XSS vulnerability in row_create

Bug #1964710 reported by Nicholas Guriev
This bug affects 1 person
Affects                  Status        Importance  Assigned to  Milestone
phpliteadmin (Ubuntu)    Fix Released  Medium      Unassigned
  Bionic                 Fix Released  Medium      Unassigned
  Focal                  Fix Released  Medium      Unassigned
  Impish                 Won't Fix     Medium      Unassigned
  Jammy                  Fix Released  Medium      Unassigned

Bug Description

On 21 August 2021, a small XSS vulnerability in the phpLiteAdmin script packaged in Ubuntu was publicly reported. The following versions of the phpliteadmin package are affected.

 * 1.9.8.2-1 echoes the GET parameter newRows to HTML without proper
   escaping or conversion.
 * 1.9.7.1-1ubuntu0.1 does the same with the POST parameter num.

Upstream bug report: https://bitbucket.org/phpliteadmin/public/issues/399/xss-vulnerability
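The pattern the description points at, as an added illustration rather than phpLiteAdmin's own code: a constructed form handler that pre-fills a row count from the request, first echoing the raw parameter and then applying the fix the Ubuntu changelog describes (casting the value to an integer), with htmlspecialchars as the general rule for anything that reaches an HTML attribute. The function names, parameter handling and sample request are assumptions made here.

```php
<?php
// Constructed stand-in for a "create rows" form; not phpLiteAdmin's code.
// The bug description says the newRows (GET) / num (POST) value was echoed
// into HTML with no escaping or conversion, which this first function mimics.

// Vulnerable pattern: the raw request value is interpolated into markup,
// so a value containing quotes or tags rewrites the page.
function render_row_form_vulnerable(array $get): string
{
    $rowCount = $get['newRows'] ?? '1';
    return '<input type="text" name="newRows" value="' . $rowCount . '">';
}

// Fixed pattern, matching the Ubuntu patch ("forcibly cast input value to
// integer"): a row count can only ever be a number, so the cast keeps the
// leading digits and discards everything else, and a bad value becomes 1.
function render_row_form_fixed(array $get): string
{
    $rowCount = (int) ($get['newRows'] ?? 1);
    if ($rowCount < 1) {
        $rowCount = 1;
    }
    // Redundant for an int, but it is the rule for any attribute value:
    // ENT_QUOTES also encodes the double quote that closes the attribute.
    return '<input type="text" name="newRows" value="'
        . htmlspecialchars((string) $rowCount, ENT_QUOTES, 'UTF-8') . '">';
}

// Constructed request (assumption): a value that is not a plain number.
$request = ['newRows' => '5"><i>not a number</i>'];

echo render_row_form_vulnerable($request), PHP_EOL; // markup leaks through
echo render_row_form_fixed($request), PHP_EOL;      // only the integer 5 remains
```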

Tags: bionic focal

Nicholas Guriev (mymedia) wrote :
Nicholas Guriev (mymedia) wrote :
information type: Public → Public Security
description: updated
Marc Deslauriers (mdeslaur) wrote :

ACK on the debdiffs in comments #1 and #2. I did add the CVE number to the changelog though, to make it easier to track.

I've uploaded packages to the security team PPA here:
https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+packages

Could you please give them a try and once they have been tested, we will publish them.

Thanks!

Steve Beattie (sbeattie) wrote :

This was fixed in Jammy (Ubuntu 22.04 LTS pre-release) in phpliteadmin 1.9.8.2-2, closing that task.

Changed in phpliteadmin (Ubuntu Jammy):
status: New → Fix Released
Mathew Hodson (mhodson)
Changed in phpliteadmin (Ubuntu):
importance: Undecided → Medium
Changed in phpliteadmin (Ubuntu Bionic):
importance: Undecided → Medium
Changed in phpliteadmin (Ubuntu Focal):
importance: Undecided → Medium
Changed in phpliteadmin (Ubuntu Impish):
importance: Undecided → Medium
Changed in phpliteadmin (Ubuntu Jammy):
importance: Undecided → Medium
Marc Deslauriers (mdeslaur) wrote (last edit ):

Hi Nicholas,

We are still awaiting the results of testing for the packages in the security team PPA...

Nicholas Guriev (mymedia) wrote : Re: [Bug 1964710] Re: XSS vulnerability in row_create

Hello! I have tested the fixes in a virtual machine and here are the
results.

The current version in Impish does not work at all, and the
1.9.8.2-1ubuntu0.21.10.1 version fixes the problems and is not
vulnerable to the XSS in the newRows parameter. 👍

The current version for Focal is vulnerable and 1.9.8.2-1ubuntu0.20.04.1
fixes the issue. 👍

Although the version in Bionic, 1.9.7.1-1ubuntu0.1, has the XSS flaw through
the POST parameter 'num', it is hardly exploitable because of the CSRF
protection. An attacker would somehow need to know a token before they could
inject malicious code. In fact, I found another problem with the current
version: the file /etc/apache/conf-available/phpliteadmin.conf contains a
"Depends: php7.0" magic comment that is blocking it from automatic
activation by the postinst script. It would be great to replace the digit
7.0 with 7.2. Since the original issue is mitigated, let me propose one
more one-liner fix. 🤔

Marc Deslauriers (mdeslaur) wrote :

Thanks for the debdiff in comment #6. I have uploaded it to the security team PPA (with a version bump, since we can't reuse a version number).

Could you test the new bionic package in the PPA here, once it finishes building?
https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+packages

Once you've done testing bionic, I will release them all as updates. Thanks!

Nicholas Guriev (mymedia) wrote :

Okay, I retested the phpliteadmin package of version 1.9.7.1-1ubuntu0.3
in bionic. It works out of the box as expected; the config is activated
automatically on installation.

Changed in phpliteadmin (Ubuntu Impish):
status: New → Won't Fix
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package phpliteadmin - 1.9.7.1-1ubuntu0.3

---------------
phpliteadmin (1.9.7.1-1ubuntu0.3) bionic-security; urgency=medium

  * SECURITY UPDATE: cross-site scripting (LP: #1964710)
    - debian/patches/Fix-post-num-XSS.patch:
      Forcibly cast input value to integer. Original fix.
    - CVE-2021-46709
  * Update PHP version to 7.2 in a directive comment for a2enconf(8).

 -- Nicholas Guriev <email address hidden> Sun, 22 May 2022 22:24:22 +0300

Changed in phpliteadmin (Ubuntu Bionic):
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package phpliteadmin - 1.9.8.2-1ubuntu0.20.04.1

---------------
phpliteadmin (1.9.8.2-1ubuntu0.20.04.1) focal-security; urgency=medium

  * SECURITY UPDATE: cross-site scripting (LP: #1964710)
    - debian/patches/Fix-newRows-XSS.patch:
      Forcibly cast input value to integer. Original fix.
    - CVE-2021-46709

 -- Nicholas Guriev <email address hidden> Sun, 13 Mar 2022 16:25:03 +0300

Changed in phpliteadmin (Ubuntu Focal):
status: New → Fix Released