phpMyAdmin "convcharset" Cross-Site Scripting Vulnerability

Input passed to the "convcharset" parameter in "index.php" isn't
properly sanitised before being returned to the user. This can be
exploited to execute arbitrary HTML and script code in a user's
browser session in context of a vulnerable site.

The vulnerability has been reported in versions prior to 2.6.2-rc1.

SOLUTION:
Update to version 2.6.2-rc1 or later.

Thank you, Chrysalis!

Thanks, installed!

Originally posted by plugin
Thanks, installed!

how did you install it?

hehehe it isnt that hard, i will made a tut for it in few minutes :)

First a note:

Your phpMyAdmin folder can be phpmyadmin or PHPMyAdmin, it is just like you have it on your server. You can execute 'ls -al' to see the phpmyadmin name in lightblue. I cant give support on how to find the current folder, its too simple!

The process:


# cd /var/www/html/
# wget http://mesh.dl.sourceforge.net/sourceforge/phpmyadmin/phpMyAdmin-2.6.2-rc1.tar.gz
# tar zxf phpMyAdmin-2.6.2-rc1.tar.gz
# cd phpMyAdmin-2.6.2-rc1
# pico config.inc.php (and edit it like you want, set the $cfg['PmaAbsoluteUri'] = 'http://www.myhost.com/phpMyAdmin/'; to the url where your phpmyadmin is located..

Maybe also put some lower HTTP authentication on with:
$cfg['Servers'][$i]['auth_type'] = 'http'; // Authentication method (config, http or cookie based)?

and leave the rest as it is. save and exit.
# cd ..
# rm -f phpMyAdmin (this is the symlink, can also have another name like lowercase characters!)
# ln -s /var/www/html/phpMyAdmin-2.6.2-rc1/ phpMyAdmin


Code and customises can vary, its just too simple to make a tutorial for. This is just some BASIC knowledge :)

It IS possible to delete the old folder on your server without any further problems just as the new .tar.gz file (only if the new version works!!).

Plugin

hmm, ok
i already have the symlink to 2.6.1 in var/www/html, but when i go to domain.com/phpMyAdmin i still see version 2.5.4


lrwxrwxrwx 1 root root 16 Mar 24 00:11 phpMyAdmin -> phpMyAdmin-2.6.1

the 2.5.4 is the version that came with original install:
i see lots of differences in the config.inc.php:
2.5.4:

*/
$cfg['PmaAbsoluteUri'] = (!empty($_SERVER['HTTPS']) ? 'https' : 'http') . '://'
. $_SERVER['HTTP_HOST']
// . (!empty($_SERVER['SERVER_PORT']) ? ':' . $_SERVER['SERVER_PORT'] : '')
. substr($_SERVER['PHP_SELF'], 0, strrpos($_SERVER['PHP_SELF'], '/')+1);



/**
* Disable the default warning about $cfg['PmaAbsoluteUri'] not being set
* You should use this if and ONLY if the PmaAbsoluteUri auto-detection
* works perfectly.
*/
$cfg['PmaAbsoluteUri_DisableWarning'] = FALSE;

/**
* Disable the default warning that is displayed on the DB Details Structure page if
* any of the required Tables for the relationfeatures could not be found
*/
$cfg['PmaNoRelation_DisableWarning'] = FALSE;





2.6.2

*/
$cfg['PmaAbsoluteUri'] = '';


/**
* Disable the default warning about $cfg['PmaAbsoluteUri'] not being set
* You should use this if and ONLY if the PmaAbsoluteUri auto-detection
* works perfectly.
*/
$cfg['PmaAbsoluteUri_DisableWarning'] = FALSE;

/**
* Disable the default warning that is displayed on the DB Details Structure page if
* any of the required Tables for the relationfeatures could not be found
*/
$cfg['PmaNoRelation_DisableWarning'] = FALSE;

Originally posted by sander815
hmm, ok
i already have the symlink to 2.6.1 in var/www/html, but when i go to domain.com/phpMyAdmin i still see version 2.5.4


lrwxrwxrwx 1 root root 16 Mar 24 00:11 phpMyAdmin -> phpMyAdmin-2.6.1


Thats what i told you to do, rm -f phpMyAdmin , so delete the symlink and remake it for the new folder. Refresh your browserpage, or restart the httpd service if it is still not working. Also make sure that in your /etc/httpd/conf/httpd.conf the /phpMyAdmin/ is not redirecting to your /phpMyAdmin-2.5.4/ folder but to the /phpMyAdmin/ symlink ;)


The differences are complete normal. Just use the new configuration file :)

Originally posted by plugin
Thats what i told you to do, rm -f phpMyAdmin , so delete the symlink and remake it for the new folder. Refresh your browserpage, or restart the httpd service if it is still not working. Also make sure that in your /etc/httpd/conf/httpd.conf the /phpMyAdmin/ is not redirecting to your /phpMyAdmin-2.5.4/ folder but to the /phpMyAdmin/ symlink ;)


The differences are complete normal. Just use the new configuration file :)

ok, error was in the httpd.conf file