| 2023-04-12 14:37:17 |
William Desportes |
bug |
|
|
added bug |
| 2023-04-12 23:46:25 |
Athos Ribeiro |
bug |
|
|
added subscriber Athos Ribeiro |
| 2023-04-14 15:04:52 |
Hans Joachim Desserud |
cve linked |
|
2023-25727 |
|
| 2023-05-02 07:30:42 |
William Desportes |
bug task added |
|
phpmyadmin (Debian) |
|
| 2023-05-02 07:30:59 |
William Desportes |
phpmyadmin (Debian): status |
New |
Fix Released |
|
| 2023-05-02 07:30:59 |
William Desportes |
phpmyadmin (Debian): assignee |
|
William Desportes (williamdes) |
|
| 2023-05-12 13:20:58 |
Athos Ribeiro |
nominated for series |
|
Ubuntu Jammy |
|
| 2023-05-12 13:20:58 |
Athos Ribeiro |
bug task added |
|
phpmyadmin (Ubuntu Jammy) |
|
| 2023-05-12 13:20:58 |
Athos Ribeiro |
nominated for series |
|
Ubuntu Kinetic |
|
| 2023-05-12 13:20:58 |
Athos Ribeiro |
bug task added |
|
phpmyadmin (Ubuntu Kinetic) |
|
| 2023-05-12 13:21:05 |
Athos Ribeiro |
phpmyadmin (Ubuntu): status |
New |
Fix Released |
|
| 2023-05-13 16:44:44 |
Athos Ribeiro |
summary |
[SRU] Fix CVE-2023-25727, PMASA-2023-1 |
XSS vulnerability in drag-and-drop upload (CVE-2023-25727, PMASA-2023-1) |
|
| 2023-05-13 18:10:09 |
Launchpad Janitor |
merge proposal linked |
|
https://code.launchpad.net/~athos-ribeiro/ubuntu/+source/phpmyadmin/+git/phpmyadmin/+merge/442796 |
|
| 2023-05-13 18:10:10 |
Launchpad Janitor |
merge proposal linked |
|
https://code.launchpad.net/~athos-ribeiro/ubuntu/+source/phpmyadmin/+git/phpmyadmin/+merge/442797 |
|
| 2023-05-13 19:39:49 |
Athos Ribeiro |
description |
[ Impact ]
* And finally a CVE fix for CVE-2023-25727, PMASA-2023-1
Already fixed upstream Debian and released.
[ Test Plan ]
* About CVE-2023-25727
- create a file named `"><img src=x onerror=alert(11)>.sql`
- install phpmyadmin and a local database
- login
- drag and drop the file
- view the uploads and click `Failed` to see the XSS
- apply the patch on `js/dist/drag_drop_import.js` to try it
The real patch applies to the source file that is build at build time
[ Where problems could occur ]
* The CVE if not well applied the code would break when you test the drag and drop
[ Other Info ]
See: https://bugs.launchpad.net/ubuntu/+source/phpmyadmin/+bug/2013402 |
[ Impact ]
An authenticated user can trigger an XSS attack by uploading a specially-crafted .sql file through the drag-and-drop interface.
CVE-2023-25727, PMASA-2023-1
[ Test Plan ]
- create a file named `"><img src=x onerror=alert(11)>.sql`
- install phpmyadmin and a local database
- login
- drag and drop the file
- view the uploads and click `Failed` to verify the XSS occurs.
- install the package with the proposed fix
- retry the operation above and verify the XSS no longer occours.
[ Where problems could occur ]
The fix consists in sanitizing user input through the document.createTextNode JS function [1]. As long as the function HTML escaping capabilities are sound and complete, no regressions regarding this CVE should arise. However, a new level of indirection was introduced to perform the html escaping and different browsers may implement the function in different ways, which may result in unaccounted bugs being filed in the future.
[1] https://developer.mozilla.org/en-US/docs/Web/API/Document/createTextNode
[ Other Info ]
This has been fixed since lunar.
- https://www.phpmyadmin.net/security/PMASA-2023-1/
- https://bugs.launchpad.net/ubuntu/+source/phpmyadmin/+bug/2013402 |
|
| 2023-08-07 15:34:53 |
Launchpad Janitor |
merge proposal linked |
|
https://code.launchpad.net/~athos-ribeiro/ubuntu/+source/phpmyadmin/+git/phpmyadmin/+merge/448616 |
|
| 2023-08-07 16:38:16 |
Athos Ribeiro |
phpmyadmin (Ubuntu Kinetic): status |
New |
Won't Fix |
|
| 2023-08-07 16:38:20 |
Athos Ribeiro |
phpmyadmin (Ubuntu Jammy): status |
New |
In Progress |
|
| 2023-08-07 16:38:48 |
Athos Ribeiro |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
| 2023-08-23 03:20:24 |
Chris Halse Rogers |
phpmyadmin (Ubuntu Jammy): status |
In Progress |
Fix Committed |
|
| 2023-08-23 03:20:27 |
Chris Halse Rogers |
bug |
|
|
added subscriber SRU Verification |
| 2023-08-23 03:20:31 |
Chris Halse Rogers |
tags |
|
verification-needed verification-needed-jammy |
|
| 2023-09-28 13:06:01 |
Andreas Hasenack |
tags |
verification-needed verification-needed-jammy |
verification-failed-jammy verification-needed |
|
| 2023-12-13 04:59:40 |
Chris Halse Rogers |
phpmyadmin (Ubuntu Jammy): status |
Fix Committed |
Confirmed |
|
| 2023-12-13 04:59:44 |
Chris Halse Rogers |
removed subscriber SRU Verification |
|
|
|
| 2023-12-13 04:59:49 |
Chris Halse Rogers |
removed subscriber Ubuntu Stable Release Updates Team |
|
|
|
