Operating System:

[WIN][UNIX/Linux]

Published:

23 June 2014

Protect yourself against future threats.

//Service

Security Bulletins

Receive up to date and consistent security bulletins across a wide range of vendors, streamlining security patching.

Read more
Resources > Security Bulletins > ESB-2014.1014 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2014.1014
          Two vulnerabilities have been identified in phpMyAdmin
                               23 June 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           phpMyAdmin
Publisher:         phpMyAdmin
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Cross-site Scripting -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-4349 CVE-2014-4348 

Original Bulletin: 
   http://www.phpmyadmin.net/home_page/security/PMASA-2014-2.php
   http://www.phpmyadmin.net/home_page/security/PMASA-2014-3.php

Comment: This bulletin contains two (2) phpMyAdmin security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

PMASA-2014-2

Announcement-ID: PMASA-2014-2

Date: 2014-06-20

Summary

Self-XSS due to unescaped HTML output in recent/favorite tables navigation.

Description

When marking a crafted database or table name as favorite or having it in 
recent tables, it is possible to trigger an XSS.

Severity

We consider this vulnerability to be non critical.

Mitigation factor

This vulnerability can be triggered only by someone who logged in to 
phpMyAdmin, as the usual token protection prevents non-logged-in users from 
accessing the required form.

Affected Versions

All versions since 4.2.0 and prior to 4.2.4 are affected.

Solution

Upgrade to phpMyAdmin 4.2.4 or newer, or apply the patch listed below.

References

Thanks to Madhura Jayaratne and Chirayu Chiripal for reporting this 
vulnerability.

Assigned CVE ids: CVE-2014-4348

CWE ids: CWE-661 CWE-79 Patches

The following commits have been made to fix this issue:

    cb7c703c03f656debcea2a16468bd53660fc888e 
d18a2dd9faad7e0e96df799b59e16ef587afb838

More information

For further information and in case of questions, please contact the 
phpMyAdmin team. Our website is phpmyadmin.net.

- ---------------------------------------------------------------------------------

PMASA-2014-3

Announcement-ID: PMASA-2014-3

Date: 2014-06-20

Summary

Self-XSS due to unescaped HTML output in navigation items hiding feature.

Description

When hiding or unhiding a crafted table name in the navigation, it is possible
to trigger an XSS.

Severity

We consider this vulnerability to be non critical.

Mitigation factor

This vulnerability can be triggered only by someone who logged in to 
phpMyAdmin, as the usual token protection prevents non-logged-in users from 
accessing the required form.

Affected Versions

Versions 4.1.x (prior to 4.1.14.1) and 4.2.x (prior to 4.2.4) are affected.

Solution

Upgrade to phpMyAdmin 4.1.14.1 or newer, or 4.2.4 or newer, or apply the patch
listed below.

References

Thanks to Chirayu Chiripal for reporting this vulnerability.

Assigned CVE ids: CVE-2014-4349

CWE ids: CWE-661 CWE-79

Patches

The following commits have been made to fix this issue:

    d4f754c937f9e2c0beadff5b2e38215dde1d6a79

The following commits have been made on the 4.1 branch to fix this issue:

    daa98d0c7ed24b529dc5df0d5905873acd0b00be

More information

For further information and in case of questions, please contact the 
phpMyAdmin team. Our website is phpmyadmin.net.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBU6d9mBLndAQH1ShLAQLqQA/6AqbUTuUAvmtVWg5pLsJpOKNDwP7Ly7ox
rMzZks3NQNdD1fELuevx/5lCdkQi97IiFFhAqqA2WVVflU3g45CN+q1e23KYCElG
X/heJmuag4qOu7sD7WcZjWl0FPsRKcwudpSKbGLbQx3rfzHHOyRZ5J12hyPCcVrN
LmI7XkxbSMizGnWJo6YZQJwlr3omgean4MtVGJd4Fo/eQJd3C1QIHd4cUVIZjZtV
0c5BnSRa8lViTBAZhYL86qpF7RkDiAFwHdeyiaMYo7ybrECg2dDvAeRGXW9tBD5m
pz4ZKeTmmAxHxSzEXMLbxW21wjDQF+HahloH9R/5cahNXRVTkJ05Lrc6T6Z/pq9u
Kfp+g0X5mKYFTrftQuQpinCGJIXROZcjoenrHX5cqr3uvTGXSpcj/QHhJVTI/pU2
wGn5+Q7YuX6jJnSkJpdSvqnouVhCfC2Ol0487Z6rg1EHCdhNzI5zR91r0MlADjOC
gylrIL9evC1CglG+RFU7Nsqh0oEMx2XTCn8Oh7hHdMIVMmdSgDQtEQZ/oAmBM0FO
X2qJeaHRYV20SOePW1sQdL1OQO8G5Wc3YreVKFr2XglY6HiuggQWrQYwojOLCBoz
7vkbkVQkwf+xQ55jQuamXksESBgiF4AH7ejfAPMkfDY8V1Ar6ObwRbJx0k+AZ80t
Uz6dibwWZd0=
=zRmt
-----END PGP SIGNATURE-----