From 051280a7cc6e4d8c4137d6f8911e5b3a80715331 Mon Sep 17 00:00:00 2001 From: Matthew Seaman Date: Fri, 25 Nov 2016 08:16:36 +0000 Subject: [PATCH] Document the latest batch of phpMyAdmin security advisories. All 14 of them. --- security/vuxml/vuln.xml | 232 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 232 insertions(+) diff --git a/security/vuxml/vuln.xml b/security/vuxml/vuln.xml index 9c418d69654b..681511bd8011 100644 --- a/security/vuxml/vuln.xml +++ b/security/vuxml/vuln.xml @@ -58,6 +58,238 @@ Notes: * Do not forget port variants (linux-f10-libxml2, libxml2, etc.) --> + + phpMyAdmin -- multiple vulnerabilities + + + phpMyAdmin + 4.6.04.6.5 + + + + +

The phpMYAdmin development team reports:

+
+

Summary

+

Open redirection

+

Description

+

A vulnerability was discovered where a user can be + tricked in to following a link leading to phpMyAdmin, + which after authentication redirects to another + malicious site.

+

The attacker must sniff the user's valid phpMyAdmin + token.

+

Severity

+

We consider this vulnerability to be of moderate + severity.

+
+
+

Summary

+

Unsafe generation of blowfish secret

+

Description

+

When the user does not specify a blowfish_secret key + for encrypting cookies, phpMyAdmin generates one at + runtime. A vulnerability was reported where the way this + value is created using a weak algorithm.

+

This could allow an attacker to determine the user's + blowfish_secret and potentially decrypt their + cookies.

+

Severity

+

We consider this vulnerability to be of moderate + severity.

+

Mitigation factor

+

This vulnerability only affects cookie + authentication and only when a user has not + defined a $cfg['blowfish_secret'] in + their config.inc.php

+
+
+

Summary

+

phpinfo information leak value of sensitive + (HttpOnly) cookies

+

Description

+

phpinfo (phpinfo.php) shows PHP information + including values of HttpOnly cookies.

+

Severity

+

We consider this vulnerability to be + non-critical.

+

Mitigation factor

+

phpinfo in disabled by default and needs + to be enabled explicitly.

+
+
+

Summary

+

Username deny rules bypass (AllowRoot & Others) + by using Null Byte

+

Description

+

It is possible to bypass AllowRoot restriction + ($cfg['Servers'][$i]['AllowRoot']) and deny rules + for username by using Null Byte in the username.

+

Severity

+

We consider this vulnerability to be + severe.

+
+
+

Summary

+

Username rule matching issues

+

Description

+

A vulnerability in username matching for the + allow/deny rules may result in wrong matches and + detection of the username in the rule due to + non-constant execution time.

+

Severity

+

We consider this vulnerability to be severe.

+
+
+

Summary

+

Bypass logout timeout

+

Description

+

With a crafted request parameter value it is possible + to bypass the logout timeout.

+

Severity

+

We consider this vulnerability to be of moderate + severity.

+
+
+

Summary

+

Multiple full path disclosure vulnerabilities

+

Description

+

By calling some scripts that are part of phpMyAdmin in an + unexpected way, it is possible to trigger phpMyAdmin to + display a PHP error message which contains the full path of + the directory where phpMyAdmin is installed. During an + execution timeout in the export functionality, the errors + containing the full path of the directory of phpMyAdmin is + written to the export file.

+

Severity

+

We consider these vulnerability to be + non-critical.

+
+
+

Summary

+

Multiple XSS vulnerabilities

+

Description

+

Several XSS vulnerabilities have been reported, including + an improper fix for PMASA-2016-10 and a weakness in a regular expression + using in some JavaScript processing.

+

Severity

+

We consider this vulnerability to be + non-critical.

+
+
+

Summary

+

Multiple DOS vulnerabilities

+

Description

+

With a crafted request parameter value it is possible + to initiate a denial of service attack in saved searches + feature.

+

With a crafted request parameter value it is possible + to initiate a denial of service attack in import + feature.

+

An unauthenticated user can execute a denial of + service attack when phpMyAdmin is running with + $cfg['AllowArbitraryServer']=true;.

+

Severity

+

We consider these vulnerabilities to be of + moderate severity.

+
+
+

Summary

+

Bypass white-list protection for URL redirection

+

Description

+

Due to the limitation in URL matching, it was + possible to bypass the URL white-list protection.

+

Severity

+

We consider this vulnerability to be of moderate + severity.

+
+
+

Summary

+

BBCode injection vulnerability

+

Description

+

With a crafted login request it is possible to inject + BBCode in the login page.

+

Severity

+

We consider this vulnerability to be severe.

+

Mitigation factor

+

This exploit requires phpMyAdmin to be configured + with the "cookie" auth_type; other + authentication methods are not affected.

+
+
+

Summary

+

DOS vulnerability in table partitioning

+

Description

+

With a very large request to table partitioning + function, it is possible to invoke a Denial of Service + (DOS) attack.

+

Severity

+

We consider this vulnerability to be of moderate + severity.

+
+
+

Summary

+

Multiple SQL injection vulnerabilities

+

Description

+

With a crafted username or a table name, it was possible + to inject SQL statements in the tracking functionality that + would run with the privileges of the control user. This + gives read and write access to the tables of the + configuration storage database, and if the control user has + the necessary privileges, read access to some tables of the + mysql database.

+

Severity

+

We consider these vulnerabilities to be serious.

+
+
+

Summary

+

Incorrect serialized string parsing

+

Description

+

Due to a bug in serialized string parsing, it was + possible to bypass the protection offered by + PMA_safeUnserialize() function.

+

Severity

+

We consider this vulnerability to be severe.

+
+
+

Summary

+

CSRF token not stripped from the URL

+

Description

+

When the arg_separator is different from its + default value of &, the token was not + properly stripped from the return URL of the preference + import action.

+

Severity

+

We have not yet determined a severity for this issue.

+
+ +
+ + https://www.phpmyadmin.net/security/PMASA-2016-57/ + https://www.phpmyadmin.net/security/PMASA-2016-58/ + https://www.phpmyadmin.net/security/PMASA-2016-59/ + https://www.phpmyadmin.net/security/PMASA-2016-60/ + https://www.phpmyadmin.net/security/PMASA-2016-61/ + https://www.phpmyadmin.net/security/PMASA-2016-62/ + https://www.phpmyadmin.net/security/PMASA-2016-63/ + https://www.phpmyadmin.net/security/PMASA-2016-64/ + https://www.phpmyadmin.net/security/PMASA-2016-65/ + https://www.phpmyadmin.net/security/PMASA-2016-66/ + https://www.phpmyadmin.net/security/PMASA-2016-67/ + https://www.phpmyadmin.net/security/PMASA-2016-68/ + https://www.phpmyadmin.net/security/PMASA-2016-69/ + https://www.phpmyadmin.net/security/PMASA-2016-70/ + https://www.phpmyadmin.net/security/PMASA-2016-71/ + CVE-2016-6632 + CVE-2016-6633 + CVE-2016-4412 + + + 2016-11-25 + 2016-11-25 + +
+ Remote-Code-Execution vulnerability in mysql and its variants CVE 2016-6662
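Review bot: the commit message says "All 14 of them", but this hunk references fifteen advisories (PMASA-2016-57 through PMASA-2016-71) and carries fifteen Summary/Description sections, so either the message or the reference list is off by one; confirm the count before pushing. Two smaller points in the same hunk: the attribution line "The phpMYAdmin development team reports:" is the entry's own wording rather than quoted advisory text, so "phpMYAdmin" can be corrected to "phpMyAdmin" without diverging from upstream (typos inside the quoted blocks, such as "phpinfo in disabled by default" and "We consider these vulnerability to be", are faithful copies and may stay), and the affected range reads here as "4.6.04.6.5", apparently 4.6.0 to 4.6.5 in vuxml's ge/lt form, so double-check that the 4.6.0 lower bound holds for all fifteen advisories and not only the most recent ones. Only three CVE identifiers (CVE-2016-6632, CVE-2016-6633, CVE-2016-4412) are listed against fifteen advisories; if the remaining advisories have CVE assignments, add them so the entry is found on CVE lookups, and if they do not, a brief mention in the commit message would save the next reader the same question.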