Bug 951960 (CVE-2015-7873) - VUL-1: CVE-2015-7873 phpMyAdmin: Content spoofing on url.php (PMASA-2015-5)
Summary: VUL-1: CVE-2015-7873 phpMyAdmin: Content spoofing on url.php (PMASA-2015-5)
Status: RESOLVED FIXED
Alias: CVE-2015-7873
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other
OS: openSUSE 13.2
Importance: P5 - None : Minor
Target Milestone: ---
Assignee: Eric Schirra
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/158253/
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2015-10-26 09:20 UTC by Andreas Stieger
Modified: 2015-11-08 00:17 UTC
CC List: 5 users

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Andreas Stieger 2015-10-26 09:20:28 UTC
Announcement-ID: PMASA-2015-5
Date: 2015-10-23

Summary: Content spoofing vulnerability when redirecting user to an external site

Description: This vulnerability allows an attacker to perform a content spoofing attack using the phpMyAdmin's redirection mechanism to external sites.

Severity: We consider this vulnerability to be non critical since the spoofed content is escaped and no HTML injection is possible.

Affected Versions: Versions 4.4.x (prior to 4.4.15.1) and 4.5.x (prior to 4.5.1) are affected.

Solution: Upgrade to phpMyAdmin 4.4.15.1 or newer, or 4.5.1 or newer or apply patch listed below.
References

Thanks to Lalith Rallabhandi for reporting this vulnerability.

Assigned CVE ids: CVE-2015-7873

CWE ids: CWE-661 CWE-20

Patches
The following commits have been made on the 4.4 branch to fix this issue:
    2b31866fe0b30b867aaf5b5fedb11adb354e037f
The following commits have been made on the 4.5 branch to fix this issue:
    cd097656758f981f80fb9029c7d6b4294582b706

Affected packages:
server:php:applications/phpMyAdmin
openSUSE:13.1:Update/phpMyAdmin
Tumbleweed and Leap 42.1
all at 4.4.15, all affected.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1275108
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7873
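The advisory's point is that escaping alone does not stop this class of bug: a redirect interstitial that prints the requested target verbatim lets an attacker put arbitrary text (not markup) under the application's own page framing. The following PHP is an added illustration of that pattern and of one way to harden it; it is not phpMyAdmin's url.php and not the patch referenced above. The function names, the host allowlist and the sample input are all constructed for this example.

```php
<?php
// Added illustration of the vulnerability class, not phpMyAdmin code and not
// the PMASA-2015-5 patch. Function names, the allowlist and the sample input
// are all constructed for this example.
declare(strict_types=1);

/**
 * Vulnerable pattern: an interstitial that reflects the requested target.
 * Output is escaped, so there is no HTML injection, but every character of
 * the attacker-chosen URL is still rendered under the application's own
 * page chrome, which is exactly what content spoofing needs.
 */
function renderRedirectReflecting(string $url): string
{
    $safe = htmlspecialchars($url, ENT_QUOTES, 'UTF-8');
    return '<p>You are being redirected to: ' . $safe . '</p>'
        . '<p><a href="' . $safe . '">Continue</a></p>';
}

/**
 * Hardened pattern: parse the target, require http(s), require the host to be
 * on an allowlist, and render only the host. Path, query and fragment (the
 * parts an attacker fills with "messages") never reach the page text.
 * Returns null when the target is refused; the caller must then emit a fixed
 * error message rather than anything derived from the input.
 */
function renderRedirectHardened(string $url, array $allowedHosts): ?string
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    $scheme = strtolower($parts['scheme']);
    $host   = strtolower($parts['host']);
    if (!in_array($scheme, ['http', 'https'], true)
        || !in_array($host, $allowedHosts, true)
    ) {
        return null;
    }
    $hostText = htmlspecialchars($host, ENT_QUOTES, 'UTF-8');
    $href     = htmlspecialchars($url, ENT_QUOTES, 'UTF-8');
    return '<p>You are leaving this site for <strong>' . $hostText . '</strong>.</p>'
        . '<p><a href="' . $href . '" rel="noopener noreferrer">Continue</a></p>';
}

// Constructed attacker input: the path reads like a notice from the site.
$spoof = 'http://example.invalid/NOTICE: your account is locked. Call +1-555-0100 to unlock it';
$allowed = ['example.invalid'];   // constructed allowlist

echo renderRedirectReflecting($spoof), "\n";
// Victim sees the "NOTICE: your account is locked ..." text framed by the app.

echo renderRedirectHardened($spoof, $allowed) ?? '<p>Invalid redirect target.</p>', "\n";
// Only "example.invalid" is shown; the injected sentence is gone.

var_dump(renderRedirectHardened('javascript:alert(1)', $allowed));
// NULL: no host and a disallowed scheme, so nothing from the input is rendered.
```

Run it with `php example.php`. The design choice worth noting is that the hardened page never echoes the raw parameter as text at all, even escaped; it shows a value derived from validated structure (the host) and keeps the full URL only in the link target. That is what removes the spoofing surface, independent of any HTML escaping.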
Comment 1 Eric Schirra 2015-10-26 10:45:28 UTC
Fixed. Also request to Factory.
Comment 2 Andreas Stieger 2015-10-26 12:20:10 UTC
13.1, 13.2 and Leap are still affected.
Comment 3 Andreas Stieger 2015-10-26 12:21:33 UTC
Thanks for fixing the devel package and Factory/Tumbleweed.

Can you confirm if you are able to make a maintenance submission for the versions maintained in 13.1 and 13.2?
https://en.opensuse.org/openSUSE:Package_maintenance
Comment 4 Eric Schirra 2015-10-29 18:29:02 UTC
Okay. I have done maintenance submission to 13.1 and 13.2.
Also to Leap 42.1.
Hope it worked.
Comment 5 Bernhard Wiedemann 2015-10-29 19:00:12 UTC
This is an autogenerated message for OBS integration:
This bug (951960) was mentioned in
https://build.opensuse.org/request/show/341559 13.1 / phpMyAdmin
https://build.opensuse.org/request/show/341560 13.2 / phpMyAdmin
https://build.opensuse.org/request/show/341561 Leap:42.1 / phpMyAdmin
Comment 6 Swamp Workflow Management 2015-11-06 17:13:14 UTC
openSUSE-SU-2015:1929-1: An update that fixes one vulnerability is now available.

Category: security (low)
Bug References: 951960
CVE References: CVE-2015-7873
Sources used:
openSUSE 13.2 (src):    phpMyAdmin-4.4.15.1-17.1
openSUSE 13.1 (src):    phpMyAdmin-4.4.15.1-37.1
Comment 7 Swamp Workflow Management 2015-11-06 17:13:31 UTC
openSUSE-SU-2015:1930-1: An update that fixes one vulnerability is now available.

Category: security (low)
Bug References: 951960
CVE References: CVE-2015-7873
Sources used:
openSUSE Leap 42.1 (src):    phpMyAdmin-4.4.15.1-3.1
Comment 8 Eric Schirra 2015-11-08 00:16:43 UTC
Packages now in repos.
So I think I can close this bug.