Document the latest batch of phpMyAdmin security advisories. All 14 of them.
Matthew Seaman 2016-11-25 08:16:36 +00:00
parent e0c3427c56
commit 051280a7cc
Notes: svn2git 2021-03-31 03:12:20 +00:00
svn path=/head/; revision=427083

@ -58,6 +58,238 @@ Notes:
* Do not forget port variants (linux-f10-libxml2, libxml2, etc.)
-->
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
<vuln vid="6fe72178-b2e3-11e6-8b2a-6805ca0b3d42">
<topic>phpMyAdmin -- multiple vulnerabilities</topic>
<affects>
<package>
<name>phpMyAdmin</name>
<range><ge>4.6.0</ge><lt>4.6.5</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The phpMYAdmin development team reports:</p>
<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-57/">
<h3>Summary</h3>
<p>Open redirection</p>
<h3>Description</h3>
<p>A vulnerability was discovered where a user can be
tricked in to following a link leading to phpMyAdmin,
which after authentication redirects to another
malicious site.</p>
<p>The attacker must sniff the user's valid phpMyAdmin
token.</p>
<h3>Severity</h3>
<p>We consider this vulnerability to be of moderate
severity.</p>
</blockquote>
<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-58/">
<h3>Summary</h3>
<p>Unsafe generation of blowfish secret</p>
<h3>Description</h3>
<p>When the user does not specify a blowfish_secret key
for encrypting cookies, phpMyAdmin generates one at
runtime. A vulnerability was reported where the way this
value is created using a weak algorithm.</p>
<p>This could allow an attacker to determine the user's
blowfish_secret and potentially decrypt their
cookies.</p>
<h3>Severity</h3>
<p>We consider this vulnerability to be of moderate
severity.</p>
<h3>Mitigation factor</h3>
<p>This vulnerability only affects cookie
authentication and only when a user has not
defined a $cfg['blowfish_secret'] in
their config.inc.php</p>
</blockquote>
<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-59/">
<h3>Summary</h3>
<p>phpinfo information leak value of sensitive
(HttpOnly) cookies</p>
<h3>Description</h3>
<p>phpinfo (phpinfo.php) shows PHP information
including values of HttpOnly cookies.</p>
<h3>Severity</h3>
<p>We consider this vulnerability to be
non-critical.</p>
<h3>Mitigation factor</h3>
<p>phpinfo in disabled by default and needs
to be enabled explicitly.</p>
</blockquote>
<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-60/">
<h3>Summary</h3>
<p>Username deny rules bypass (AllowRoot &amp; Others)
by using Null Byte</p>
<h3>Description</h3>
<p>It is possible to bypass AllowRoot restriction
($cfg['Servers'][$i]['AllowRoot']) and deny rules
for username by using Null Byte in the username.</p>
<h3>Severity</h3>
<p>We consider this vulnerability to be
severe.</p>
</blockquote>
<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-61/">
<h3>Summary</h3>
<p>Username rule matching issues</p>
<h3>Description</h3>
<p>A vulnerability in username matching for the
allow/deny rules may result in wrong matches and
detection of the username in the rule due to
non-constant execution time.</p>
<h3>Severity</h3>
<p>We consider this vulnerability to be severe.</p>
</blockquote>
<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-62/">
<h3>Summary</h3>
<p>Bypass logout timeout</p>
<h3>Description</h3>
<p>With a crafted request parameter value it is possible
to bypass the logout timeout.</p>
<h3>Severity</h3>
<p>We consider this vulnerability to be of moderate
severity.</p>
</blockquote>
<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-63/">
<h3>Summary</h3>
<p>Multiple full path disclosure vulnerabilities</p>
<h3>Description</h3>
<p>By calling some scripts that are part of phpMyAdmin in an
unexpected way, it is possible to trigger phpMyAdmin to
display a PHP error message which contains the full path of
the directory where phpMyAdmin is installed. During an
execution timeout in the export functionality, the errors
containing the full path of the directory of phpMyAdmin is
written to the export file.</p>
<h3>Severity</h3>
<p>We consider these vulnerability to be
non-critical.</p>
</blockquote>
<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-64/">
<h3>Summary</h3>
<p>Multiple XSS vulnerabilities</p>
<h3>Description</h3>
<p>Several XSS vulnerabilities have been reported, including
an improper fix for <a href="https://www.phpmyadmin.net/security/PMASA-2016-10/">PMASA-2016-10</a> and a weakness in a regular expression
using in some JavaScript processing.</p>
<h3>Severity</h3>
<p>We consider this vulnerability to be
non-critical.</p>
</blockquote>
<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-65/">
<h3>Summary</h3>
<p>Multiple DOS vulnerabilities</p>
<h3>Description</h3>
<p>With a crafted request parameter value it is possible
to initiate a denial of service attack in saved searches
feature.</p>
<p>With a crafted request parameter value it is possible
to initiate a denial of service attack in import
feature.</p>
<p>An unauthenticated user can execute a denial of
service attack when phpMyAdmin is running with
<code>$cfg['AllowArbitraryServer']=true;</code>.</p>
<h3>Severity</h3>
<p>We consider these vulnerabilities to be of
moderate severity.</p>
</blockquote>
<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-66/">
<h3>Summary</h3>
<p>Bypass white-list protection for URL redirection</p>
<h3>Description</h3>
<p>Due to the limitation in URL matching, it was
possible to bypass the URL white-list protection.</p>
<h3>Severity</h3>
<p>We consider this vulnerability to be of moderate
severity.</p>
</blockquote>
<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-67/">
<h3>Summary</h3>
<p>BBCode injection vulnerability</p>
<h3>Description</h3>
<p>With a crafted login request it is possible to inject
BBCode in the login page.</p>
<h3>Severity</h3>
<p>We consider this vulnerability to be severe.</p>
<h3>Mitigation factor</h3>
<p>This exploit requires phpMyAdmin to be configured
with the "cookie" auth_type; other
authentication methods are not affected.</p>
</blockquote>
<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-68/">
<h3>Summary</h3>
<p>DOS vulnerability in table partitioning</p>
<h3>Description</h3>
<p>With a very large request to table partitioning
function, it is possible to invoke a Denial of Service
(DOS) attack.</p>
<h3>Severity</h3>
<p>We consider this vulnerability to be of moderate
severity.</p>
</blockquote>
<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-69/">
<h3>Summary</h3>
<p>Multiple SQL injection vulnerabilities</p>
<h3>Description</h3>
<p>With a crafted username or a table name, it was possible
to inject SQL statements in the tracking functionality that
would run with the privileges of the control user. This
gives read and write access to the tables of the
configuration storage database, and if the control user has
the necessary privileges, read access to some tables of the
mysql database.</p>
<h3>Severity</h3>
<p>We consider these vulnerabilities to be serious.</p>
</blockquote>
<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-70/">
<h3>Summary</h3>
<p>Incorrect serialized string parsing</p>
<h3>Description</h3>
<p>Due to a bug in serialized string parsing, it was
possible to bypass the protection offered by
PMA_safeUnserialize() function.</p>
<h3>Severity</h3>
<p>We consider this vulnerability to be severe.</p>
</blockquote>
<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-71/">
<h3>Summary</h3>
<p>CSRF token not stripped from the URL</p>
<h3>Description</h3>
<p>When the <code>arg_separator</code> is different from its
default value of <code>&amp;</code>, the token was not
properly stripped from the return URL of the preference
import action.</p>
<h3>Severity</h3>
<p>We have not yet determined a severity for this issue.</p>
</blockquote>
</body>
</description>
<references>
<url>https://www.phpmyadmin.net/security/PMASA-2016-57/</url>
<url>https://www.phpmyadmin.net/security/PMASA-2016-58/</url>
<url>https://www.phpmyadmin.net/security/PMASA-2016-59/</url>
<url>https://www.phpmyadmin.net/security/PMASA-2016-60/</url>
<url>https://www.phpmyadmin.net/security/PMASA-2016-61/</url>
<url>https://www.phpmyadmin.net/security/PMASA-2016-62/</url>
<url>https://www.phpmyadmin.net/security/PMASA-2016-63/</url>
<url>https://www.phpmyadmin.net/security/PMASA-2016-64/</url>
<url>https://www.phpmyadmin.net/security/PMASA-2016-65/</url>
<url>https://www.phpmyadmin.net/security/PMASA-2016-66/</url>
<url>https://www.phpmyadmin.net/security/PMASA-2016-67/</url>
<url>https://www.phpmyadmin.net/security/PMASA-2016-68/</url>
<url>https://www.phpmyadmin.net/security/PMASA-2016-69/</url>
<url>https://www.phpmyadmin.net/security/PMASA-2016-70/</url>
<url>https://www.phpmyadmin.net/security/PMASA-2016-71/</url>
<cvename>CVE-2016-6632</cvename>
<cvename>CVE-2016-6633</cvename>
<cvename>CVE-2016-4412</cvename>
</references>
<dates>
<discovery>2016-11-25</discovery>
<entry>2016-11-25</entry>
</dates>
</vuln>
<vuln vid="dc596a17-7a9e-11e6-b034-f0def167eeea">
<topic>Remote-Code-Execution vulnerability in mysql and its variants CVE 2016-6662</topic>
<affects>
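Review bot: The `<references>` block of the new phpMyAdmin entry lists fifteen `<url>` elements (PMASA-2016-57 through PMASA-2016-71, matching the fifteen quoted `<blockquote>` sections) but only three `<cvename>` elements; please confirm that each of those three CVE ids belongs to one of the advisories quoted here, and add the remaining ids once they are assigned. The single `<range><ge>4.6.0</ge><lt>4.6.5</lt></range>` covers only the 4.6 branch, so if the upstream advisories name other affected branches they need their own ranges or package entries. `<discovery>` carries the same date as `<entry>`; it should be the date upstream published the advisories if that differs. Minor: the attribution paragraph at the top of `<body>` spells the project "phpMYAdmin" while `<topic>` and `<name>` use "phpMyAdmin".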