Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2013.1025
A number of vulnerabilities have been identified in phpMyAdmin
29 July 2013
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: phpMyAdmin
Publisher: phpMyAdmin
Operating System: UNIX variants (UNIX, Linux, OSX)
Windows
Impact/Access: Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Increased Privileges -- Existing Account
Cross-site Scripting -- Remote with User Interaction
Access Confidential Data -- Remote/Unauthenticated
Resolution: Patch/Upgrade
Original Bulletin:
http://www.phpmyadmin.net/home_page/security/PMASA-2013-8.php
http://www.phpmyadmin.net/home_page/security/PMASA-2013-9.php
http://www.phpmyadmin.net/home_page/security/PMASA-2013-11.php
http://www.phpmyadmin.net/home_page/security/PMASA-2013-12.php
http://www.phpmyadmin.net/home_page/security/PMASA-2013-13.php
http://www.phpmyadmin.net/home_page/security/PMASA-2013-14.php
http://www.phpmyadmin.net/home_page/security/PMASA-2013-15.php
Comment: This bulletin contains seven (7) phpMyAdmin security advisories.
- --------------------------BEGIN INCLUDED TEXT--------------------
PMASA-2013-8
Announcement-ID: PMASA-2013-8
Date: 2013-07-28
Summary
XSS due to unescaped HTML Output when executing a SQL query.
Description
Using a crafted SQL query, it was possible to produce an XSS on the SQL query
form.
Severity
We consider these vulnerabilities to be non critical.
Mitigation factor
This vulnerability can be triggered only by someone who logged in to phpMyAdmin,
as the usual token protection prevents non-logged-in users from accessing the
required form.
Affected Versions
Versions 3.5.x (prior to 3.5.8.2) and 4.0.x (prior to 4.0.4.2) are affected.
Solution
Upgrade to phpMyAdmin 3.5.8.2 or 4.0.4.2 or newer or apply the patches listed
below.
References
Thanks to Michal Bentkowski for reporting this issue.
CWE ids: CWE-661 CWE-79
Patches
The following commits have been made to fix this issue:
56e9ede5223219cef2187ced385924ef2e0ae21d
The following commits have been made on the 3.5 branch to fix this issue:
51f343b91908d1b1bacaebe6db87c3d7aa522581
More information
For further information and in case of questions, please contact the phpMyAdmin
team. Our website is phpmyadmin.net.
- ------------------------------------------------------------------------------
PMASA-2013-9
Announcement-ID: PMASA-2013-9
Date: 2013-07-28
Summary
5 XSS vulnerabilities in setup, chart display, process list, and logo link.
Description
In the setup/index.php, using a crafted # hash with a Javascript event,
untrusted JS code could be executed.
In the Display chart view, a chart title containing HTML code was rendered
unescaped, leading to possible JavaScript code execution via events.
A malicious user with permission to create databases or users having HTML
tags in their name, could trigger an XSS vulnerability by issuing a sleep
query with a long delay. In the server status monitor, the query parameters
were shown unescaped.
By configuring a malicious URL for the phpMyAdmin logo link in the
navigation sidebar, untrusted script code could be executed when a user
clicked the logo.
The setup field for "List of trusted proxies for IP allow/deny" Ajax
validation code returned the unescaped input on errors, leading to possible
JavaScript execution by entering arbitrary HTML.
Severity
We consider these vulnerabilities to be non critical.
Mitigation factor
The stored XSS vulnerabilities can be triggered only by someone who logged in
to phpMyAdmin, as the usual token protection prevents non-logged-in users from
accessing the required forms. The setup vulnerabilities can only be triggered
when a crafted value is entered by the user.
Affected Versions
Versions 3.5.x (prior to 3.5.8.2) and 4.0.x (prior to 4.0.4.2) are affected.
Solution
Upgrade to phpMyAdmin 3.5.8.2 or 4.0.4.2 or newer or apply the patches listed
below.
References
Thanks to Emanuel Bronshtein for reporting these issues.
CWE ids: CWE-661 CWE-79 CWE-80
Patches
The following commits have been made to fix this issue:
2005c4b7c15afa61a41e1087464fe12645f535e1
d096a0fc46ef4708f3f4a440a8aba40163e3b72a
e0d8568ac681073b09f10ad1c4d801df36290036
The following commits have been made on the 3.5 branch to fix this issue:
299c481a58386a846884720d90682ad4079edf3a
7f9d762e89157144fbcc01167a3141e39ac25da1
6f003b0ccb1293e5ff5be41bd25582485f480743
7c58ed002f570c3793df0a77a625d3177ee9a12e
845dae144f4ed665a14bf4912046d5d3d220ef96
More information
For further information and in case of questions, please contact the phpMyAdmin
team. Our website is phpmyadmin.net.
- ------------------------------------------------------------------------------
PMASA-2013-11
Announcement-ID: PMASA-2013-11
Date: 2013-07-28
Summary
If a crafted version.json would be presented, an XSS could be introduced.
Description
Due to not properly validating the version.json file, which is fetched from
the phpMyAdmin.net website, could lead to an XSS attack, if a crafted
version.json file would be presented.
Severity
We consider this vulnerability serious.
Mitigation factor
This vulnerability can only be exploited with a combination of complicated
techniques and tricking the user to visit a page.
Affected Versions
Versions 3.5.x (prior to 3.5.8.2) and 4.0.x (prior to 4.0.4.2) are affected.
Solution
Upgrade to phpMyAdmin 3.5.8.2 or 4.0.4.2 or newer or apply the patches listed
below.
References
Thanks to Emanuel Bronshtein for reporting these issues.
CWE ids: CWE-300 CWE-79
Patches
The following commits have been made to fix this issue:
b9c814ed6d59733c54965e01e90ffd5d3348fd2c
The following commits have been made on the 3.5 branch to fix this issue:
333d82d3271b2a1b445134bb6bbb15ae8c9ba8a6
More information
For further information and in case of questions, please contact the phpMyAdmin
team. Our website is phpmyadmin.net.
- ------------------------------------------------------------------------------
PMASA-2013-12
Announcement-ID: PMASA-2013-12
Date: 2013-07-28
Summary
Full path disclosure vulnerabilities.
Description
By calling some scripts that are part of phpMyAdmin in an unexpected way, it
is possible to trigger phpMyAdmin to display a PHP error message which
contains the full path of the directory where phpMyAdmin is installed.
Severity
We consider these vulnerabilities to be non critical.
Mitigation factor
This path disclosure is possible on servers where the recommended setting of
the PHP configuration directive display_errors is set to on, which is against
the recommendations given in the PHP manual.
Affected Versions
Versions 3.5.x (prior to 3.5.8.2) and 4.0.x (prior to 4.0.4.2) are affected.
Solution
Upgrade to phpMyAdmin 3.5.8.2 or 4.0.4.2 or newer or apply the patches listed
below.
References
Thanks to Emanuel Bronshtein for reporting these issues.
CWE ids: CWE-661 CWE-200
Patches
The following commits have been made to fix this issue:
0fea53b7b82134ce0e1979a71b7ce080b5b6ff9a
8e4fe7c57a976f2ce9a6931687f4697d519111ec
7992beb8e42f2a4a3dab275b119d1ebd58e3b164
142e465c80a1fb3d71e214d29c566c15a416518d
The following commits have been made on the 3.5 branch to fix this issue:
142e465c80a1fb3d71e214d29c566c15a416518d
63848b24389dfabda8306112e20742b3ff7b8b12
4cc91616057d7517df306fe27b291c9639493d88
5d49c44fb862bfdfb8205ff15e8469cfb1b1c5d9
2f93578e20fd422f922183254dd50318d03a3e24
8559162ebc8ce822fa01ac429a6aab08cfa4ceda
1c1e3dca2b0cdfe10615f51a73b7d00718ad8d4b
More information
For further information and in case of questions, please contact the phpMyAdmin
team. Our website is phpmyadmin.net.
- ------------------------------------------------------------------------------
PMASA-2013-13
Announcement-ID: PMASA-2013-13
Date: 2013-07-28
Summary
XSS vulnerability when a text to link transformation is used.
Description
When the TextLinkTransformationPlugin is used to create a link to an object
when displaying the contents of a table, the object name is not properly
escaped, which could lead to an XSS, if the object name has a crafted value.
Severity
We consider this vulnerability to be non critical.
Mitigation factor
The stored XSS vulnerabilities can be triggered only by someone who logged
in to phpMyAdmin, as the usual token protection prevents non-logged-in users
from accessing the required forms.
Affected Versions
Versions 4.0.x (prior to 4.0.4.2) are affected.
Solution
Upgrade to phpMyAdmin 4.0.4.2 or newer or apply the patches listed below.
References
Thanks to Dieter Adriaenssens for reporting this issue.
CWE ids: CWE-661 CWE-79 CWE-80
Patches
The following commits have been made to fix this issue:
e0c8704f725c56c87b644676ded94dba695de39f
More information
For further information and in case of questions, please contact the phpMyAdmin
team. Our website is phpmyadmin.net.
- ------------------------------------------------------------------------------
PMASA-2013-14
Announcement-ID: PMASA-2013-14
Date: 2013-07-28
Summary
Self-XSS due to unescaped HTML output in schema export.
Description
When calling schema_export.php with crafted parameters, it is possible to
trigger an XSS.
Severity
We consider this vulnerability to be non critical.
Mitigation factor
This vulnerability can be triggered only by someone who logged in to
phpMyAdmin, as the usual token protection prevents non-logged-in users from
accessing the required form.
Affected Versions
Versions 3.5.x (prior to 3.5.8.2) and 4.0.x (prior to 4.0.4.2) are affected.
Solution
Upgrade to phpMyAdmin 3.5.8.2 or 4.0.4.2 or newer, or apply the patch listed
below.
References
Thanks to Noam Rathaus for reporting this issue.
CWE ids: CWE-661 CWE-79
Patches
The following commits have been made to fix this issue:
1293e9b6e9eb7a831c5738f346ea44dee6d1bf0f
The following commits have been made on the 3.5 branch to fix this issue:
dede065d7ad59fb7c31ae384961564b7f7a7c005
More information
For further information and in case of questions, please contact the
phpMyAdmin team. Our website is phpmyadmin.net.
- ------------------------------------------------------------------------------
PMASA-2013-15
Announcement-ID: PMASA-2013-15
Date: 2013-07-28
Summary
SQL injection vulnerabilities, producing a privilege escalation (control
user).
Description
Due to a missing validation of parameters passed to schema_export.php and
pmd_pdf.php, it was possible to inject SQL statements that would run with
the privileges of the control user. This gives read and write access to the
tables of the configuration storage database, and if the control user has
the necessary privileges, read access to some tables of the mysql database.
Severity
We consider these vulnerabilities to be serious.
Mitigation factor
These vulnerabilities can be triggered only by someone who logged in to
phpMyAdmin, as the usual token protection prevents non-logged-in users
from accessing the required form. Moreover, a control user must have been
created and configured as part of the phpMyAdmin configuration storage
installation.
Affected Versions
Versions 3.5.x (prior to 3.5.8.2) and 4.0.x (prior to 4.0.4.2) are affected.
Solution
Upgrade to phpMyAdmin 3.5.8.2 or 4.0.4.2 or apply the patches below.
References
We wish to thank Noam Rathaus for informing us in a responsible manner.
CWE ids: CWE-661 CWE-89 CWE-269
Patches
The following commits have been made to fix this issue:
974d0dedeea7c79ac4533e614d9c0c3abd97e8f9
8ef025ef3d05c164654fee7001517626cf604bb1
The following commits have been made on the 3.5 branch to fix this issue:
4cbeef599cda87c6d2b1d7ef5542fe1ff316f706
20f71e767bcd037178cb5455543071323bc7ffd9
More information
For further information and in case of questions, please contact the
phpMyAdmin team. Our website is phpmyadmin.net.
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBUfYFKBLndAQH1ShLAQKtRg/+LWaa9fhzl1cLCJ0VG5SE6Ucb0uxHQqQN
Wan2wUzmwUqGQTv5dtIsy0XjWzHVnwbUHAc3KwZexjaWKHPcfCWcz2quxaeDMwh0
o3dKWai9GR+SDKJMtOue0/GM6Y7L7VEb/VEWiXmp04m8w9U+pU76BkPd/EvQ1TEl
tViTaNPNVD1xo4+pyVehcLaBrwUerIYsyLWexLCzlb4mzXsxerV/GfRbHzSYEIkn
so2+EWIGkUlP3idgrHvuH6TPoN1Z/x9ts/3Jp0kHQeSM5aWgapV3FfFymnD6Ru/A
6gWro617HjSgOjnC/SPBaTKUTYWjKB1SjjligeVWi7ZLNmTbHIK7EkHL5JcU260F
TupnRXs1EseTfY3R6RbZJqhFwLniJHu5bT1Nc0JwWZMJmHBpS3C4pMnV6Wnwm6YI
RrJbSSqbHqJdnHkuEw10G3O8TYvEM/nl/Kj+cT7aFq3IJ8LPcfp+mt79ZZcj5V0B
KwhQyg5dc1ujmN27q3/ljYIEHnC3S7zOn0VEg9nfgGx5m/+z+XMt2X9l6TkS9LVI
jWQGs2is2ckyOEDbui08hV4jWU5wGsa+a1ylO6TZ/3seA3IpSWSJiBLybpoC0etv
FXqFNgeYw4rKHBlFCm+ZOwiZ86/GEk4OO8WKoTqJv+cklHIPLiGjcWLwFe/kehFY
JduM082g68M=
=jBfV
-----END PGP SIGNATURE-----