phpMyAdmin 2.6.0-pl3 and security alert
interfasys
11-18-2004, 11:57 PM
What's this about:
http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2004-3
The file:
http://voxel.dl.sourceforge.net/sourceforge/phpmyadmin/phpMyAdmin-2.6.0-pl3.tar.bz2
Chrysalis
11-19-2004, 09:10 AM
thanks
l0rdphi1
11-19-2004, 11:05 PM
To update:
cd /var/www/html
wget http://aleron.dl.sourceforge.net/sourceforge/phpmyadmin/phpMyAdmin-2.6.0-pl3.tar.gz
tar xzf phpMyAdmin-2.6.0-pl3.tar.gz
rm -f phpMyAdmin-2.6.0-pl3.tar.gz
# keep the old tree around until the new one is confirmed working
mv phpmyadmin phpmyadminOLD
mv phpMyAdmin-2.6.0-pl3 phpmyadmin
chown -R admin: phpmyadmin
# auth_type 'config' keeps MySQL credentials in the file; switch to HTTP auth, then silence the two warnings
perl -pi -e 's/(..auth_type..\s*=\s*.)config/${1}http/' phpmyadmin/config.inc.php
perl -pi -e 's/(PmaAbsoluteUri_DisableWarning..\s*=\s*)FALSE/${1}TRUE/' phpmyadmin/config.inc.php
perl -pi -e 's/(PmaNoRelation_DisableWarning..\s*=\s*)FALSE/${1}TRUE/' phpmyadmin/config.inc.php
Phi1.
California
11-20-2004, 12:45 AM
Thanks, phi1!
Your instructions helped immensely (as always). :)
My installation, though (FreeBSD 4.9), required a bit of tweaking since mine had a symlink as phpmyadmin and I needed to use a case-sensitive "phpMyAdmin". But your instructions were very easy to follow and it was a breeze to upgrade.
l0rdphi1
11-20-2004, 01:29 AM
You're welcome! :D
Phi1.
interfasys
12-13-2004, 07:36 AM
http://www.exaprobe.com/labs/advisories/esa-2004-1213.html
No fix yet. You can upgrade to the latest rc or wait and pray ;)
Chrysalis
12-13-2004, 08:19 AM
thanks updated
fusionictnl
12-13-2004, 08:37 AM
Another security problem:
http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2004-4
This is probably worse than the previous one ;)
Upgrade to 2.6.1-rc1 or newer.
Deactivate uploads and transformations if possible.
interfasys
12-13-2004, 08:51 AM
It's the same report ;)
If we disable safe mode in php.ini and enable it via DA for users that need it, would the default folder /var/www/html be running PHP is safe mode? Would users that need it really get safe mode off? Would DA still run fine (plugins, etc.)?
fusionictnl
12-13-2004, 09:53 AM
It ain't the same report! It's the same site, but not same report. This is reported TODAY! Read before replying ;)
interfasys
12-13-2004, 09:59 AM
Reference in the page you posted:
http://www.exaprobe.com/labs/advisories/esa-2004-1213.html
The link I posted:
http://www.exaprobe.com/labs/advisories/esa-2004-1213.html
Hmm... Where is the difference? =)
fusionictnl
12-13-2004, 02:01 PM
exaprobe site and phpmyadmin site ;)
interfasys
12-13-2004, 02:06 PM
Hehehe! ;)
l0rdphi1
12-20-2004, 07:30 PM
Just used this to update to rc1 in case anyone is interested:
#!/bin/bash
cd /var/www/html
VERSION=2.6.1-rc1
wget aleron.dl.sourceforge.net/sourceforge/phpmyadmin/phpMyAdmin-$VERSION.tar.gz
tar xzf phpMyAdmin-$VERSION.tar.gz
# drop the old symlink and the tarball; the previous release directory itself stays in place
rm -f phpMyAdmin phpMyAdmin-$VERSION.tar.gz
chown -R admin:admin phpMyAdmin-$VERSION
# serve the new release through a symlink so the next upgrade is just a re-link
ln -s phpMyAdmin-$VERSION phpMyAdmin
# auth_type 'config' keeps MySQL credentials in the file; switch to HTTP auth, then silence the two warnings
perl -pi -e 's/(..auth_type..\s*=\s*.)config/${1}http/' phpMyAdmin/config.inc.php
perl -pi -e 's/(PmaAbsoluteUri_DisableWarning..\s*=\s*)FALSE/${1}TRUE/' phpMyAdmin/config.inc.php
perl -pi -e 's/(PmaNoRelation_DisableWarning..\s*=\s*)FALSE/${1}TRUE/' phpMyAdmin/config.inc.php
exit 0
chielsen
01-17-2005, 05:18 AM
Working link now is:
http://belnet.dl.sourceforge.net/sourceforge/phpmyadmin/phpMyAdmin-2.6.1-rc2.tar.gz
uk_joker2003
01-19-2005, 04:18 AM
Originally posted by l0rdphi1
To update:
cd /var/www/html
wget http://aleron.dl.sourceforge.net/sourceforge/phpmyadmin/phpMyAdmin-2.6.0-pl3.tar.gz
tar xzf phpMyAdmin-2.6.0-pl3.tar.gz
rm -f phpMyAdmin-2.6.0-pl3.tar.gz
mv phpmyadmin phpmyadminOLD
mv phpMyAdmin-2.6.0-pl3 phpmyadmin
chown -R admin: phpmyadmin
perl -pi -e 's/(..auth_type..\s*=\s*.)config/${1}http/' phpmyadmin/config.inc.php
perl -pi -e 's/(PmaAbsoluteUri_DisableWarning..\s*=\s*)FALSE/${1}TRUE/' phpmyadmin/config.inc.php
perl -pi -e 's/(PmaNoRelation_DisableWarning..\s*=\s*)FALSE/${1}TRUE/' phpmyadmin/config.inc.php
Phi1.
I tried this and all went well, but it still shows 2.5.0. Any ideas?
jmstacey
01-19-2005, 06:28 PM
1. Make sure that everything extracted and moved correctly and that 2.6.0-pl3 is really what is located in the /var/www/html directory.
(No errors when you ran the commands individually)
2. Might want to also make sure that the /var/www/html directory is where it is loading from. It probably is unless you made modifications for phpmyadmin or other default directory changes.
3. What browser are you using? Did you try clearing cookies and cache?
interfasys
01-19-2005, 08:14 PM
Just a word of warning. rc2 has a nasty bug with compressed exports.
chielsen
01-20-2005, 05:41 AM
That's why I posted the link to 2.6.1
interfasys
01-20-2005, 07:13 AM
2.6.1-rc2 IS the one with problems.
chielsen
01-20-2005, 08:13 AM
Upgrade to 2.6.1-rc1 or newer.
Deactivate uploads and transformations if possible
I think 2.6.1 rc2 is the one you should use..
Chrysalis
01-20-2005, 10:48 AM
is the compressed exports bug in 2.6.1-rc2 a security issue or just useability bug?
interfasys
01-20-2005, 10:52 AM
Just a usability problem. You save a gz file, but it's in fact a plain text file.
interfasys
01-24-2005, 08:13 AM
Upgrade to 2.6.1 asap. Problems fixed.
spirit
01-27-2005, 12:55 PM
When I upgrade to 2.6.1 I only see 2.6.0-pl1
And I have 3 dirs in /var/www/html/
phpmyadmin
phpMyAdmin
phpmyadminOLD
//EDIT
It works.
I've deleted 'phpMyAdmin'
and renamed 'phpmyadmin' to 'phpMyAdmin'
rldev
01-29-2005, 07:52 AM
I have a problem after updating. When I now go to phpMyAdmin from my user control panel over an SSL connection, I get a popup stating I am attempting to connect with the server domain but the cert belongs to the localhost.local domain. Perhaps this was a problem before I updated phpMyAdmin, I'm not sure. Anyone seen this problem before?
Dennis
01-29-2005, 08:46 AM
Tnx...
Updated! Only one thing....
With the code from l0rdphi1 (tnx for the code by the way!):
#!/bin/bash
cd /var/www/html
VERSION=2.6.1-rc1
URL=aleron.dl.sourceforge.net/sourceforge/phpmyadmin/
wget ${URL}phpMyAdmin-$VERSION.tar.gz
tar xzf phpMyAdmin-$VERSION.tar.gz
# remove the old symlink and the tarball
rm -f phpMyAdmin phpMyAdmin-$VERSION.tar.gz
chown -R root:root phpMyAdmin-$VERSION
rm -f phpMyAdmin #<- added line
# re-point the symlink at the new release
ln -s phpMyAdmin-$VERSION phpMyAdmin
# HTTP auth instead of credentials in the file, and the two warnings silenced
perl -pi -e 's/(..auth_type..\s*=\s*.)config/${1}http/' phpMyAdmin/config.inc.php
perl -pi -e 's/(PmaAbsoluteUri_DisableWarning..\s*=\s*)FALSE/${1}TRUE/' phpMyAdmin/config.inc.php
perl -pi -e 's/(PmaNoRelation_DisableWarning..\s*=\s*)FALSE/${1}TRUE/' phpMyAdmin/config.inc.php
exit 0
I added a line in the script. The link to the old phpMyAdmin is still there, and you first have to delete that one, or it will place the new link inside the directory. That was a problem I encountered.
Fixed it by deleting the link to the old phpMyAdmin and making a new link to the new one.
Regards,
Dennis
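The upgrade procedure worked out in this thread (unpack, re-point the symlink, patch config.inc.php) wrapped into checked functions. This is an added example, not code from any poster or from the phpMyAdmin project. It verifies the tarball's digest before unpacking, refuses to switch when the link name is a real directory rather than a symlink (the leftover phpmyadmin/ tree and case-mismatch situations reported above), replaces the symlink with ln -sfn so the new link cannot end up inside the old target directory, and reads the installed version from the tree instead of trusting the browser. Assumptions: the release is served through a symlink under the document root, the project publishes a SHA-256 digest to compare against, the version string lives in libraries/defines.inc.php as PMA_VERSION (the 2.6.x layout), and the fixture directory is constructed for the demo only.

```shell
#!/bin/bash
# Added example, not code from the thread. Wraps the upgrade steps posted above into
# checked functions. Assumptions: the install is served through a symlink DOCROOT/LINK
# pointing at a phpMyAdmin-VERSION directory, and the version is declared in
# libraries/defines.inc.php as PMA_VERSION (the 2.6.x layout).
set -u

# Compare a mirror download against the digest published with the release (assumed to be
# SHA-256 here). Run this before tar xzf: a download mirror is not the project.
pma_verify_sha256() {
    local file="$1" expected="$2" actual
    if command -v sha256sum >/dev/null 2>&1; then
        actual=$(sha256sum "$file" | cut -d' ' -f1)
    else
        actual=$(shasum -a 256 "$file" | cut -d' ' -f1)
    fi
    [ "$actual" = "$expected" ]
}

# The three perl one-liners from the thread as portable sed: HTTP auth instead of MySQL
# credentials stored in the file, and the two warnings silenced. Edits go through a temp
# copy so the file mode survives and a failed sed leaves the original untouched.
pma_harden_config() {
    local cfg="$1" tmp
    [ -f "$cfg" ] || return 1
    tmp="$cfg.tmp.$$"
    cp -p "$cfg" "$tmp" &&
    sed -e "s/\(\[.auth_type.][[:space:]]*=[[:space:]]*.\)config/\1http/" \
        -e "s/\(PmaAbsoluteUri_DisableWarning.][[:space:]]*=[[:space:]]*\)FALSE/\1TRUE/" \
        -e "s/\(PmaNoRelation_DisableWarning.][[:space:]]*=[[:space:]]*\)FALSE/\1TRUE/" \
        "$cfg" > "$tmp" &&
    mv -f "$tmp" "$cfg"
}

# Point DOCROOT/LINK at RELEASE (a directory name under DOCROOT). Refuses if LINK is a real
# directory rather than a symlink: that is the state where a leftover phpmyadmin/ tree, or
# a case-mismatched name on a case-sensitive filesystem, keeps serving the old version.
pma_switch_release() {
    local docroot="$1" link="$2" release="$3"
    [ -f "$docroot/$release/config.inc.php" ] || { echo "no config.inc.php in $release" >&2; return 1; }
    if [ -e "$docroot/$link" ] && [ ! -L "$docroot/$link" ]; then
        echo "$docroot/$link is a directory, not a symlink; move it aside first" >&2
        return 2
    fi
    pma_harden_config "$docroot/$release/config.inc.php" || return 3
    # -n (-h on BSD) replaces the symlink itself; without it, ln would create the new
    # link inside the directory the old symlink still points to.
    ln -sfn "$release" "$docroot/$link"
}

# Report what is actually served, from the filesystem rather than a possibly cached browser.
pma_installed_version() {
    local docroot="$1" link="$2" target
    target=$(readlink "$docroot/$link") || return 1
    case $target in /*) ;; *) target="$docroot/$target" ;; esac
    sed -n "s/.*define('PMA_VERSION', *'\([^']*\)').*/\1/p" "$target/libraries/defines.inc.php"
}

# Constructed stand-in for /var/www/html: an old release behind the symlink plus a freshly
# unpacked new one carrying the default config lines. Not a real phpMyAdmin tree.
pma_make_fixture() {
    local docroot="$1" old="$2" new="$3" v
    for v in "$old" "$new"; do
        mkdir -p "$docroot/phpMyAdmin-$v/libraries"
        printf "define('PMA_VERSION', '%s');\n" "$v" > "$docroot/phpMyAdmin-$v/libraries/defines.inc.php"
        cat > "$docroot/phpMyAdmin-$v/config.inc.php" <<'EOF'
$cfg['Servers'][$i]['auth_type']     = 'config';
$cfg['PmaAbsoluteUri_DisableWarning'] = FALSE;
$cfg['PmaNoRelation_DisableWarning']  = FALSE;
EOF
    done
    ln -s "phpMyAdmin-$old" "$docroot/phpMyAdmin"
}

# Demo against the fixture. Real use: pma_switch_release /var/www/html phpMyAdmin phpMyAdmin-2.6.1
demo=$(mktemp -d)
pma_make_fixture "$demo" 2.6.0-pl3 2.6.1
pma_switch_release "$demo" phpMyAdmin phpMyAdmin-2.6.1 && pma_installed_version "$demo" phpMyAdmin
rm -rf "$demo"
```

On a real host the old release directory is left in place by design, so a bad release is undone with a single `ln -sfn` back to it; the `rm -f phpMyAdmin` step in the posted scripts is replaced by the `-n` flag, which is what stops `ln` from descending into the old target.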
CrazyMouse
02-03-2005, 01:36 PM
Dennis,
Isn't the version 2.6.1 rather than 2.6.1-rc1?
DirectAdmin Support
02-04-2005, 01:01 AM
Hello,
FYI, if you get DA version 1.23.4, the phpMyAdmin.sh script will update for you:
cd /usr/local/directadmin/scripts
./phpMyAdmin.sh
There was also an error relating to the mbstring in php with this version of PMA.. so you can update php by updating your configure.php file and rebuilding php (just follow these directions ;)):
http://help.directadmin.com/item.php?id=26
And on yet another side note ;) when you update to php 4.3.10, it needs a new php.ini file, so remove /usr/local/lib/php.ini before doing the "./build all" and the new one included with php 4.3.10 will be installed by the build script. (You'll have to reinstall Zend if you use it.) The error shows up in SquirrelMail and PMA relating to an "illegal offset".
John
Dennis
02-04-2005, 01:40 AM
Hi,
Ok! tnx John!
Only, what is the bug in PMA? mbstring? When do you get it?
Maybe it is a request, but can you also make PHP appear in "System Information"? Like:
PHP 4.3.9 Running
Or maybe we can do it ourselves?
tnx in advance!
And CrazyMouse, you can put in anything you like as long as it is the right version. This was just an example, but you were right. ;)
Dennis
DirectAdmin Support
02-04-2005, 06:25 PM
Hello,
I'm not even sure what effect the mbstring error had.. something about multibyte characters. I just added the --enable-mbstring to the configure.php.
I'll look into adding php to the system info page.
If you wanted it now, it shouldn't be hard to add.. something like this in the skins:
|$/bin/sh
/usr/local/bin/php -v | head -n 1 | cut -d\  -f2
DONE|
John
Dennis
02-05-2005, 05:35 AM
Hi John,
tnx for the answer, but it is harder than I thought.
I looked in:
/usr/local/directadmin/data/skins/enhanced
for example and then:
admin/show_services.html
but there I only find some language I have never seen, so can you give me a hint which file, or I'll just wait for you to add it in services.
tnx!
Dennis
interfasys
02-05-2005, 08:30 AM
You may want to use : --enable-mbstring=all to make sure you get all the encoding that mbstring can manage.