
[Case 47031] phpMyAdmin security vulnerability

Discussion in 'Database Discussions' started by CoreISP.net, Feb 17, 2011.

  1. CoreISP.net

    CoreISP.net Active Member

    Joined:
    May 25, 2006
    Messages:
    43
    Likes Received:
    0
    Trophy Points:
    6
    cPanel Access Level:
    DataCenter Provider
    Hi there,

    Please read:
    phpMyAdmin - Security - PMASA-2011-2

    The cPanel installer, even when running the phpMyAdmin installer with the --force flag, appears to install 3.3.9.0, which appears to be vulnerable to this attack. 3.3.9.2 or higher has to be installed to fix it.

    When will cPanel update this? It is a critical bug, and I must say I find it strange cPanel has not yet implemented it, unless it does not apply to us due to the settings.
    Now I have to do it manually on all servers, which takes a lot of extra time rather than just running an update script that does the work.

    Thank you
     
    #1 CoreISP.net, Feb 17, 2011
    Last edited: Feb 17, 2011
  2. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    Joined:
    Oct 2, 2010
    Messages:
    7,623
    Likes Received:
    21
    Trophy Points:
    38
    Location:
    somewhere over the rainbow
    cPanel Access Level:
    Root Administrator
    Hello,

    We have an internal case #47031 opened about this issue, which is currently in Quality Assurance testing. Once it has passed testing, we will then push phpMyAdmin 3.3.9.2 into our builds and have it set to be backported into 11.28.

    Thanks.
     
  3. CoreISP.net

    Thank you for your response.

    Any idea what timeframe this will be in?
    After all, it *is* a critical vulnerability.

    Thanks
     
  4. cPanelTristan

    We are unable to provide an exact timeframe for any case due to the nature of development and quality assurance testing. This specific case is set to "Will Fix" status, which is one of the higher priorities we have for cases. At this point, it is actively being handled and in Quality Assurance for review as previously indicated.

    Please note that you are always welcome to check our changelog at Change Logs to track 11.28 for when case 47031 has been pushed into the existing builds.
     
  5. CoreISP.net

    Thank you for your response.

    In that case, I think it is best to manually update this to be sure the security issue is patched.
    Can't wait on cPanel and leave a risk in the open if it can be fixed instantly.
     
  6. cPanelTristan

    I did want to mention that I did add this forum thread to the case to indicate additional concern about the security issue.
     
  7. CoreISP.net

    Hello Tristan,

    Thank you for doing so. Hope it will speed up the process a bit.
    Got lots of servers to update :X
     
  8. cPanelDavidN

    cPanelDavidN Integration Developer
    Staff Member

    Joined:
    Dec 17, 2009
    Messages:
    571
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    Houston, TX
    cPanel Access Level:
    Root Administrator
    Hi all,

    I would expect our patched tarballs and patch scripts to be released soon. We're verifying that they are free from defect.

    If you feel the need to update your server's deployed PMA application, just make sure and use `patch` with the sources here:

    for 3x family: PMASA-2011-1 and PMASA-2011-2

    for 2x family: PMASA-2011-1 and PMASA-2011-2.

    If you completely deploy a new/whole copy of PMA from a tarred/zipped source, it will likely overwrite specific cPanel patches that we apply for integration. ...SO, just apply the security patches to the existing deployed application on your server (/usr/local/cpanel/base/3rdparty/phpMyAdmin) ;)
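
One way to follow the advice in the post above, added here as an example and not part of the original post or cPanel's own tooling: dry-run the advisory's patch against the deployed tree, snapshot the tree, then patch it in place so local integration changes survive. It assumes GNU `patch`; `apply_security_patch`, `BACKUP_ROOT` and `LAST_BACKUP` are hypothetical names, and the patch file is whichever one you downloaded from the advisory.

```shell
#!/bin/sh
# Added example: apply one security patch in place, keeping local changes.
# PMA_DIR is the path named in the post. BACKUP_ROOT is an assumed location,
# kept outside the served tree so the unpatched copy is not reachable over HTTP.
PMA_DIR="${PMA_DIR:-/usr/local/cpanel/base/3rdparty/phpMyAdmin}"
BACKUP_ROOT="${BACKUP_ROOT:-/root/pma-backups}"
LAST_BACKUP=""

# apply_security_patch PATCH_FILE [STRIP_LEVEL]
# Returns 0 = applied, 2 = already applied, 1 = refused (tree left untouched).
apply_security_patch() {
    patch_file=$1
    strip=${2:-1}
    [ -d "$PMA_DIR" ] && [ -r "$patch_file" ] || return 1

    # A patch that reverses cleanly is already present in the tree.
    if patch -d "$PMA_DIR" -p"$strip" -R -f -s --dry-run \
        < "$patch_file" >/dev/null 2>&1; then
        return 2
    fi

    # Dry run: refuse unless every hunk applies, so no half-patched files
    # or .rej leftovers end up in the live application.
    if ! patch -d "$PMA_DIR" -p"$strip" -N -f -s --dry-run \
        < "$patch_file" >/dev/null 2>&1; then
        return 1
    fi

    # Snapshot the current tree (including local integration changes).
    LAST_BACKUP="$BACKUP_ROOT/phpMyAdmin.$(date +%Y%m%d%H%M%S)"
    mkdir -p "$BACKUP_ROOT" && cp -Rp "$PMA_DIR" "$LAST_BACKUP" || return 1

    # Real run; only files named in the patch are modified.
    patch -d "$PMA_DIR" -p"$strip" -N -f -s < "$patch_file" >/dev/null || return 1
    return 0
}
```

Run it once per advisory patch and treat a return of 1 as a sign that the deployed files differ from what the patch expects, which needs a manual look rather than a forced apply.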
     
  9. cPanelDavidG

    cPanelDavidG Technical Product Specialist

    Joined:
    Nov 29, 2006
    Messages:
    11,279
    Likes Received:
    8
    Trophy Points:
    38
    Location:
    Houston, TX
    cPanel Access Level:
    Root Administrator
    Case 47031 has been addressed in version 11.28.85. To see if version 11.28.85 has reached your update tier, visit Downloads - cPanel Inc.
     