[SRU] add PHP 8 on Apache2 conf & require PHP 8 (LP: #1975892) & CVE-2023-25727 & fix Recommends:
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
phpMyAdmin | Fix Released | Unknown | |
5.1 | New | Undecided | William Desportes |
phpmyadmin (Debian) | Fix Released | Undecided | William Desportes |
phpmyadmin (Ubuntu) | Fix Released | Undecided | William Desportes |
Jammy | Invalid | Undecided | Unassigned |
Bug Description
[ Impact ]
* The PHP 8 support in the Apache2 conf will allow users to have a correct PHP `include_path`
  and prevent issues like (https:/
  This fix is already upstream in Debian and released.
* Forcing PHP 8 is required, as users have posted their concerns and invaded the Internet about this subject since then
  - See: https:/
  - See: https:/
  - The packaging of symfony is made so it's impossible to run PHP < 8
* Updating Recommends: will allow users to only have to do `apt install phpmyadmin`
  and not end up confused about why the webpage shows PHP source code.
  The Internet is filled with users asking why there is PHP code displayed.
  This update is already upstream in Debian and released.
* And finally a CVE fix for CVE-2023-25727, PMASA-2023-1
  Already fixed upstream in Debian and released.
[ Test Plan ]
* To reproduce the `include_path` bug
  - install phpmyadmin and `libapache2-
  - browse http://
  - See the working UI
  - set `php_admin_value open_basedir .` in an Apache2 conf file
    of your choice in `/etc/apache2/
  - restart Apache2
  - refresh the page: error 500, reported at phpMyAdmin issue #18299
  - add the config block from my patch
  - restart Apache2
  - See the working UI
* To reproduce the forced PHP 8 message, install deb sury's PHP 7.4
  or an Ubuntu jammy with PHP 7.4 installed and Apache2
  and the packages mentioned in https:/
  - Now that everything is installed, admire the error 500
  - Apply my patch on `libraries/
  - Refresh, and see the HTML
  Alternative solution: change the `PHP_VERSION_ID < 80000` to `true` and see the HTML.
* To reproduce the "Recommends:" user problem
  - new VM
  - apt install phpmyadmin
  - service apache2 start
  - browse http://
  - PHP code!
  - Install `libapache2-
  - You can see the login page
* About CVE-2023-25727
  - create a file named `"><img src=x onerror=
  - install phpmyadmin and a local database
  - login
  - drag and drop the file
  - view the uploads and click `Failed` to see the XSS
  - apply the patch on `js/dist/
  The real patch applies to the source file that is built at build time
[ Where problems could occur ]
* If the Apache2 config was in a wrong syntax, the server would not start.
  If it did not work, the reproduction steps would still end in the 500 error.
* If "Recommends:" was wrong, you would be missing Apache2 by default.
  If the Recommends allow you to only have to install the package
  and you can see HTML and not PHP code, then it works.
* Users could complain about the change for the required PHP 8 version,
  but that would mean they tweaked their distribution in a very weird way to have the symfony packages non-buggy.
* If the CVE fix was not applied well, the code would break when you test the drag and drop.
[ Other Info ]
* Do not forget to install the mbstring extension if it's not already there; this could be your first error 500 reason.
* All the source code was pushed to https:/
Changelog:
* Add PHP 8 support on apache2 conf
* Require PHP >= 8.0 (Ref: LP: #1975892)
* Recommend libapache2-mod-php and not apache2 to avoid
  displaying PHP code after the package install.
* Add a patch for CVE-2023-25727, PMASA-2023-1
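The test plan above verifies three symptoms by hand: an HTTP 500 from the `open_basedir` / `include_path` problem, the `PHP_VERSION_ID < 80000` version gate, and raw PHP source being served when `libapache2-mod-php` is not installed. The script below is an added example, not part of this bug report or of the phpmyadmin package; it turns those three checks into small shell functions so an SRU verifier can run them against a test VM. The function names, the default URL and the use of `curl` are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the bug report or the phpmyadmin package): helpers
# for the three verification steps in the test plan. Assumes curl and grep
# are on PATH; the URL in check_live is a placeholder.

# Returns 0 when a PHP_VERSION_ID value (e.g. 80119 for PHP 8.1.19) meets the
# "PHP >= 8.0" requirement from the changelog, 1 for anything older.
php_version_id_ok() {
    [ "$1" -ge 80000 ]
}

# Returns 0 when a saved HTTP response body is rendered HTML, 1 when it still
# contains a '<?php' tag (the "PHP code!" symptom without libapache2-mod-php).
# $1 is the path of the file holding the body.
body_is_rendered_html() {
    if grep -q '<?php' "$1"; then
        return 1
    fi
    grep -qi '<html' "$1"
}

# Returns 0 when an HTTP status code is not a 5xx server error (the
# "error 500" symptom from the open_basedir / include_path step).
status_is_not_5xx() {
    case "$1" in
        5[0-9][0-9]) return 1 ;;
        *) return 0 ;;
    esac
}

# Live check against a running instance; not invoked automatically so the
# file can be sourced for the offline functions alone. URL is a placeholder.
check_live() {
    url="${1:-http://localhost/phpmyadmin/}"
    body=$(mktemp)
    code=$(curl -s -o "$body" -w '%{http_code}' "$url")
    if ! status_is_not_5xx "$code"; then
        echo "FAIL: HTTP $code from $url (check open_basedir / include_path and mbstring)"
        rm -f "$body"
        return 1
    fi
    if ! body_is_rendered_html "$body"; then
        echo "FAIL: response is not rendered HTML (PHP source served? missing libapache2-mod-php?)"
        rm -f "$body"
        return 1
    fi
    rm -f "$body"
    echo "OK: $url served HTML with HTTP $code"
}
```

Source the file and call `check_live http://<vm>/phpmyadmin/` after each step of the plan; `php_version_id_ok "$(php -r 'echo PHP_VERSION_ID;')"` reproduces the same comparison the version gate in `libraries/` performs, so it tells you in advance whether the forced PHP 8 message will appear.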
Changed in phpmyadmin (Ubuntu):
  assignee: nobody → William Desportes (williamdes)
Changed in phpmyadmin:
  importance: Unknown → Medium
Changed in phpmyadmin (Debian):
  assignee: nobody → William Desportes (williamdes)
  assignee: William Desportes (williamdes) → nobody
  status: New → Fix Released
  assignee: nobody → William Desportes (williamdes)
  tags: added: sru-release
  tags: added: verification-needed-jammy
  tags: removed: sru-release verification-needed-jammy
Changed in phpmyadmin (Ubuntu):
  status: New → Fix Released
  information type: Public → Public Security
Changed in phpmyadmin:
  importance: Medium → Unknown
  status: Unknown → Fix Released
Pushed on a branch that forks the last ubuntu1 version: https://code.launchpad.net/~williamdes/ubuntu/+source/phpmyadmin/+git/phpmyadmin/+ref/ubuntu/jammy-stable