Koozali.org: home of the SME Server

[CONTRIB UPDATE] phpmyadmin-multiuser


Offline william_syd

« Reply #1 on: November 03, 2006, 11:55:03 AM »
Quote
Announcement-ID: PMASA-2006-6
Date: 2006-11-01

Summary:
XSS vulnerability

Description:
We received a security advisory from Stefan Esser (sesser@hardened-php.net) and we wish to thank him for his work.

It was possible to produce XSS via a special URL containing UTF-7 codes

Severity:
We consider this vulnerability to be serious.

Affected versions:
2.6.4 to 2.9.0.2.

Solution:
Upgrade to phpMyAdmin 2.9.0.3 or newer.

For further information and in case of questions, please contact the phpMyAdmin team. Our website is http://www.phpmyadmin.net/.
Regards,
William

IF I give advice.. It's only if it was me....





Offline sandoz

« Reply #6 on: November 23, 2006, 09:38:58 PM »
What's the difference with the non-multiuser phpmyadmin?

Offline william_syd

« Reply #7 on: November 23, 2006, 11:09:14 PM »
phpmyadmin is phpmyadmin.

The difference is the way it's set up to log you in.

Code:
$cfg['Servers'][$i]['auth_type'] string ['HTTP'|'cookie'|'config']
    Whether config or cookie or HTTP authentication should be used for this server.

        * 'config' authentication ($auth_type = 'config') is the plain old way: username and password are stored in config.inc.php.
        * 'cookie' authentication mode ($auth_type = 'cookie') as introduced in 2.2.3 allows you to log in as any valid MySQL user with the help of cookies. Username and password are stored in cookies during the session and password is deleted when it ends. This can also allow you to log in in arbitrary server if $cfg['AllowArbitraryServer'] enabled.
        * 'HTTP' authentication (was called 'advanced' in older versions) ($auth_type = 'HTTP') as introduced in 1.3.0 allows you to log in as any valid MySQL user via HTTP-Auth.
        * 'signon' authentication mode ($auth_type = 'signon') as introduced in 2.10.0 allows you to log in from prepared PHP session data. This is useful for implementing single signon from another application. Sample way how to seed session is in signon example: scripts/signon.php. You need to configure session name and signon URL to use this authentication method.

    Please see the install section on "Using authentication modes" for more information.
Regards,
William

IF I give advice.. It's only if it was me....
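
An added example, not from the thread or the contrib's own files: a shell check that reads a config.inc.php and reports which of the login modes quoted above is in effect and what that implies. `$cfg['blowfish_secret']` (the passphrase phpMyAdmin uses to encrypt the cookie-mode password) and the `password` key are phpMyAdmin settings not named in the post; the function names and both sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag risky login settings in a phpMyAdmin config.inc.php.

# Print the last value assigned to the literal left-hand side $2 in file $1.
# Whitespace is stripped before matching, so use the result for comparisons only.
pma_value() {
    tr -d ' \t\r' < "$1" | grep -Ev '^(//|#|/\*|\*)' | grep -F -- "$2=" |
        tail -n 1 | sed "s/^[^=]*='\{0,1\}\([^';]*\).*/\1/"
}
pma_server_value() { pma_value "$1" "\$cfg['Servers'][\$i]['$2']"; }

# Echo one finding per line; no output means nothing was flagged.
pma_audit() {
    auth=$(pma_server_value "$1" auth_type | tr 'A-Z' 'a-z')
    pass=$(pma_server_value "$1" password)
    secret=$(pma_value "$1" "\$cfg['blowfish_secret']")
    arb=$(pma_value "$1" "\$cfg['AllowArbitraryServer']" | tr 'A-Z' 'a-z')
    if [ -z "$auth" ]; then echo "auth_type is not set explicitly"; fi
    if [ "$auth" = config ] && [ -n "$pass" ]; then
        echo "config mode: MySQL password stored in the file, no login prompt"
    fi
    if [ "$auth" = cookie ] && [ -z "$secret" ]; then
        echo "cookie mode: blowfish_secret is empty"
    fi
    if [ "$arb" = true ] || [ "$arb" = 1 ]; then
        echo "AllowArbitraryServer is enabled: logins may target any server"
    fi
    return 0
}

# Constructed sample files (not taken from the thread or the contrib).
sample_config_mode() { cat <<'EOF'
<?php
$cfg['Servers'][$i]['auth_type'] = 'config';
$cfg['Servers'][$i]['user']      = 'root';
$cfg['Servers'][$i]['password']  = 'example-only';
$cfg['AllowArbitraryServer']     = TRUE;
EOF
}
sample_cookie_mode() { cat <<'EOF'
<?php
$cfg['blowfish_secret']          = 'constructed-passphrase';
$cfg['Servers'][$i]['auth_type'] = 'cookie';
EOF
}

tmp=$(mktemp)
sample_config_mode > "$tmp"; echo "config-mode sample:"; pma_audit "$tmp"
sample_cookie_mode > "$tmp"; echo "cookie-mode sample:"; pma_audit "$tmp"
rm -f "$tmp"
```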

Offline sandoz

« Reply #8 on: November 24, 2006, 03:42:46 PM »
I must be stupid, but I am not able to change the admin password.

When I use the change password field, the password is not changed at all.

When I add a 2nd admin and try to delete the first, I get
SQL-query:
DROP USER 'admin'@ 'localhost';
#1268 - Can't drop one or more of the requested users

Offline MasterSleepy

« Reply #9 on: November 24, 2006, 09:10:57 PM »
Hello,

Try the following command as root at command line:
Code:
mysql --execute="grant all privileges on *.* to admin@localhost identified by 'admin' WITH GRANT OPTION"
mysql --execute="flush privileges"

After that command, admin password should be 'admin'.


Regards.
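
A variant of the command above, added here as an example and not part of the original post: it issues the same GRANT but with a generated password, and passes the statement to `mysql` on stdin instead of in `--execute`. The function names and the `--apply` switch are hypothetical; it assumes, as the post does, that root can run `mysql` without further options.

```shell
#!/bin/sh
# Added example: the GRANT from the post above, with a generated password.

# 128 random bits from /dev/urandom as 32 hex characters.
gen_password() { od -An -N16 -tx1 /dev/urandom | tr -d ' \n'; }

# Print the SQL for user $1 at host $2 with password $3.
# Values containing a quote or backslash are rejected rather than escaped.
grant_sql() {
    for v in "$1" "$2" "$3"; do
        case $v in
            ''|*"'"*|*\\*) echo "grant_sql: unsafe or empty value" >&2; return 1 ;;
        esac
    done
    printf "GRANT ALL PRIVILEGES ON *.* TO '%s'@'%s' IDENTIFIED BY '%s' WITH GRANT OPTION;\n" "$1" "$2" "$3"
    printf 'FLUSH PRIVILEGES;\n'
}

# Run as root on the server, as in the post. The statement goes to mysql on
# stdin, so the password never appears in the process list or shell history.
reset_admin_password() {
    pw=$(gen_password) || return 1
    grant_sql admin localhost "$pw" | mysql || return 1
    printf 'New password for admin@localhost: %s\n' "$pw"
}

# Without --apply, only show the statement with a placeholder password.
if [ "${1:-}" = "--apply" ]; then
    reset_admin_password
else
    grant_sql admin localhost 'GENERATED-PASSWORD-HERE'
fi
```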

Offline Teviot

« Reply #10 on: November 27, 2006, 01:36:07 AM »
I have just installed this version on SME 7.  I noticed at the bottom the following message.

Code:
You have enabled mbstring.func_overload in your PHP configuration. This option is incompatible with phpMyAdmin and might cause some data to be corrupted!

Is this easy to fix and how would I go about it?
Regards
M0GLJ
......................................................
I am new to SAIL SME Server v8b6 and have been using SME for many years.
I have already done some research and only ask questions if I still can't work it out.

Offline william_syd

« Reply #11 on: November 27, 2006, 02:03:29 AM »
I wouldn't think this contrib is responsible for that.

Look in /etc/php.ini

If it's in there, find out how it got there

/etc/e-smith/templates/etc/php.ini

or

/etc/e-smith/templates-custom/etc/php.ini

and why.

You may also find it in /etc/httpd/conf/httpd.conf but according to the php manual
Quote
Note:  It is not recommended to use the function overloading option in the per-directory context, because it's not confirmed yet to be stable enough in a production environment and may lead to undefined behaviour.
Regards,
William

IF I give advice.. It's only if it was me....

Offline Teviot

« Reply #12 on: November 27, 2006, 02:32:11 AM »
Would it be best just to leave it for the moment?
Regards
M0GLJ
......................................................
I am new to SAIL SME Server v8b6 and have been using SME for many years.
I have already done some research and only ask questions if I still can't work it out.

Offline MasterSleepy

« Reply #13 on: November 27, 2006, 05:03:56 AM »
Hello,

You can also edit file
/etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/86PhpmyadminmultiAlias
and add the line
Code:
php_admin_value mbstring.func_overload 0
at the last section.

Regards.

Offline william_syd

« Reply #14 on: January 10, 2007, 05:13:34 AM »
Quote from: "MasterSleepy"
Hello,

You can also edit file
/etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/86PhpmyadminmultiAlias
and add the line
Code:
php_admin_value mbstring.func_overload 0
at the last section.

Regards.


Hello MasterSleepy,

You might have to change the location of your template.
http://forums.contribs.org/index.php?topic=35156.0

Check with
Code:
/sbin/e-smith/audittools/templates
Regards,
William

IF I give advice.. It's only if it was me....