-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2016.0228
      A number of vulnerabilities have been identified in phpMyAdmin
                              29 January 2016

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           phpMyAdmin
Publisher:         phpMyAdmin
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Cross-site Scripting     -- Remote with User Interaction
                   Access Confidential Data -- Remote/Unauthenticated      
                   Reduced Security         -- Remote/Unauthenticated      
Resolution:        Patch/Upgrade
CVE Names:         CVE-2016-2045 CVE-2016-2044 CVE-2016-2043
                   CVE-2016-2042 CVE-2016-2041 CVE-2016-2040
                   CVE-2016-2039 CVE-2016-2038 CVE-2016-1927

Original Bulletin: 
   https://www.phpmyadmin.net/security/PMASA-2016-1/
   https://www.phpmyadmin.net/security/PMASA-2016-2/
   https://www.phpmyadmin.net/security/PMASA-2016-3/
   https://www.phpmyadmin.net/security/PMASA-2016-4/
   https://www.phpmyadmin.net/security/PMASA-2016-5/
   https://www.phpmyadmin.net/security/PMASA-2016-6/
   https://www.phpmyadmin.net/security/PMASA-2016-7/
   https://www.phpmyadmin.net/security/PMASA-2016-8/
   https://www.phpmyadmin.net/security/PMASA-2016-9/

Comment: This bulletin contains nine (9) phpMyAdmin security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

PMASA-2016-1

Announcement-ID: PMASA-2016-1

Date: 2016-01-23

Summary

Multiple full path disclosure vulnerabilities.

Description

By calling some scripts that are part of phpMyAdmin in an unexpected way, it 
is possible to trigger phpMyAdmin to display a PHP error message which 
contains the full path of the directory where phpMyAdmin is installed.

Severity

We consider these vulnerabilities to be non-critical.

Mitigation factor

This path disclosure is possible only on servers where the PHP configuration 
directive display_errors is set to On, which is against the recommendation 
given in the PHP manual for a production server.

Affected Versions

Versions 4.0.x (prior to 4.0.10.13), 4.4.x (prior to 4.4.15.3) and 4.5.x 
(prior to 4.5.4) are affected.

Solution

Upgrade to phpMyAdmin 4.0.10.13 or newer, 4.4.15.3 or newer, 4.5.4 or newer or
apply the patches listed below.

References

Thanks to Emanuel Bronshtein @e3amn2l for reporting these vulnerabilities.

Assigned CVE ids: CVE-2016-2038

CWE ids: CWE-661 CWE-200

Patches

The following commits have been made on the 4.0 branch to fix this issue:

ac81596bfcf0b3cae9f6bc821efa4aa1c7f0c81d

8023340a259ecae6a3bd9268f4e39d097bdf0146

215f4a8ebe717ba646be00fca8519cf768a902f5

7056ca9458d26b24a6b1d9255073237c1636ca33

25738352df8057b542eeac3237eb6fd1d3ba4289

5b79467245b6e0a476775e2958b42088794f8e02

The following commits have been made on the 4.4 branch to fix this issue:

b39c02b0a82b13d2198276d228051139e6b838d9

470cd68344e86915679356dcc2cdb88c63a1d91d

b95360334d69b032b58cafb7d29db6670e9c7224

d63a8ab7e028925707902266fc989760118a4c72

879a14ad165b475ec58ceab33687d7cc5913a63b

d0a9baef3728a37120d53dc0a96abf04ace139da

The following commits have been made on the 4.5 branch to fix this issue:

5aee5035646c4fc617564cb0d3d58c0435d64d81

85ccdbb5b9c6c7a9830e5cb468662837a59a7aa3

447c88f4884fe30a25d38c331c31d820a19f8c93

f83b52737e321005959497d8e8f59f8aaedc9048

76b10187c38634a29d6780f99f6dcd796191073b

d4b9c22c1f8465bda5b6a83dc7e2cf59c3fe44e1

More information

For further information and in case of questions, please contact the 
phpMyAdmin team. Our website is phpmyadmin.net.

- ----------------------------------------------------------------------------

PMASA-2016-2

Announcement-ID: PMASA-2016-2

Date: 2016-01-24

Summary

Unsafe generation of XSRF/CSRF token.

Description

The XSRF/CSRF token is generated with a weak algorithm using functions that do
not return cryptographically secure values.

Severity

We consider this vulnerability to be non-critical.

Affected Versions

Versions 4.0.x (prior to 4.0.10.13), 4.4.x (prior to 4.4.15.3) and 4.5.x 
(prior to 4.5.4) are affected.

Solution

Upgrade to phpMyAdmin 4.0.10.13 or newer, 4.4.15.3 or newer, 4.5.4 or newer or
apply the patches listed below.

References

Thanks to Emanuel Bronshtein @e3amn2l for reporting this vulnerability.

Assigned CVE ids: CVE-2016-2039

CWE ids: CWE-661 CWE-338

Patches

The following commits have been made on the 4.0 branch to fix this issue:

6fe54dfa000dd6f43f237e859781fad7111ac1bd

The following commits have been made on the 4.4 branch to fix this issue:

91638c04d1f2c3977560a5b9db3ac3879a38691b

13384f7f47dadb02cfe950af0413c7d3e136df8e

The following commits have been made on the 4.5 branch to fix this issue:

f20970d32c3dfdf82aef7b6c244da1f769043813

cb7748ac9cffcd1cd0f3081499cd4aafa9d1065e

More information

For further information and in case of questions, please contact the 
phpMyAdmin team. Our website is phpmyadmin.net.

- ----------------------------------------------------------------------------

PMASA-2016-3

Announcement-ID: PMASA-2016-3

Date: 2016-01-24

Summary

Multiple XSS vulnerabilities.

Description

With a crafted table name it is possible to trigger an XSS attack in the 
database search page.

With a crafted SET value or a crafted search query, it is possible to trigger
an XSS attack in the zoom search page.

With a crafted HTTP Host header, it is possible to trigger an XSS attack in 
the home page.

Severity

We consider these vulnerabilities to be non-critical.

Mitigation factor

These vulnerabilities can be triggered only by someone who is logged in to 
phpMyAdmin, as the usual token protection prevents non-logged-in users from 
accessing the required pages.

Affected Versions

Versions 4.0.x (prior to 4.0.10.13), 4.4.x (prior to 4.4.15.3) and 4.5.x 
(prior to 4.5.4) are affected.

Solution

Upgrade to phpMyAdmin 4.0.10.13 or newer, 4.4.15.3 or newer, 4.5.4 or newer or
apply the patches listed below.

References

Thanks to Emanuel Bronshtein @e3amn2l for reporting these vulnerabilities.

Assigned CVE ids: CVE-2016-2040

CWE ids: CWE-661 CWE-79

Patches

The following commits have been made on the 4.0 branch to fix this issue:

9f3488fc3ab6b83618dbb4bebbea4b973764e2ac

0ce4fd2750491a54d27f94cc1403f9da21738aa6

27eb98faedcdcd0b856577fcbdfe3e87b2445345

The following commits have been made on the 4.4 branch to fix this issue:

2b3f915f72bfe7eb9ae60a69582f041ddc55f663

75de41635d387e1c3c8d71a746241502a90c8422

1414d60cbfe01a2d08ab9d5e6a7178a6323fca68

The following commits have been made on the 4.5 branch to fix this issue:

75a55824012406a08c4debf5ddb7ae41c32a7dbc

edffb52884b09562490081c3b8666ef46c296418

aca42efa01917cc0fe8cfdb2927a6399ca1742f2

More information

For further information and in case of questions, please contact the 
phpMyAdmin team. Our website is phpmyadmin.net.

- ------------------------------------------------------------------------------

PMASA-2016-4

Announcement-ID: PMASA-2016-4

Date: 2016-01-24

Summary

Insecure password generation in JavaScript.

Description

The password suggestion functionality uses Math.random(), which does not 
provide cryptographically secure random numbers.

Severity

We consider this vulnerability to be non-critical.

Affected Versions

Versions 4.0.x (prior to 4.0.10.13), 4.4.x (prior to 4.4.15.3) and 4.5.x 
(prior to 4.5.4) are affected.

Solution

Upgrade to phpMyAdmin 4.0.10.13 or newer, 4.4.15.3 or newer, 4.5.4 or newer or
apply the patches listed below.

References

Thanks to Emanuel Bronshtein @e3amn2l for reporting this vulnerability.

Assigned CVE ids: CVE-2016-1927

CWE ids: CWE-661 CWE-338

Patches

The following commits have been made on the 4.0 branch to fix this issue:

6a96e67487f2faecb4de4204fee9b96b94020720

2369daa7f5f550797f560e6b46a021e4558c2d72

The following commits have been made on the 4.4 branch to fix this issue:

8b6737735be5787d0b98c6cdfe2c7e3131b1bc95

5530a72e162fab442218486a90ff3365c96fde98

The following commits have been made on the 4.5 branch to fix this issue:

8dedcc1a175eb07debd4fe116407c43694c60b22

912856b432d794201884c36e5f390d446339b6e4

More information

For further information and in case of questions, please contact the 
phpMyAdmin team. Our website is phpmyadmin.net.

- -------------------------------------------------------------------------

PMASA-2016-5

Announcement-ID: PMASA-2016-5

Date: 2016-01-24

Summary

Unsafe comparison of XSRF/CSRF token.

Description

The comparison of the XSRF/CSRF token parameter with the value saved in the 
session is vulnerable to timing attacks. Moreover, the comparison could be 
bypassed if the XSRF/CSRF token matches a particular pattern.
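The two token defects described in PMASA-2016-2 (weak generation) and in this
advisory (unsafe comparison) are shown side by side below with their corrected
forms. This is an added illustration written for this bulletin; it is not
phpMyAdmin's code and not the content of the patches listed below. The function
names, the session key and the sample token are constructed assumptions. It
needs PHP 7.0 or later for random_bytes().

```php
<?php
declare(strict_types=1);

/*
 * Added example, not phpMyAdmin code. Shows the two CSRF-token defects the
 * advisories describe next to the fixed forms:
 *   PMASA-2016-2: a token built from functions that are not CSPRNGs;
 *   PMASA-2016-5: a token compared with `==`, which leaks timing and treats
 *                 numeric-looking strings as numbers.
 * Function names, the session key and the sample token are illustrative
 * assumptions, not phpMyAdmin identifiers.
 */

// --- Generation ------------------------------------------------------------

// WEAK: rand() is a small-state, seedable PRNG and uniqid() is essentially the
// current time in microseconds. md5() obscures the input but adds no entropy,
// so an attacker who can bracket the request time can enumerate candidates.
function weakCsrfToken(): string
{
    return md5(uniqid((string) rand(), true));
}

// STRONG: 32 bytes from the OS CSPRNG, hex-encoded for transport. random_bytes()
// throws when no secure source exists; never fall back to rand()/mt_rand().
function strongCsrfToken(): string
{
    return bin2hex(random_bytes(32));
}

// Issue one token per session and reuse it for every form in that session.
function issueCsrfToken(array &$session): string
{
    if (! isset($session['csrf_token']) || ! is_string($session['csrf_token'])) {
        $session['csrf_token'] = strongCsrfToken();
    }
    return $session['csrf_token'];
}

// --- Verification ----------------------------------------------------------

// UNSAFE (the pattern PMASA-2016-5 describes):
//  * `==` exits at the first differing byte, so response time depends on how
//    many leading bytes the attacker guessed correctly (CWE-208);
//  * when both operands look numeric, `==` compares them as numbers:
//    "0e12" == "0e999" and "1e3" == "1000" are true. A stored token of the
//    form "0e<digits>" is therefore matched by the submitted string "0".
function unsafeTokenCheck(string $submitted, string $stored): bool
{
    return $submitted == $stored;
}

// SAFE: hash_equals() compares byte-wise in time independent of the content
// and never coerces types. Reject non-strings first, because a request
// parameter can arrive as an array (token[]=x) and would raise a TypeError.
function safeTokenCheck($submitted, string $stored): bool
{
    return is_string($submitted) && hash_equals($stored, $submitted);
}

// Worked case for the "particular pattern": an md5-shaped token that happens
// to be "0e" followed only by digits (a constructed value, not a real token).
function demonstrateLooseComparison(): array
{
    $stored = '0e830400451993494058024219903391';  // 32 hex chars, digits after "0e"
    $forged = '0';                                 // what the attacker submits
    return [
        'unsafe_accepts_forgery' => unsafeTokenCheck($forged, $stored), // true
        'safe_accepts_forgery'   => safeTokenCheck($forged, $stored),   // false
        'safe_accepts_real'      => safeTokenCheck($stored, $stored),   // true
    ];
}

if (PHP_SAPI === 'cli') {
    var_dump(demonstrateLooseComparison());
}
```

Running the file with the php CLI prints the result of
demonstrateLooseComparison(): the `==` check accepts the submitted string "0"
for a stored token of the form "0e<digits>", hash_equals() does not. Replacing
`==` with `===` would remove the numeric coercion but not the early-exit timing
difference; hash_equals() removes both, which is why it is the right primitive
for comparing any secret (CSRF tokens, HMAC tags, API keys).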

Severity

We consider this vulnerability to be serious.

Affected Versions

Versions 4.0.x (prior to 4.0.10.13), 4.4.x (prior to 4.4.15.3) and 4.5.x 
(prior to 4.5.4) are affected.

Solution

Upgrade to phpMyAdmin 4.0.10.13 or newer, 4.4.15.3 or newer, 4.5.4 or newer or
apply the patches listed below.

References

Thanks to Emanuel Bronshtein @e3amn2l for reporting this vulnerability.

Assigned CVE ids: CVE-2016-2041

CWE ids: CWE-661 CWE-208

Patches

The following commits have been made on the 4.0 branch to fix this issue:

fe62b69a5b032de8e1d9d0a04456c1cecf46428c

The following commits have been made on the 4.4 branch to fix this issue:

3303b3d6c304d71da4a7d242307bf449aaa955c5

The following commits have been made on the 4.5 branch to fix this issue:

ec0e88e37ef30a66eada1c072953f4ec385a3e49

More information

For further information and in case of questions, please contact the 
phpMyAdmin team. Our website is phpmyadmin.net.

- ---------------------------------------------------------------------------

PMASA-2016-6

Announcement-ID: PMASA-2016-6

Date: 2016-01-24

Summary

Multiple full path disclosure vulnerabilities.

Description

By calling some scripts that are part of phpMyAdmin in an unexpected way, it 
is possible to trigger phpMyAdmin to display a PHP error message which 
contains the full path of the directory where phpMyAdmin is installed.

Severity

We consider these vulnerabilities to be non-critical.

Mitigation factor

This path disclosure is possible only on servers where the PHP configuration 
directive display_errors is set to On, which is against the recommendation 
given in the PHP manual for a production server.

Affected Versions

Versions 4.4.x (prior to 4.4.15.3) and 4.5.x (prior to 4.5.4) are affected.

Solution

Upgrade to phpMyAdmin 4.4.15.3 or newer, 4.5.4 or newer or apply the patches 
listed below.

References

Thanks to Emanuel Bronshtein @e3amn2l for reporting these vulnerabilities.

Assigned CVE ids: CVE-2016-2042

CWE ids: CWE-661 CWE-200

Patches

The following commits have been made on the 4.4 branch to fix this issue:

3b96f3600651163b8c1d9b6ff7ebd0b142412993

The following commits have been made on the 4.5 branch to fix this issue:

5a3de108f26e4b0dddadddbe8ccdb1dd5526771f

More information

For further information and in case of questions, please contact the 
phpMyAdmin team. Our website is phpmyadmin.net.

- ----------------------------------------------------------------------------

PMASA-2016-7

Announcement-ID: PMASA-2016-7

Date: 2016-01-24

Summary

XSS vulnerability in normalization page.

Description

With a crafted table name it is possible to trigger an XSS attack in the 
database normalization page.

Severity

We consider this vulnerability to be non-critical.

Mitigation factor

This vulnerability can be triggered only by someone who is logged in to 
phpMyAdmin, as the usual token protection prevents non-logged-in users from 
accessing the required page.

Affected Versions

Versions 4.4.x (prior to 4.4.15.3) and 4.5.x (prior to 4.5.4) are affected.

Solution

Upgrade to phpMyAdmin 4.4.15.3 or newer, 4.5.4 or newer or apply the patches 
listed below.

References

Thanks to Emanuel Bronshtein @e3amn2l for reporting this vulnerability.

Assigned CVE ids: CVE-2016-2043

CWE ids: CWE-661 CWE-79

Patches

The following commits have been made on the 4.4 branch to fix this issue:

8f86713de6163ccd0f8bd9987251a9d17feaee18

The following commits have been made on the 4.5 branch to fix this issue:

019c4f25d500ec5db9ba3b84cc961a7e4e850738

More information

For further information and in case of questions, please contact the 
phpMyAdmin team. Our website is phpmyadmin.net.

- -------------------------------------------------------------------------

PMASA-2016-8

Announcement-ID: PMASA-2016-8

Date: 2016-01-24

Summary

Full path disclosure vulnerability in SQL parser.

Description

By calling a particular script that is part of phpMyAdmin in an unexpected 
way, it is possible to trigger phpMyAdmin to display a PHP error message which
contains the full path of the directory where phpMyAdmin is installed.

Severity

We consider this vulnerability to be non-critical.

Mitigation factor

This path disclosure is possible only on servers where the PHP configuration 
directive display_errors is set to On, which is against the recommendation 
given in the PHP manual for a production server.
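The mitigating factor above is a PHP runtime setting rather than anything in
phpMyAdmin, and it applies equally to PMASA-2016-1 and PMASA-2016-6. The script
below, an added example that is not phpMyAdmin code, reports whether the PHP
runtime it executes under would send error text (and with it the install path)
to HTTP clients. Run it through the SAPI that actually serves phpMyAdmin
(mod_php or php-fpm; the CLI frequently loads a different php.ini), for
instance by placing it in the web root briefly, requesting it once and removing
it. The function names are illustrative.

```php
<?php
declare(strict_types=1);

/*
 * Added example, not phpMyAdmin code. Checks the two php.ini directives that
 * decide whether a PHP warning such as
 *   Warning: Undefined variable $x in /var/www/html/pma/libraries/foo.php on line 12
 * reaches the browser (display_errors) or only the server log (log_errors).
 * The path in that sample message is constructed.
 */

// Values PHP treats as "off" for display_errors. Its parser maps on/yes/true
// and stdout to 1 and stderr to 2; everything else goes through atoi(), so
// "off", "no", "false", "none" and "" all become 0. The php.ini scanner also
// turns Off/No/False/None into "" before ini_get() ever sees them.
const OFF_VALUES = ['', '0', 'off', 'no', 'false', 'none'];

function isOff(string $value): bool
{
    return in_array(strtolower(trim($value)), OFF_VALUES, true);
}

/**
 * @param array<string,string> $ini display_errors and log_errors as ini_get() returns them
 * @return string[] findings; empty when the configuration is production-safe
 */
function auditErrorReporting(array $ini): array
{
    $findings = [];

    $display = $ini['display_errors'] ?? '';
    if (! isOff($display)) {
        $findings[] = sprintf(
            'display_errors=%s: PHP warnings, including the absolute path of the failing file, are sent to HTTP clients',
            $display === '' ? '""' : $display
        );
    }

    // Turning display off must not mean losing the errors altogether.
    if (isOff($ini['log_errors'] ?? '')) {
        $findings[] = 'log_errors is off: errors are neither displayed nor logged';
    }

    return $findings;
}

// Snapshot of the live runtime in the shape auditErrorReporting() expects.
function currentErrorIni(): array
{
    return [
        'display_errors' => (string) ini_get('display_errors'),
        'log_errors'     => (string) ini_get('log_errors'),
    ];
}

$findings = auditErrorReporting(currentErrorIni());
echo $findings === []
    ? "OK: PHP errors are logged, not displayed\n"
    : implode("\n", $findings) . "\n";
```

On a hardened host the expected output is the single OK line. display_errors
is only the mitigation: the commits listed in these advisories change
phpMyAdmin itself so that the unexpected calls no longer produce a warning, and
the upgrade is still needed when display_errors is already off.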

Affected Versions

Versions 4.5.x (prior to 4.5.4) are affected.

Solution

Upgrade to phpMyAdmin 4.5.4 or newer or apply the patch listed below.

References

Thanks to Emanuel Bronshtein @e3amn2l for reporting this vulnerability.

Assigned CVE ids: CVE-2016-2044

CWE ids: CWE-661 CWE-200

Patches

The following commits have been made on the 4.5 branch to fix this issue:

c57d3cc7b97b5f32801032f7bb222297aa97dfea

More information

For further information and in case of questions, please contact the 
phpMyAdmin team. Our website is phpmyadmin.net.

- ----------------------------------------------------------------------------

PMASA-2016-9

Announcement-ID: PMASA-2016-9

Date: 2016-01-24

Summary

XSS vulnerability in SQL editor.

Description

With a crafted SQL query, it is possible to trigger an XSS attack in the SQL 
editor.

Severity

We consider this vulnerability to be non-critical.

Mitigation factor

This vulnerability can be triggered only by someone who is logged in to 
phpMyAdmin, as the usual token protection prevents non-logged-in users from 
accessing the required page.
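PMASA-2016-3, PMASA-2016-7 and this advisory share one root cause: a string an
authenticated user controls (a table name, a SET value, a search term, a SQL
query) or that any client controls (the HTTP Host header) is written into a
page without encoding for the context it lands in. The block below is an added
example, not phpMyAdmin code and not what the listed commits contain; it shows
the encoding each output context needs and runs a constructed hostile table
name, SET value and Host header through it. Function names, page and form-field
names and the sample values are assumptions for illustration. It needs PHP 7.2
or later for JSON_INVALID_UTF8_SUBSTITUTE.

```php
<?php
declare(strict_types=1);

/*
 * Added example, not phpMyAdmin code. Context-specific output encoding for
 * the values the XSS advisories name. sql.php, table_select[] and
 * criteriaValues[] are illustrative names, not a claim about phpMyAdmin's
 * templates.
 */

// HTML text and attribute values. ENT_QUOTES is required because the value
// may sit in a single-quoted attribute; ENT_SUBSTITUTE keeps invalid UTF-8
// from making htmlspecialchars() return "" and silently drop the output.
function escHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// URL query component inside an href: percent-encode first, then HTML-encode
// because the URL itself is attribute content.
function escUrlParam(string $s): string
{
    return escHtml(rawurlencode($s));
}

// Inside an inline <script>: a JSON string literal with <, >, &, ' and "
// hex-escaped, so the value can neither close the script element nor the literal.
function escJs(string $s): string
{
    $json = json_encode(
        $s,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_INVALID_UTF8_SUBSTITUTE
    );
    return $json === false ? '""' : $json;
}

// The Host header is attacker-controlled on every request. Accept it only if
// it names this installation; otherwise use the configured host name.
function trustedHost(string $hostHeader, array $allowedHosts, string $configuredHost): string
{
    $name = strtolower((string) preg_replace('/:\d+\z/', '', trim($hostHeader)));
    return in_array($name, $allowedHosts, true) ? $name : $configuredHost;
}

// One database-search result row: the table name appears in a URL, as link
// text and as a form value, each with its own encoding.
function renderSearchRow(string $table): string
{
    return sprintf(
        '<tr><td><a href="sql.php?table=%s">%s</a></td>'
        . '<td><input type="checkbox" name="table_select[]" value="%s"></td></tr>',
        escUrlParam($table),
        escHtml($table),
        escHtml($table)
    );
}

// The allowed values of a SET column rendered into the zoom-search form.
function renderSetOptions(array $setValues): string
{
    $out = '<select name="criteriaValues[]" multiple>';
    foreach ($setValues as $value) {
        $out .= sprintf('<option value="%s">%s</option>', escHtml($value), escHtml($value));
    }
    return $out . '</select>';
}

function demo(): array
{
    // Constructed hostile inputs of the kind the advisories describe.
    $table     = '"><script>alert(document.cookie)</script>';
    $setValues = ['small', "x' onmouseover='alert(1)"];
    $host      = 'pma.example.org"><img src=x onerror=alert(1)>';

    return [
        'row'     => renderSearchRow($table),
        'options' => renderSetOptions($setValues),
        'script'  => '<script>var table = ' . escJs($table) . ';</script>',
        'host'    => trustedHost($host, ['pma.example.org'], 'pma.example.org'),
    ];
}

if (PHP_SAPI === 'cli') {
    foreach (demo() as $context => $html) {
        echo $context, ': ', $html, "\n";
    }
}
```

Running the file prints each fragment with the payload neutralised in its
context. The Host header case is different from the others: because every
client controls that value, encoding it on output is not enough when it is also
used to build links, so it should be matched against the names the
installation is actually served under and otherwise replaced.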

Affected Versions

Versions 4.5.x (prior to 4.5.4) are affected.

Solution

Upgrade to phpMyAdmin 4.5.4 or newer or apply the patches listed below.

References

Thanks to Emanuel Bronshtein @e3amn2l for reporting this vulnerability.

Assigned CVE ids: CVE-2016-2045

CWE ids: CWE-661 CWE-79

Patches

The following commits have been made on the 4.5 branch to fix this issue:

0a24f92d081033576bfdd9d4bdec1a54501734c1

11496890d7e21786cbfd9fd17ab968f498116b3f

More information

For further information and in case of questions, please contact the 
phpMyAdmin team. Our website is phpmyadmin.net.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBVqq0AX6ZAP0PgtI9AQJMtA/8C+7leRubKgQxVEGx+RR63lb3d4fka2aO
Sv3U8wh1CO1gj7PQVhhHPDP9455DfeptqFJX7uKbB19hleOscZbuDf7Zw9pTYfeY
M1m7r9eb2TmT+S+YkBCsvQt3mvNOKP8B9UUp8nnub8JNmJ6wuZeP1kyKgYACPbKo
ie/I+EBfzicWQ55nXnWK2wDdAEoIiKgCSet0GDkh/BemNxTdJkwPecVppWRycAVl
/j5gR3qxt63CBPtetX8qnOpQkVxU5yjhhl2wCp46Csdi8cNQ7AYdaWDfb7C7zey7
0GPwqFcPkcBb20rAQBI6errEXgKmtEVzar9pbAM6dV9loHJdTCDES1H5abEvRpFo
2LDGg1ofdzQ2Ckv3wShZbtO/oH5YBSAMOQzQQxybYiSdGheJsBI71YtEvDELI4KE
TiZaHUFa4VvSKskjp3X2w08WP1yN19oForIpHhn8J9DFXmuKe3h837anxOl7y5ts
VHD72BtIAPpkJJQscixw0eaATtip8zlfUpDChJlsQEKfrNWnneS5XCDsZ7Bc/lg/
rY/D/+yW9U1yJUy/A/jm5H4at1E8xjjz6q/f+Wh2fBkq1dlA6c5UhqQs5dMj6B3Z
G9/FHNEyIPaB/zYLTTBpEFC4SAq5SMniXUZnAvWbUgQ4Pl0SBrxd8iC/HSESqD/B
cVKp8cxvoug=
=a72M
-----END PGP SIGNATURE-----