Marc Delisle wrote:
Hi Michal, Good work! except I would remove the references to xine ;)
I can post this in a few hours, as a news item with a reference to Documentation.html where we already have a security section.
Marc
Michal Čihař wrote:
Hi all
I guess we should handle security issues a bit better. These bugs should be announced with a bit more detail (like when they are exploitable, which versions are affected and similar details). I'd like to have something similar to what xine has:
http://xinehq.de/index.php/security/
I wrote how an announcement could look for the latest issue. Comments?
phpMyAdmin security announcement
Announcement-ID: PSA-2004-3
Summary: When specifying specially formatted options to an external MIME transformation, an attacker can execute any shell command, restricted only by the privileges of the httpd user.
Description: phpMyAdmin allows the use of MIME transformations for displaying fields from the database. These transformations are not enabled by default (the administrator needs to prepare a special table for keeping some information and specify it in the configuration). One of these transformations allows piping field content through an external program, which needs to be hardcoded in the PHP script. However, the user can specify parameters to that program, and this parameter was not checked for shell metacharacters, so an attacker could pass anything there, from redirection of output to execution of any other command.
Severity: In the default setup this feature is not enabled, and many hosting providers run PHP in safe mode with exec support disabled, either of which makes them unaffected by this issue. The user also needs to be logged in to phpMyAdmin, which limits the range of attackers to users of the server, who usually can also execute PHP code directly, so this possibility doesn't extend their privileges. However, this could cause some harm, so we consider it important.
Affected versions: All releases starting with 2.5.0 up to and including 2.6.0-pl1.
Unaffected versions: All releases older than 2.5.0. CVS HEAD has been fixed. The upcoming 2.6.0-pl2 release.
Solution: If you are vulnerable to this issue, the easiest fix is to disable the external transformation: just remove the file libraries/transformations/text_plain__external.inc.php. The attached patch fixes the problem but should only be used by distributors who do not want to upgrade. Otherwise, we strongly advise everyone to upgrade to CVS HEAD or to the next version of xine-ui, which is to be released soon.
For further information and in case of questions, please contact the xine team. Our website is http://www.phpmyadmin.net/
I am not sure if we should talk about "CVS HEAD" in such a message. Maybe just talk about the latest CVS version?
Marc
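The parameter handling the announcement above describes, as an added illustration that is not phpMyAdmin's code and was not posted in this thread: a hardcoded program path with a user-supplied option that is concatenated into a shell string, beside the escaped and allow-listed forms that close the hole. The program path and the option value are constructed for the example.

```php
<?php
// Added illustration (not phpMyAdmin's own code) of the bug class the
// announcement describes: the program is fixed in the script, but the
// user-controlled option reaches the shell unfiltered.

// Constructed option value; ';' is one of the metacharacters the
// announcement says was never checked.
$userOption = "-n 1; echo injected";

// Hypothetical program path standing in for the hardcoded filter.
$program = '/usr/local/bin/text_filter';

// Vulnerable pattern: plain concatenation, so the shell parses the option
// and ';' splits it into a second command.
function build_command_vulnerable(string $program, string $option): string
{
    return $program . ' ' . $option;
}

// Hardened pattern: escapeshellarg() single-quotes the whole value, so the
// shell sees one literal argument and ';', '|', '>' lose their meaning.
function build_command_hardened(string $program, string $option): string
{
    return escapeshellarg($program) . ' ' . escapeshellarg($option);
}

// Stricter alternative: accept only an explicit character allow-list and
// reject the value before it is ever handed to the shell.
function option_is_allowed(string $option): bool
{
    return (bool) preg_match('/\A[A-Za-z0-9 _.,=:\/-]*\z/', $option);
}

echo build_command_vulnerable($program, $userOption), PHP_EOL;
echo build_command_hardened($program, $userOption), PHP_EOL;

if (!option_is_allowed($userOption)) {
    echo 'option rejected by allow-list', PHP_EOL;
}
```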