[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: phpmyadmin / CVE-2016-9861 / PMASA-2016-66

Hi Brian!

On 2016-12-16 03:44:51, Brian May wrote:
> I have patched a number of vulnerabilities in phpmyadmin in wheezy;
> there is a version available for testing at
> https://people.debian.org/~bam/debian/pool/main/p/phpmyadmin/

I haven't tested the package, but have reviewed your work, below.

> Not sure I entirely like the supplied fix from upstream for
> CVE-2016-4412 / PMASA-2016-57 - the included whitelist in
> PMA_isAllowedDomain has a number of domains included (because we use
> url.php to link to these domains, e.g. for external links to
> documentation). I see that the latest 4.6.5.1 version does the same
> thing.
>
> The included isAllowedDomain does not include some checks that are in
> later versions:
>
>     $arr = parse_url($url);
>     // We need host to be set
>     if (! isset($arr['host']) || strlen($arr['host']) == 0) {
>         return false;
>     }
>     // We do not want these to be present
>     $blocked = array('user', 'pass', 'port');
>     foreach ($blocked as $part) {
>         if (isset($arr[$part]) && strlen($arr[$part]) != 0) {
>             return false;
>         }
>     }
>
> It makes me nervous that these checks might be important.

I do think they are.

> I think I will need to revise CVE-2016-9861 / PMASA-2016-66 again,
> because it covers the same code. As CVE-2016-9861 / PMASA-2016-66 is
> considered a security issue, that implies the above checks are important
> for security. For reasons I don't entirely understand right now.

CVE-2016-9861 seems to be about a bypass of previous checks by using
false values in the "host" bit, for example. It consists of the
following patch:

https://github.com/phpmyadmin/phpmyadmin/commit/af7c589

This code was introduced in:

https://github.com/phpmyadmin/phpmyadmin/commit/e8c5cab3c117e68a0d837319e0e83bdfc50be1fb

To fix CVE-2016-6626 which was marked as "not-affected" in wheezy
because "vulnerable code not present"... 

That said, I still think you should include them for the fix to be
complete. In the process, you could mark CVE-2016-6626 as affected as
well. :)

> The debdiff is below:

I have reviewed the diff summarily for logic errors and things seem fine
otherwise noted below.

> +--- a/url.php
> ++++ b/url.php
> ++    // JavaScript redirection is necessary. Because if header() is used
> ++    //  then web browser sometimes does not change the HTTP_REFERER
> ++    //  field and so with old URL as Referer, token also goes to
> ++    //  external site.

I haven't reviewed the whole code - but this actually works? Doesn't
this assume the token isn't passed to the url.php file?


-- 
A people that elect corrupt politicians, imposters, thieves & traitors
are not victims... but accomplices.
                        - George Orwell
Reply to: