patch
diff -uNr phpMyAdmin-3.4.3-all-languages/ChangeLog phpMyAdmin-3.4.3.2-all-languages/ChangeLog | |
--- phpMyAdmin-3.4.3-all-languages/ChangeLog 2011-06-27 10:25:09.000000000 -0400 | |
+++ phpMyAdmin-3.4.3.2-all-languages/ChangeLog 2011-07-23 08:42:50.000000000 -0400 | |
@@ -1,6 +1,18 @@ | |
phpMyAdmin - ChangeLog | |
====================== | |
+3.4.3.2 (2011-07-23) | |
+- [security] Fixed XSS vulnerability, see PMASA-2011-9 | |
+- [security] Fixed local file inclusion vulnerability, see PMASA-2011-10 | |
+- [security] Fixed local file inclusion vulnerability and code execution, see PMASA-2011-11 | |
+- [security] Fixed possible session manipulation in swekey authentication, see PMASA-2011-12 | |
+ | |
+3.4.3.1 (2011-07-02) | |
+- [security] Fixed possible session manipulation in swekey authentication, see PMASA-2011-5 | |
+- [security] Fixed possible code injection incase session variables are compromised, see PMASA-2011-6 | |
+- [security] Fixed regexp quoting issue in Synchronize code, see PMASA-2011-7 | |
+- [security] Fixed filtering of a file path, which allowed for directory traversal, see PMASA-2011-8 | |
+ | |
3.4.3.0 (2011-06-27) | |
- bug #3311170 [sync] Missing helper icons in Synchronize | |
- patch #3304473 [setup] Redefine a lable that was wrong | |
diff -uNr phpMyAdmin-3.4.3-all-languages/config.sample.inc.php phpMyAdmin-3.4.3.2-all-languages/config.sample.inc.php | |
--- phpMyAdmin-3.4.3-all-languages/config.sample.inc.php 1969-12-31 19:00:00.000000000 -0500 | |
+++ phpMyAdmin-3.4.3.2-all-languages/config.sample.inc.php 2011-07-23 08:42:50.000000000 -0400 | |
@@ -0,0 +1,143 @@ | |
+<?php | |
+/* vim: set expandtab sw=4 ts=4 sts=4: */ | |
+/** | |
+ * phpMyAdmin sample configuration, you can use it as base for | |
+ * manual configuration. For easier setup you can use setup/ | |
+ * | |
+ * All directives are explained in Documentation.html and on phpMyAdmin | |
+ * wiki <http://wiki.phpmyadmin.net>. | |
+ * | |
+ * @package phpMyAdmin | |
+ */ | |
+ | |
+/* | |
+ * This is needed for cookie based authentication to encrypt password in | |
+ * cookie | |
+ */ | |
+$cfg['blowfish_secret'] = ''; /* YOU MUST FILL IN THIS FOR COOKIE AUTH! */ | |
+ | |
+/* | |
+ * Servers configuration | |
+ */ | |
+$i = 0; | |
+ | |
+/* | |
+ * First server | |
+ */ | |
+$i++; | |
+/* Authentication type */ | |
+$cfg['Servers'][$i]['auth_type'] = 'cookie'; | |
+/* Server parameters */ | |
+$cfg['Servers'][$i]['host'] = 'localhost'; | |
+$cfg['Servers'][$i]['connect_type'] = 'tcp'; | |
+$cfg['Servers'][$i]['compress'] = false; | |
+/* Select mysqli if your server has it */ | |
+$cfg['Servers'][$i]['extension'] = 'mysql'; | |
+$cfg['Servers'][$i]['AllowNoPassword'] = false; | |
+ | |
+/* | |
+ * phpMyAdmin configuration storage settings. | |
+ */ | |
+ | |
+/* User used to manipulate with storage */ | |
+// $cfg['Servers'][$i]['controluser'] = 'pma'; | |
+// $cfg['Servers'][$i]['controlpass'] = 'pmapass'; | |
+ | |
+/* Storage database and tables */ | |
+// $cfg['Servers'][$i]['pmadb'] = 'phpmyadmin'; | |
+// $cfg['Servers'][$i]['bookmarktable'] = 'pma_bookmark'; | |
+// $cfg['Servers'][$i]['relation'] = 'pma_relation'; | |
+// $cfg['Servers'][$i]['table_info'] = 'pma_table_info'; | |
+// $cfg['Servers'][$i]['table_coords'] = 'pma_table_coords'; | |
+// $cfg['Servers'][$i]['pdf_pages'] = 'pma_pdf_pages'; | |
+// $cfg['Servers'][$i]['column_info'] = 'pma_column_info'; | |
+// $cfg['Servers'][$i]['history'] = 'pma_history'; | |
+// $cfg['Servers'][$i]['tracking'] = 'pma_tracking'; | |
+// $cfg['Servers'][$i]['designer_coords'] = 'pma_designer_coords'; | |
+// $cfg['Servers'][$i]['userconfig'] = 'pma_userconfig'; | |
+/* Contrib / Swekey authentication */ | |
+// $cfg['Servers'][$i]['auth_swekey_config'] = '/etc/swekey-pma.conf'; | |
+ | |
+/* | |
+ * End of servers configuration | |
+ */ | |
+ | |
+/* | |
+ * Directories for saving/loading files from server | |
+ */ | |
+$cfg['UploadDir'] = ''; | |
+$cfg['SaveDir'] = ''; | |
+ | |
+/** | |
+ * Defines whether a user should be displayed a "show all (records)" | |
+ * button in browse mode or not. | |
+ * default = false | |
+ */ | |
+//$cfg['ShowAll'] = true; | |
+ | |
+/** | |
+ * Number of rows displayed when browsing a result set. If the result | |
+ * set contains more rows, "Previous" and "Next". | |
+ * default = 30 | |
+ */ | |
+//$cfg['MaxRows'] = 50; | |
+ | |
+/** | |
+ * Use graphically less intense menu tabs | |
+ * default = false | |
+ */ | |
+//$cfg['LightTabs'] = true; | |
+ | |
+/** | |
+ * disallow editing of binary fields | |
+ * valid values are: | |
+ * false allow editing | |
+ * 'blob' allow editing except for BLOB fields | |
+ * 'all' disallow editing | |
+ * default = blob | |
+ */ | |
+//$cfg['ProtectBinary'] = 'false'; | |
+ | |
+/** | |
+ * Default language to use, if not browser-defined or user-defined | |
+ * (you find all languages in the locale folder) | |
+ * uncomment the desired line: | |
+ * default = 'en' | |
+ */ | |
+//$cfg['DefaultLang'] = 'en'; | |
+//$cfg['DefaultLang'] = 'de'; | |
+ | |
+/** | |
+ * default display direction (horizontal|vertical|horizontalflipped) | |
+ */ | |
+//$cfg['DefaultDisplay'] = 'vertical'; | |
+ | |
+ | |
+/** | |
+ * How many columns should be used for table display of a database? | |
+ * (a value larger than 1 results in some information being hidden) | |
+ * default = 1 | |
+ */ | |
+//$cfg['PropertiesNumColumns'] = 2; | |
+ | |
+/** | |
+ * Set to true if you want DB-based query history.If false, this utilizes | |
+ * JS-routines to display query history (lost by window close) | |
+ * | |
+ * This requires configuration storage enabled, see above. | |
+ * default = false | |
+ */ | |
+//$cfg['QueryHistoryDB'] = true; | |
+ | |
+/** | |
+ * When using DB-based query history, how many entries should be kept? | |
+ * | |
+ * default = 25 | |
+ */ | |
+//$cfg['QueryHistoryMax'] = 100; | |
+ | |
+/* | |
+ * You can find more configuration options in Documentation.html | |
+ * or here: http://wiki.phpmyadmin.net/pma/Config | |
+ */ | |
+?> | |
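Review bot: The sample ends with a closing `?>` tag on its last line although the file only assigns `$cfg`; any whitespace or newline an administrator leaves after that tag is sent as output before headers, which is exactly what breaks the cookie-based login the sample itself selects with `$cfg['Servers'][$i]['auth_type'] = 'cookie'`. Removing the closing tag eliminates that failure mode, so the last three comment lines should simply end the file. The existing `/* YOU MUST FILL IN THIS FOR COOKIE AUTH! */` next to `$cfg['blowfish_secret'] = ''` would be more useful if it also said what to fill in, e.g. `/* a long random string; it is only used to encrypt the password stored in the cookie */`.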
diff -uNr phpMyAdmin-3.4.3-all-languages/Documentation.html phpMyAdmin-3.4.3.2-all-languages/Documentation.html | |
--- phpMyAdmin-3.4.3-all-languages/Documentation.html 2011-06-27 10:25:09.000000000 -0400 | |
+++ phpMyAdmin-3.4.3.2-all-languages/Documentation.html 2011-07-23 08:42:50.000000000 -0400 | |
@@ -9,7 +9,7 @@ | |
<link rel="icon" href="./favicon.ico" type="image/x-icon" /> | |
<link rel="shortcut icon" href="./favicon.ico" type="image/x-icon" /> | |
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> | |
- <title>phpMyAdmin 3.4.3 - Documentation</title> | |
+ <title>phpMyAdmin 3.4.3.2 - Documentation</title> | |
<link rel="stylesheet" type="text/css" href="docs.css" /> | |
</head> | |
@@ -17,7 +17,7 @@ | |
<div id="header"> | |
<h1> | |
<a href="http://www.phpmyadmin.net/">php<span class="myadmin">MyAdmin</span></a> | |
- 3.4.3 | |
+ 3.4.3.2 | |
Documentation | |
</h1> | |
</div> | |
diff -uNr phpMyAdmin-3.4.3-all-languages/Documentation.txt phpMyAdmin-3.4.3.2-all-languages/Documentation.txt | |
--- phpMyAdmin-3.4.3-all-languages/Documentation.txt 2011-06-27 10:25:09.000000000 -0400 | |
+++ phpMyAdmin-3.4.3.2-all-languages/Documentation.txt 2011-07-23 08:42:50.000000000 -0400 | |
@@ -1,4 +1,4 @@ | |
-phpMyAdmin 3.4.3 Documentation | |
+phpMyAdmin 3.4.3.2 Documentation | |
* Top | |
* Requirements | |
diff -uNr phpMyAdmin-3.4.3-all-languages/libraries/auth/swekey/swekey.auth.lib.php phpMyAdmin-3.4.3.2-all-languages/libraries/auth/swekey/swekey.auth.lib.php | |
--- phpMyAdmin-3.4.3-all-languages/libraries/auth/swekey/swekey.auth.lib.php 2011-06-27 10:25:09.000000000 -0400 | |
+++ phpMyAdmin-3.4.3.2-all-languages/libraries/auth/swekey/swekey.auth.lib.php 2011-07-23 08:42:50.000000000 -0400 | |
@@ -143,7 +143,9 @@ | |
return "Internal Error: CA File $caFile not found"; | |
$result = null; | |
- parse_str($_SERVER['QUERY_STRING']); | |
+ $swekey_id = $_GET['swekey_id']; | |
+ $swekey_otp = $_GET['swekey_otp']; | |
+ | |
if (isset($swekey_id)) { | |
unset($_SESSION['SWEKEY']['AUTHENTICATED_SWEKEY']); | |
if (! isset($_SESSION['SWEKEY']['RND_TOKEN'])) { | |
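Review bot: `$_GET['swekey_id']` and `$_GET['swekey_otp']` are read unconditionally on the two added lines, so every request that carries neither parameter raises undefined-index notices, and the `isset($swekey_id)` test that follows only works because a missing index happens to yield null. Read them defensively: `$swekey_id = isset($_GET['swekey_id']) ? $_GET['swekey_id'] : null;` and `$swekey_otp = isset($_GET['swekey_otp']) ? $_GET['swekey_otp'] : null;`. Dropping `parse_str()` on the raw query string is the right move, since that call could overwrite any local in this function (including `$caFile` used two lines above); a one-line comment such as `// read only the two expected parameters; never parse_str() the query string into locals` would keep a later tidy-up from reintroducing it. The enclosing function starts and ends outside this hunk.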
@@ -166,7 +168,7 @@ | |
$result = __('No valid authentication key plugged'); | |
if ($_SESSION['SWEKEY']['CONF_DEBUG']) | |
{ | |
- $result .= "<br>".$swekey_id; | |
+ $result .= "<br>" . htmlspecialchars($swekey_id); | |
} | |
unset($_SESSION['SWEKEY']['CONF_LOADED']); // reload the conf file | |
} | |
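Review bot: `htmlspecialchars($swekey_id)` on the changed line relies on the defaults, which leave single quotes unescaped (ENT_COMPAT) and, on PHP before 5.4, assume ISO-8859-1 rather than UTF-8. Inside `<br>` text content that is harmless today, but spelling the context out, `htmlspecialchars($swekey_id, ENT_QUOTES, 'UTF-8')`, keeps the escaping correct if the string is later moved into an attribute and makes invalid multibyte input fail closed instead of passing through. The same default-argument calls are added in the two tbl_printview.php hunks (`htmlspecialchars($tbl_list)` and `htmlspecialchars($table)`) and should use the same explicit flags. The block this line belongs to starts before the hunk.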
@@ -186,16 +188,16 @@ | |
<script> | |
if (key.length != 32) | |
{ | |
- window.location.search="?swekey_id=" + key; | |
+ window.location.search="?swekey_id=" + key + "&token=<?php echo $_SESSION[' PMA_token ']; ?>"; | |
} | |
else | |
{ | |
var url = "" + window.location; | |
if (url.indexOf("?") > 0) | |
url = url.substr(0, url.indexOf("?")); | |
- Swekey_SetUnplugUrl(key, "pma_login", url + "?session_to_unset=<?php echo session_id();?>"); | |
+ Swekey_SetUnplugUrl(key, "pma_login", url + "?session_to_unset=<?php echo session_id();?>&token=<?php echo $_SESSION[' PMA_token ']; ?>"); | |
var otp = Swekey_GetOtp(key, <?php echo '"'.$_SESSION['SWEKEY']['RND_TOKEN'].'"';?>); | |
- window.location.search="?swekey_id=" + key + "&swekey_otp=" + otp; | |
+ window.location.search="?swekey_id=" + key + "&swekey_otp=" + otp + "&token=<?php echo $_SESSION[' PMA_token ']; ?>"; | |
} | |
</script> | |
<?php | |
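Review bot: `$_SESSION[' PMA_token ']` is echoed three times into JavaScript string literals that end up as a query-string value, with no encoding at all; the token is presumably generated server-side and URL-safe, but nothing on these lines guarantees it, and a `"`, `&` or `<` in it would break the literal, the query or the `<script>` element. Emit it through `rawurlencode()`, e.g. `"&token=<?php echo rawurlencode($_SESSION[' PMA_token ']); ?>"`, which is the correct encoding for a query value and also cannot produce characters that terminate a JS string. The pre-existing `session_id()` echo in the unplug URL on the same line would benefit from the same treatment. The PHP code that emits this script begins before the hunk.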
@@ -263,11 +265,10 @@ | |
} | |
} | |
-if (strstr($_SERVER['QUERY_STRING'],'session_to_unset') != false) | |
+if (!empty($_GET['session_to_unset'])) | |
{ | |
- parse_str($_SERVER['QUERY_STRING']); | |
session_write_close(); | |
- session_id($session_to_unset); | |
+ session_id($_GET['session_to_unset']); | |
session_start(); | |
$_SESSION = array(); | |
session_write_close(); | |
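Review bot: `session_id($_GET['session_to_unset'])` still adopts whatever string the client sends before the session is wiped; the new condition only checks that it is non-empty. Restrict it to the characters a PHP session id can actually contain before switching sessions, e.g. `if (!empty($_GET['session_to_unset']) && preg_match('/^[A-Za-z0-9,-]+$/D', $_GET['session_to_unset']))`, so malformed ids are rejected up front rather than handed to `session_start()`. Whether the `token` parameter that the JavaScript hunk now appends to this unplug URL is verified before this block runs is not visible here; if it is not, that check belongs at the top of this `if`. The `if` block continues past the end of the hunk (its closing brace is not shown).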
diff -uNr phpMyAdmin-3.4.3-all-languages/libraries/Config.class.php phpMyAdmin-3.4.3.2-all-languages/libraries/Config.class.php | |
--- phpMyAdmin-3.4.3-all-languages/libraries/Config.class.php 2011-06-27 10:25:09.000000000 -0400 | |
+++ phpMyAdmin-3.4.3.2-all-languages/libraries/Config.class.php 2011-07-23 08:42:50.000000000 -0400 | |
@@ -96,7 +96,7 @@ | |
*/ | |
function checkSystem() | |
{ | |
- $this->set('PMA_VERSION', '3.4.3'); | |
+ $this->set('PMA_VERSION', '3.4.3.2'); | |
/** | |
* @deprecated | |
*/ | |
diff -uNr phpMyAdmin-3.4.3-all-languages/libraries/display_tbl.lib.php phpMyAdmin-3.4.3.2-all-languages/libraries/display_tbl.lib.php | |
--- phpMyAdmin-3.4.3-all-languages/libraries/display_tbl.lib.php 2011-06-27 10:25:09.000000000 -0400 | |
+++ phpMyAdmin-3.4.3.2-all-languages/libraries/display_tbl.lib.php 2011-07-23 08:42:50.000000000 -0400 | |
@@ -1308,7 +1308,7 @@ | |
if ($GLOBALS['cfgRelation']['mimework'] && $GLOBALS['cfg']['BrowseMIME']) { | |
if (isset($GLOBALS['mime_map'][$meta->name]['mimetype']) && isset($GLOBALS['mime_map'][$meta->name]['transformation']) && !empty($GLOBALS['mime_map'][$meta->name]['transformation'])) { | |
- $include_file = $GLOBALS['mime_map'][$meta->name]['transformation']; | |
+ $include_file = PMA_securePath($GLOBALS['mime_map'][$meta->name]['transformation']); | |
if (file_exists('./libraries/transformations/' . $include_file)) { | |
$transformfunction_name = str_replace('.inc.php', '', $GLOBALS['mime_map'][$meta->name]['transformation']); | |
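Review bot: The sanitised `$include_file` is only used for the `file_exists()` check; on the next line `$transformfunction_name` is still derived from the raw `$GLOBALS['mime_map'][$meta->name]['transformation']`, so the cleaned and uncleaned forms can diverge. Derive both from the same value: `$transformfunction_name = str_replace('.inc.php', '', $include_file);`. What `PMA_securePath()` strips and how the function name is used afterwards are outside this hunk, so the practical impact of the mismatch cannot be judged here, but one source of truth removes the need to reason about it. The enclosing `if` continues beyond the hunk.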
diff -uNr phpMyAdmin-3.4.3-all-languages/libraries/schema/User_Schema.class.php phpMyAdmin-3.4.3.2-all-languages/libraries/schema/User_Schema.class.php | |
--- phpMyAdmin-3.4.3-all-languages/libraries/schema/User_Schema.class.php 2011-06-27 10:25:09.000000000 -0400 | |
+++ phpMyAdmin-3.4.3.2-all-languages/libraries/schema/User_Schema.class.php 2011-07-23 08:42:50.000000000 -0400 | |
@@ -567,10 +567,13 @@ | |
require_once './libraries/transformations.lib.php'; | |
require_once './libraries/Index.class.php'; | |
/** | |
- * default is PDF | |
+ * default is PDF, otherwise validate it's only letters a-z | |
*/ | |
global $db,$export_type; | |
- $export_type = isset($export_type) ? $export_type : 'pdf'; | |
+ if (!isset($export_type) || !preg_match('/^[a-zA-Z]+$/', $export_type)) { | |
+ $export_type = 'pdf'; | |
+ } | |
+ | |
PMA_DBI_select_db($db); | |
include("./libraries/schema/".ucfirst($export_type)."_Relation_Schema.class.php"); | |
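Review bot: The added pattern `/^[a-zA-Z]+$/` accepts a value with a trailing newline, because `$` in PCRE also matches immediately before a final `\n`; that newline then ends up inside the `include()` path built from `ucfirst($export_type)`. Use `'/^[a-zA-Z]+$/D'` (or `\z` in place of `$`) so the entire string must be letters; the identical pattern in the schema_export.php hunk should change with it. Since the set of `*_Relation_Schema.class.php` files under libraries/schema/ is fixed, a whitelist of those names would be stricter than a character class, but the `D` modifier is the minimal fix. The updated comment says "only letters a-z" while the class also accepts uppercase; `only ASCII letters` would match the code. The method this belongs to starts before the hunk and continues after it.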
diff -uNr phpMyAdmin-3.4.3-all-languages/libraries/server_synchronize.lib.php phpMyAdmin-3.4.3.2-all-languages/libraries/server_synchronize.lib.php | |
--- phpMyAdmin-3.4.3-all-languages/libraries/server_synchronize.lib.php 2011-06-27 10:25:09.000000000 -0400 | |
+++ phpMyAdmin-3.4.3.2-all-languages/libraries/server_synchronize.lib.php 2011-07-23 08:42:50.000000000 -0400 | |
@@ -624,7 +624,7 @@ | |
$Create_Query = PMA_DBI_fetch_value("SHOW CREATE TABLE " . PMA_backquote($src_db) . '.' . PMA_backquote($uncommon_tables[$table_index]), 0, 1, $src_link); | |
// Replace the src table name with a `dbname`.`tablename` | |
- $Create_Table_Query = preg_replace('/' . PMA_backquote($uncommon_tables[$table_index]) . '/', | |
+ $Create_Table_Query = preg_replace('/' . preg_quote(PMA_backquote($uncommon_tables[$table_index]), '/') . '/', | |
PMA_backquote($trg_db) . '.' .PMA_backquote($uncommon_tables[$table_index]), | |
$Create_Query, | |
$limit = 1 | |
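Review bot: Quoting the pattern fixes half of the problem: the replacement argument on the following line is still passed raw to `preg_replace()`, which interprets `\` and `$n` sequences in it, so a target database or table name containing a backslash, or a `$` followed by a digit, is rewritten incorrectly. Escape it the same way, e.g. `addcslashes(PMA_backquote($trg_db) . '.' . PMA_backquote($uncommon_tables[$table_index]), '\\$')`. Separately, `$limit = 1` as the fourth argument is an assignment expression that creates a stray local as a side effect; pass the literal `1`. The `preg_replace()` call continues past the end of the hunk.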
diff -uNr phpMyAdmin-3.4.3-all-languages/README phpMyAdmin-3.4.3.2-all-languages/README | |
--- phpMyAdmin-3.4.3-all-languages/README 2011-06-27 10:25:09.000000000 -0400 | |
+++ phpMyAdmin-3.4.3.2-all-languages/README 2011-07-23 08:42:50.000000000 -0400 | |
@@ -1,7 +1,7 @@ | |
phpMyAdmin - Readme | |
=================== | |
-Version 3.4.3 | |
+Version 3.4.3.2 | |
A set of PHP-scripts to manage MySQL over the web. | |
diff -uNr phpMyAdmin-3.4.3-all-languages/RELEASE-DATE-3.4.3 phpMyAdmin-3.4.3.2-all-languages/RELEASE-DATE-3.4.3 | |
--- phpMyAdmin-3.4.3-all-languages/RELEASE-DATE-3.4.3 2011-06-27 10:25:09.000000000 -0400 | |
+++ phpMyAdmin-3.4.3.2-all-languages/RELEASE-DATE-3.4.3 1969-12-31 19:00:00.000000000 -0500 | |
@@ -1 +0,0 @@ | |
-Mon Jun 27 14:24:00 UTC 2011 | |
diff -uNr phpMyAdmin-3.4.3-all-languages/RELEASE-DATE-3.4.3.2 phpMyAdmin-3.4.3.2-all-languages/RELEASE-DATE-3.4.3.2 | |
--- phpMyAdmin-3.4.3-all-languages/RELEASE-DATE-3.4.3.2 1969-12-31 19:00:00.000000000 -0500 | |
+++ phpMyAdmin-3.4.3.2-all-languages/RELEASE-DATE-3.4.3.2 2011-07-23 08:42:50.000000000 -0400 | |
@@ -0,0 +1 @@ | |
+Sat Jul 23 12:41:41 UTC 2011 | |
diff -uNr phpMyAdmin-3.4.3-all-languages/schema_export.php phpMyAdmin-3.4.3.2-all-languages/schema_export.php | |
--- phpMyAdmin-3.4.3-all-languages/schema_export.php 2011-06-27 10:25:09.000000000 -0400 | |
+++ phpMyAdmin-3.4.3.2-all-languages/schema_export.php 2011-07-23 08:42:50.000000000 -0400 | |
@@ -37,7 +37,9 @@ | |
* default is PDF | |
*/ | |
global $db,$export_type; | |
-$export_type = isset($export_type) ? $export_type : 'pdf'; | |
+if (!isset($export_type) || !preg_match('/^[a-zA-Z]+$/', $export_type)) { | |
+ $export_type = 'pdf'; | |
+} | |
PMA_DBI_select_db($db); | |
$path = PMA_securePath(ucfirst($export_type)); | |
diff -uNr phpMyAdmin-3.4.3-all-languages/setup/lib/ConfigGenerator.class.php phpMyAdmin-3.4.3.2-all-languages/setup/lib/ConfigGenerator.class.php | |
--- phpMyAdmin-3.4.3-all-languages/setup/lib/ConfigGenerator.class.php 2011-06-27 10:25:09.000000000 -0400 | |
+++ phpMyAdmin-3.4.3.2-all-languages/setup/lib/ConfigGenerator.class.php 2011-07-23 08:42:50.000000000 -0400 | |
@@ -39,7 +39,7 @@ | |
if ($cf->getServerCount() > 0) { | |
$ret .= "/* Servers configuration */$crlf\$i = 0;" . $crlf . $crlf; | |
foreach ($c['Servers'] as $id => $server) { | |
- $ret .= '/* Server: ' . strtr($cf->getServerName($id), '*/', '-') . " [$id] */" . $crlf | |
+ $ret .= '/* Server: ' . strtr($cf->getServerName($id) . " [$id] ", '*/', '-') . "*/" . $crlf | |
. '$i++;' . $crlf; | |
foreach ($server as $k => $v) { | |
$k = preg_replace('/[^A-Za-z0-9_]/', '_', $k); | |
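Review bot: The reason `" [$id] "` moved inside the `strtr()` call is not recorded, and the new line reads like an accident (the closing `*/` is now a separate literal), so the next tidy-up is likely to undo it. A short comment would protect the fix, e.g. `// sanitise the name and the id together so neither can contain '*/' and close this comment early`. It is worth remembering that `strtr()` with two string arguments maps characters one-to-one (`*` and `/` each become `-`), and that `$id` is not filtered anywhere else in this hunk, so the generated comment's safety rests on that mapping alone. The enclosing `foreach` continues beyond the hunk.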
diff -uNr phpMyAdmin-3.4.3-all-languages/sql.php phpMyAdmin-3.4.3.2-all-languages/sql.php | |
--- phpMyAdmin-3.4.3-all-languages/sql.php 2011-06-27 10:25:09.000000000 -0400 | |
+++ phpMyAdmin-3.4.3.2-all-languages/sql.php 2011-07-23 08:42:50.000000000 -0400 | |
@@ -719,7 +719,7 @@ | |
parse_str($_REQUEST['transform_fields_list'], $edited_values); | |
foreach($mime_map as $transformation) { | |
- $include_file = $transformation['transformation']; | |
+ $include_file = PMA_securePath($transformation['transformation']); | |
$column_name = $transformation['column_name']; | |
$column_data = $edited_values[$column_name]; | |
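Review bot: The transformation file name is now sanitised but, unlike the matching change in libraries/display_tbl.lib.php, no `file_exists('./libraries/transformations/' . $include_file)` guard is visible before the value is used; if the include further down has no such check (not shown here), adding one keeps a stale mime_map entry from becoming a warning plus an attempted include of a missing file. A comment on the changed line, `// PMA_securePath(): the mime_map value must only ever select a file inside libraries/transformations/`, would record the intent of the call. The `foreach` body continues after the hunk, and `$edited_values[$column_name]` on the last context line assumes the posted list contains every mapped column.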
diff -uNr phpMyAdmin-3.4.3-all-languages/tbl_printview.php phpMyAdmin-3.4.3.2-all-languages/tbl_printview.php | |
--- phpMyAdmin-3.4.3-all-languages/tbl_printview.php 2011-06-27 10:25:09.000000000 -0400 | |
+++ phpMyAdmin-3.4.3.2-all-languages/tbl_printview.php 2011-07-23 08:42:50.000000000 -0400 | |
@@ -69,7 +69,7 @@ | |
$tbl_list .= (empty($tbl_list) ? '' : ', ') | |
. PMA_backquote($table); | |
} | |
- echo '<strong>'. __('Show tables') . ': ' . $tbl_list . '</strong>' . "\n"; | |
+ echo '<strong>'. __('Show tables') . ': ' . htmlspecialchars($tbl_list) . '</strong>' . "\n"; | |
echo '<hr />' . "\n"; | |
} // end if | |
@@ -84,7 +84,7 @@ | |
} | |
$counter++; | |
echo '<div' . $breakstyle . '>' . "\n"; | |
- echo '<h1>' . $table . '</h1>' . "\n"; | |
+ echo '<h1>' . htmlspecialchars($table) . '</h1>' . "\n"; | |
/** | |
* Gets table informations |