phpMyAdmin 4.7.4 SQL injection vulnerability

  • Hi,


    phpMyAdmin 4.7.4, which is part of my i-MSCP 1.5.3 installation, is affected by an SQL injection vulnerability (CVE-2020-5504).


    What is the upgrading policy or best-practice for 3rd-party apps like pma, ftp, and so on?


    Best regards, Sven.

You can manually update the packages. Some changes might break the installation, like MySQL 5 to 8 (at least some guys got issues with that).

    So I wouldn't recommend that unless you seriously need to. It's possible that Nuxwin will do something about it.

    But for that exploit to happen, you need a valid account.


It's located in:

    Code
    /var/www/imscp/gui/public/tools/pma

    and

    Code
    /etc/imscp/pma

    The second one should be the config only.


    If you want to do an update, backup the files first.

First of all, thank you for the info. I have now installed the latest version of phpMyAdmin, which is version 5.2; the installation has everything so far. The only thing I have so far is that when I log in, I still get the following message.


    A secret password for encryption must now be set in the configuration file (blowfish_secret).



    I have of course entered this from the old config but it is still showing up.

    I even enabled two-factor authentication with the keys.


(screenshot attached: phpmyadmin neu.png)

My system:



    - Distribution: Debian | Release: 9.8 | Codename: wheezy
    - i-MSCP Version: i-MSCP 1.5.3| Build: 20181208 | Codename: Ennio Morricone
    - Plugins installed: ClamAV (v. 1.2.1), Mailgraph (v 1.1.1), OpenDKIM (v 1.1.3), PanelRedirect (v 1.1.5) & SpamAssassin (v 1.1.1)
    - LetsEncrypt (v3.3.0), PhpSwitcher (v 4.0.1), RoundcubePlugins (v 2.0.1)
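One way to see what the live config actually hands phpMyAdmin, as an added example that is not part of the post above nor of i-MSCP or phpMyAdmin: the script extracts `$cfg['blowfish_secret']` from a `config.inc.php`, reports whether it is missing, empty or not 32 bytes long (phpMyAdmin 5.2 expects exactly 32 bytes; an empty value is what produces the "must now be set" message), and can generate a fresh one. The sample config files are constructed for the demo; the real file on an i-MSCP box is under /etc/imscp/pma per the earlier reply, and the exact filename there is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread, i-MSCP or phpMyAdmin): inspect the
# blowfish_secret a phpMyAdmin config.inc.php really provides, and make a
# new one. Sample configs in demo() are constructed; the real file on an
# i-MSCP box lives under /etc/imscp/pma (see the earlier reply).

# Print a fresh 32-character secret (24 random bytes, base64-encoded).
gen_blowfish_secret() {
    openssl rand -base64 24
}

# Print the value of $cfg['blowfish_secret'] from CONFIG (may be empty).
# Returns 1 if the directive is not present at all.
get_blowfish_secret() {
    line=$(grep -E "^\\\$cfg\[['\"]blowfish_secret['\"]\]" "$1" 2>/dev/null | tail -n 1)
    [ -n "$line" ] || return 1
    printf '%s\n' "$line" | sed -E "s/^[^=]*=[[:space:]]*['\"]([^'\"]*)['\"].*/\1/"
}

# Classify the secret: prints ok, missing, empty or bad-length:<n>.
# phpMyAdmin 5.2 wants exactly 32 bytes; an empty value is what triggers
# the "must now be set" message quoted in the post above.
check_blowfish_secret() {
    secret=$(get_blowfish_secret "$1") || { echo missing; return 1; }
    if [ -z "$secret" ]; then echo empty; return 1; fi
    n=$(printf '%s' "$secret" | wc -c | tr -d ' ')
    if [ "$n" -ne 32 ]; then echo "bad-length:$n"; return 1; fi
    echo ok
}

# Demo on constructed files so it runs offline. Real use (path assumed):
#   check_blowfish_secret /etc/imscp/pma/config.inc.php
#   gen_blowfish_secret    # paste the output into $cfg['blowfish_secret']
demo() {
    tmp=$(mktemp -d)
    printf '%s\n' '<?php' "\$cfg['blowfish_secret'] = '';" > "$tmp/empty.inc.php"
    printf '%s\n' '<?php' "\$cfg['blowfish_secret'] = 'tooshort';" > "$tmp/short.inc.php"
    printf '%s\n' '<?php' "\$cfg['blowfish_secret'] = 'abcdefghijklmnopqrstuvwxyz012345';" > "$tmp/ok.inc.php"
    printf '%s\n' '<?php' "\$cfg['PmaAbsoluteUri'] = '';" > "$tmp/none.inc.php"
    for f in "$tmp"/*.inc.php; do
        printf '%s: %s\n' "$(basename "$f")" "$(check_blowfish_secret "$f" || true)"
    done
    rm -rf "$tmp"
}
demo
```

If the check reports `ok` on the file you edited but the panel still shows the warning, phpMyAdmin is reading a different config file than the one you changed; compare the copy under the tool directory with the one under /etc/imscp/pma before touching anything else.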

Can anyone post some more details on how to update PMA & Roundcube?

    I can test whether it is just as easy with Roundcube.


This is what I did so far for updating phpMyAdmin:

    Maybe some stuff could be improved or might be wrong; I didn't check everything yet.



Edit: For Roundcube, there seems to be an update script available with the source (./bin/installto.sh /var/www/imscp/gui/public/tools/webmail/).

    I updated from the standard 1.2.5 to the latest stable 1.4.3 without trouble (connection still OK; maybe the same CHMOD trick has to be done too).

    Here is what I did for Roundcube (remember to do a backup first! including the database):


Edited 2 times, last by Athar.
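The backup-then-update procedure from this post (and the "backup the files first" advice in the earlier reply), as an added shell example; it is not Athar's own script nor part of i-MSCP or Roundcube. It tars a tool directory, dumps its database with mysqldump, runs Roundcube's own bin/installto.sh from the unpacked release against the installed copy, and lists files not owned by the expected user, which is what the CHMOD remark above is about. The webmail path is the one quoted in the post; the backup destination, the database name and the owner are placeholders, and the demo input is a constructed directory tree.

```shell
#!/bin/sh
# Added example (not from the thread, i-MSCP or Roundcube): back up an
# i-MSCP tool directory and its database, then run Roundcube's own
# bin/installto.sh. Backup location, DB name and owner are placeholders.

# Archive a tool directory (e.g. .../tools/webmail) into DEST_DIR.
# Prints the archive path.
backup_tool_dir() {
    src="$1"; dest="$2"
    mkdir -p "$dest"
    archive="$dest/$(basename "$src")-$(date +%Y%m%d-%H%M%S).tar.gz"
    tar -C "$(dirname "$src")" -czf "$archive" "$(basename "$src")"
    printf '%s\n' "$archive"
}

# Dump one database; mysqldump reads credentials from ~/.my.cnf.
# Prints the dump path.
backup_db() {
    db="$1"; dest="$2"
    mkdir -p "$dest"
    out="$dest/$db-$(date +%Y%m%d-%H%M%S).sql.gz"
    mysqldump --single-transaction "$db" | gzip > "$out"
    printf '%s\n' "$out"
}

# Run the installto.sh shipped in the unpacked new release against the
# installed copy. The script asks for confirmation, copies the program
# files and then runs the schema update; it is Roundcube's upgrade path.
update_roundcube() {
    release="$1"; target="$2"
    if [ ! -f "$release/bin/installto.sh" ]; then
        echo "no bin/installto.sh under $release" >&2; return 1
    fi
    if [ ! -d "$target/program" ]; then
        echo "$target does not look like a Roundcube install" >&2; return 1
    fi
    php "$release/bin/installto.sh" "$target"
}

# List files under DIR not owned by OWNER (name or uid). After copying
# files as root this is what breaks the web UI; chown whatever shows up.
list_foreign_owned() {
    find "$1" ! -user "$2" -print
}

# Demo on a constructed tree so it runs offline. Real use (placeholders
# in angle brackets are yours to fill in):
#   backup_tool_dir /var/www/imscp/gui/public/tools/webmail <backup-dir>
#   backup_db <roundcube-db-name> <backup-dir>
#   update_roundcube <unpacked-roundcubemail-1.4.3> /var/www/imscp/gui/public/tools/webmail
#   list_foreign_owned /var/www/imscp/gui/public/tools/webmail <panel-user>
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/webmail/config" "$tmp/webmail/program"
    printf '%s\n' '<?php' '$config["des_key"] = "constructed-sample";' \
        > "$tmp/webmail/config/config.inc.php"
    archive=$(backup_tool_dir "$tmp/webmail" "$tmp/backups")
    echo "backup: $archive"
    tar -tzf "$archive"
    echo "foreign-owned files: $(list_foreign_owned "$tmp/webmail" "$(id -u)" | wc -l | tr -d ' ')"
    rm -rf "$tmp"
}
demo
```

Take the database dump as well as the file archive: installto.sh updates the schema, so a file-only backup cannot roll you back to 1.2.5 cleanly.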

So I tested it as you described, and everything works fine except that I can no longer read emails and the calendar no longer works.


    Watch the video so you know what I mean.


    https://recordit.co/AxEojXRARa


    I installed roundcube normally for testing purposes and everything is running there.


Hmm, I just checked on my setup and:

    - I can read the mails without issue. I would guess this is due to some kind of permissions issue; check them.

    - I did not have the calendar; it might be a plugin you installed? In that case, maybe an update is required (and maybe some permissions to check, just in case).

    This is not the best place to troubleshoot those issues; we might continue in another thread or in private (and here is what I got when going to the "About" section).

    As for when you go to the "SPAM" section, this is probably due to having the "sauserprefs" plugin in an outdated version.


(screenshot attached: pasted-from-clipboard.png)


Edit: I'm going to guess that you use this: RoundcubePlugins 2.0.2 :)

    It adds some plugins to Roundcube which are probably not compatible anymore (I guess, I don't use it), so get a list of the plugins you have, and you'll have to set them up manually, until there is a "real big update" on all those tools and addons :)

    Remember, any i-MSCP update/upgrade/reinstall will remove those manual changes.