-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2014.1402
      A number of vulnerabilities have been identified in phpMyAdmin
                              18 August 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           phpMyAdmin
Publisher:         phpMyAdmin
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Cross-site Scripting -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-5274 CVE-2014-5273 

Original Bulletin: 
   http://www.phpmyadmin.net/home_page/security/PMASA-2014-8.php
   http://www.phpmyadmin.net/home_page/security/PMASA-2014-9.php

Comment: This bulletin contains two (2) phpMyAdmin security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

PMASA-2014-8

Announcement-ID: PMASA-2014-8

Date: 2014-08-17

Summary

Multiple XSS vulnerabilities in browse table, ENUM editor, monitor, query 
charts and table relations pages

Description

With a crafted database, table or primary/unique key column name it is 
possible to trigger an XSS when dropping a row from the table. With a crafted
column name it is possible to trigger an XSS in the ENUM editor dialog. With a
crafted variable name or a crafted value for the unit field it is possible to 
trigger a self-XSS when adding a new chart in the monitor page. With a crafted
value for the x-axis label it is possible to trigger a self-XSS in the query chart
page. With a crafted relation name it is possible to trigger an XSS in the table 
relations page.

Severity

We consider these vulnerabilities to be non critical.

Mitigation factor

These vulnerabilities can be triggered only by someone who is logged in to 
phpMyAdmin, as the usual token protection prevents non-logged-in users from 
accessing the required pages.

Affected Versions

Versions 4.0.x (prior to 4.0.10.2), 4.1.x (prior to 4.1.14.3) and 4.2.x (prior
to 4.2.7.1) are affected.

Solution

Upgrade to phpMyAdmin 4.0.10.2 or newer, or 4.1.14.3 or newer, or 4.2.7.1 or 
newer, or apply the patches listed below.

References

Thanks to Ashutosh Dhundhara for reporting the vulnerability in the table 
relations page.

Assigned CVE ids: CVE-2014-5273

CWE ids: CWE-661 CWE-79

Patches

The following commits have been made to fix this issue:

    647c9d12e33a6b64e1c3ff7487f72696bdf2dccb

    2c45d7caa614afd71dbe3d0f7270f51ce5569614

    cd9f302bf7f91a160fe7080f9a612019ef847f1c

    90ddeecf60fc029608b972e490b735f3a65ed0cb

    3ffc967fb60cf2910cc2f571017e977558c67821

The following commits have been made on the 4.1 branch to fix this issue:

    2d394521197f81dce0d9529b2d86ed24760b5b2a

    1956420ddab0595016ba2b3af89f7f82d39f5afa

    69f746b7dc09f7b1a18b09de0b5cd71f0bcd0a3d

    bbd20b54864a389c7a0cd2c4d4715f00b81a03e9

    5519905a2519d9a102b172432448c7e91d5601a6

The following commits have been made on the 4.0 branch to fix this issue:

    285ed5b8d3bc9279fe6ed01da8151ed66be9b137

    0433d463b6c05ea7b1080995414268fe0a449b00

    3668255202062dd7d60bff70236302084e73fc11

    03b92aa6e923f2b4a54b298cc0042548ff7ba89b

    098caf93b63d4928e4df53310222c8727d0be9fe

More information

For further information and in case of questions, please contact the 
phpMyAdmin team. Our website is phpmyadmin.net.

- -------------------------------------------------------------------------------

PMASA-2014-9

Announcement-ID: PMASA-2014-9

Date: 2014-08-17

Summary

XSS in view operations page.

Description

With a crafted view name it is possible to trigger an XSS when dropping the 
view in the view operations page.
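Both descriptions above (PMASA-2014-8 and PMASA-2014-9) share one root cause: a
name that the application reads back from the database (table, view, column or
relation) is treated as trusted and written into HTML unchanged, so an identifier
containing markup executes in the administrator's browser. The following PHP
script is an added illustration for this bulletin and is not phpMyAdmin code or
any of the patches listed below. The function names, the drop.php form target
and the sample identifier are constructed; it assumes PHP 8 for str_contains().

```php
<?php
// Added illustration, not phpMyAdmin code: how a crafted identifier becomes
// XSS in a "drop" confirmation, and how contextual output encoding stops it.
// All names here are hypothetical; the crafted identifier is a constructed sample.
declare(strict_types=1);

/**
 * Vulnerable pattern: an identifier the application fetched from the server
 * (and which a database user may have chosen) is interpolated into HTML as-is.
 */
function renderDropConfirmationUnsafe(string $objectName): string
{
    return '<div class="confirm">Really drop <strong>' . $objectName
        . '</strong>?</div>';
}

/**
 * Hardened pattern: escape for the HTML text context. ENT_QUOTES covers both
 * quote styles so the same helper is also safe inside attribute values, and
 * an explicit charset avoids encoding-dependent bypasses.
 */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function renderDropConfirmationSafe(string $objectName): string
{
    return '<div class="confirm">Really drop <strong>' . h($objectName)
        . '</strong>?</div>';
}

/**
 * Names also travel through a hidden form field and into inline JavaScript.
 * Each context needs its own encoder: h() for attributes, json_encode() with
 * the HEX flags for a JavaScript string literal (so "</script>" cannot break out).
 */
function renderDropFormSafe(string $objectName): string
{
    $jsLiteral = json_encode(
        $objectName,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
    return '<form method="post" action="drop.php">'
        . '<input type="hidden" name="object" value="' . h($objectName) . '">'
        . '<button type="submit">Drop</button></form>'
        . '<script>var pendingDrop = ' . $jsLiteral . ';</script>';
}

// Constructed sample: a legal MySQL identifier (backtick-quoted identifiers may
// contain almost any character) that doubles as HTML markup.
$crafted = 'users<script>x()</script>';

// Check: raw markup survives the unsafe rendering but not the hardened ones.
$unsafe = renderDropConfirmationUnsafe($crafted);
$safe   = renderDropConfirmationSafe($crafted);
$form   = renderDropFormSafe($crafted);

printf("unsafe output carries a script tag: %s\n", str_contains($unsafe, '<script>') ? 'yes' : 'no');
printf("safe output carries a script tag:   %s\n", str_contains($safe, '<script>') ? 'yes' : 'no');
printf("form output carries a script tag:   %s\n", str_contains($form, '<script>') ? 'yes' : 'no');
echo $safe, PHP_EOL, $form, PHP_EOL;
```

Run it with `php drop_demo.php` (any file name). The point for a reviewer of the
listed commits is that an identifier is only "trusted" in SQL after quoting; once
it is rendered, it is ordinary untrusted input and must be encoded for each
output context separately.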

Severity

We consider this vulnerability to be non critical.

Mitigation factor

This vulnerability can be triggered only by someone who is logged in to 
phpMyAdmin, as the usual token protection prevents non-logged-in users from 
accessing the required pages.

Affected Versions

Versions 4.1.x (prior to 4.1.14.3) and 4.2.x (prior to 4.2.7.1) are affected.

Solution

Upgrade to phpMyAdmin 4.1.14.3 or newer, or 4.2.7.1 or newer, or apply the 
patch listed below.

References

Assigned CVE ids: CVE-2014-5274

CWE ids: CWE-661 CWE-79

Patches

The following commits have been made to fix this issue:

    0cd293f5e13aa245e4a57b8d373597cc0e421b6f

The following commits have been made on the 4.1 branch to fix this issue:

    65eef3d65411b985250487e14f1121754a91c6d5

More information

For further information and in case of questions, please contact the 
phpMyAdmin team. Our website is phpmyadmin.net.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----