security - phpmyadmin-2.6.2-rc1

C

Chrysalis

Verified User
Joined
Aug 25, 2004
Messages
1,587
Location
uk
phpMyAdmin "convcharset" Cross-Site Scripting Vulnerability

Input passed to the "convcharset" parameter in "index.php" isn't
properly sanitised before being returned to the user. This can be
exploited to execute arbitrary HTML and script code in a user's
browser session in context of a vulnerable site.

The vulnerability has been reported in versions prior to 2.6.2-rc1.

SOLUTION:
Update to version 2.6.2-rc1 or later.
 
hehehe it isnt that hard, i will made a tut for it in few minutes :)
 
First a note:

Your phpMyAdmin folder can be phpmyadmin or PHPMyAdmin, it is just like you have it on your server. You can execute 'ls -al' to see the phpmyadmin name in lightblue. I cant give support on how to find the current folder, its too simple!

The process:

Code: 
# cd /var/www/html/
# wget [url]http://mesh.dl.sourceforge.net/sourceforge/phpmyadmin/phpMyAdmin-2.6.2-rc1.tar.gz[/url]
# tar zxf phpMyAdmin-2.6.2-rc1.tar.gz
# cd phpMyAdmin-2.6.2-rc1
# pico config.inc.php (and edit it like you want, set the $cfg['PmaAbsoluteUri'] = 'http://www.myhost.com/phpMyAdmin/'; to the url where your phpmyadmin is located..

Maybe also put some lower HTTP authentication on with:
$cfg['Servers'][$i]['auth_type']     = 'http';    // Authentication method (config, http or cookie based)?

and leave the rest as it is. save and exit.
# cd ..
# rm -f phpMyAdmin (this is the symlink, can also have another name like lowercase characters!)
# ln -s /var/www/html/phpMyAdmin-2.6.2-rc1/ phpMyAdmin

Code and customises can vary, its just too simple to make a tutorial for. This is just some BASIC knowledge :)

It IS possible to delete the old folder on your server without any further problems just as the new .tar.gz file (only if the new version works!!).

Plugin
 
hmm, ok
i already have the symlink to 2.6.1 in var/www/html, but when i go to domain.com/phpMyAdmin i still see version 2.5.4

PHP: 
lrwxrwxrwx    1 root     root           16 Mar 24 00:11 phpMyAdmin -> phpMyAdmin-2.6.1
 
the 2.5.4 is the version that came with original install:
i see lots of differences in the config.inc.php:
2.5.4:
PHP: 
 */
$cfg['PmaAbsoluteUri'] = (!empty($_SERVER['HTTPS']) ? 'https' : 'http') . '://'
                       . $_SERVER['HTTP_HOST']
//                       . (!empty($_SERVER['SERVER_PORT']) ? ':' . $_SERVER['SERVER_PORT'] : '')
                       . substr($_SERVER['PHP_SELF'], 0, strrpos($_SERVER['PHP_SELF'], '/')+1);



/**
 * Disable the default warning about $cfg['PmaAbsoluteUri'] not being set
 * You should use this if and ONLY if the PmaAbsoluteUri auto-detection
 * works perfectly.
 */
$cfg['PmaAbsoluteUri_DisableWarning'] = FALSE;

/**
 * Disable the default warning that is displayed on the DB Details Structure page if
 * any of the required Tables for the relationfeatures could not be found
 */
$cfg['PmaNoRelation_DisableWarning']  = FALSE;

2.6.2
PHP: 
 */
$cfg['PmaAbsoluteUri'] = '';


/**
 * Disable the default warning about $cfg['PmaAbsoluteUri'] not being set
 * You should use this if and ONLY if the PmaAbsoluteUri auto-detection
 * works perfectly.
 */
$cfg['PmaAbsoluteUri_DisableWarning'] = FALSE;

/**
 * Disable the default warning that is displayed on the DB Details Structure page if
 * any of the required Tables for the relationfeatures could not be found
 */
$cfg['PmaNoRelation_DisableWarning']  = FALSE;
 
sander815 said:
hmm, ok
i already have the symlink to 2.6.1 in var/www/html, but when i go to domain.com/phpMyAdmin i still see version 2.5.4

PHP: 
lrwxrwxrwx    1 root     root           16 Mar 24 00:11 phpMyAdmin -> phpMyAdmin-2.6.1
Click to expand...

Thats what i told you to do, rm -f phpMyAdmin , so delete the symlink and remake it for the new folder. Refresh your browserpage, or restart the httpd service if it is still not working. Also make sure that in your /etc/httpd/conf/httpd.conf the /phpMyAdmin/ is not redirecting to your /phpMyAdmin-2.5.4/ folder but to the /phpMyAdmin/ symlink ;)


The differences are complete normal. Just use the new configuration file :)
 
Last edited:
plugin said:
Thats what i told you to do, rm -f phpMyAdmin , so delete the symlink and remake it for the new folder. Refresh your browserpage, or restart the httpd service if it is still not working. Also make sure that in your /etc/httpd/conf/httpd.conf the /phpMyAdmin/ is not redirecting to your /phpMyAdmin-2.5.4/ folder but to the /phpMyAdmin/ symlink ;)


The differences are complete normal. Just use the new configuration file :)
Click to expand...

ok, error was in the httpd.conf file
 
You must log in or register to reply here.
Back
Top