-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2016.0228
       A number of vulnerabilities have been identified in phpMyAdmin
                              29 January 2016

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           phpMyAdmin
Publisher:         phpMyAdmin
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Cross-site Scripting     -- Remote with User Interaction
                   Access Confidential Data -- Remote/Unauthenticated
                   Reduced Security         -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2016-2045 CVE-2016-2044 CVE-2016-2043 CVE-2016-2042
                   CVE-2016-2041 CVE-2016-2040 CVE-2016-2039 CVE-2016-2038
                   CVE-2016-1927

Original Bulletin:
   https://www.phpmyadmin.net/security/PMASA-2016-1/
   https://www.phpmyadmin.net/security/PMASA-2016-2/
   https://www.phpmyadmin.net/security/PMASA-2016-3/
   https://www.phpmyadmin.net/security/PMASA-2016-4/
   https://www.phpmyadmin.net/security/PMASA-2016-5/
   https://www.phpmyadmin.net/security/PMASA-2016-6/
   https://www.phpmyadmin.net/security/PMASA-2016-7/
   https://www.phpmyadmin.net/security/PMASA-2016-8/
   https://www.phpmyadmin.net/security/PMASA-2016-9/

Comment: This bulletin contains nine (9) phpMyAdmin security advisories.

---------------------------BEGIN INCLUDED TEXT--------------------

PMASA-2016-1

Announcement-ID: PMASA-2016-1

Date: 2016-01-23

Summary

Multiple full path disclosure vulnerabilities.

Description

By calling some scripts that are part of phpMyAdmin in an unexpected way, it
is possible to trigger phpMyAdmin to display a PHP error message which
contains the full path of the directory where phpMyAdmin is installed.

Severity

We consider these vulnerabilities to be non-critical.
Mitigation factor

This path disclosure is possible only on servers where the PHP configuration
directive display_errors is set to on, which is against the recommendations
given in the PHP manual for a production server.

Affected Versions

Versions 4.0.x (prior to 4.0.10.13), 4.4.x (prior to 4.4.15.3) and 4.5.x
(prior to 4.5.4) are affected.

Solution

Upgrade to phpMyAdmin 4.0.10.13 or newer, 4.4.15.3 or newer, 4.5.4 or newer,
or apply the patches listed below.

References

Thanks to Emanuel Bronshtein @e3amn2l for reporting these vulnerabilities.

Assigned CVE ids: CVE-2016-2038

CWE ids: CWE-661 CWE-200

Patches

The following commits have been made on the 4.0 branch to fix this issue:

ac81596bfcf0b3cae9f6bc821efa4aa1c7f0c81d
8023340a259ecae6a3bd9268f4e39d097bdf0146
215f4a8ebe717ba646be00fca8519cf768a902f5
7056ca9458d26b24a6b1d9255073237c1636ca33
25738352df8057b542eeac3237eb6fd1d3ba4289
5b79467245b6e0a476775e2958b42088794f8e02

The following commits have been made on the 4.4 branch to fix this issue:

b39c02b0a82b13d2198276d228051139e6b838d9
470cd68344e86915679356dcc2cdb88c63a1d91d
b95360334d69b032b58cafb7d29db6670e9c7224
d63a8ab7e028925707902266fc989760118a4c72
879a14ad165b475ec58ceab33687d7cc5913a63b
d0a9baef3728a37120d53dc0a96abf04ace139da

The following commits have been made on the 4.5 branch to fix this issue:

5aee5035646c4fc617564cb0d3d58c0435d64d81
85ccdbb5b9c6c7a9830e5cb468662837a59a7aa3
447c88f4884fe30a25d38c331c31d820a19f8c93
f83b52737e321005959497d8e8f59f8aaedc9048
76b10187c38634a29d6780f99f6dcd796191073b
d4b9c22c1f8465bda5b6a83dc7e2cf59c3fe44e1

More information

For further information and in case of questions, please contact the
phpMyAdmin team. Our website is phpmyadmin.net.

----------------------------------------------------------------------------

PMASA-2016-2

Announcement-ID: PMASA-2016-2

Date: 2016-01-24

Summary

Unsafe generation of XSRF/CSRF token.
Description

The XSRF/CSRF token is generated with a weak algorithm using functions that
do not return cryptographically secure values.

Severity

We consider this vulnerability to be non-critical.

Affected Versions

Versions 4.0.x (prior to 4.0.10.13), 4.4.x (prior to 4.4.15.3) and 4.5.x
(prior to 4.5.4) are affected.

Solution

Upgrade to phpMyAdmin 4.0.10.13 or newer, 4.4.15.3 or newer, 4.5.4 or newer,
or apply the patches listed below.

References

Thanks to Emanuel Bronshtein @e3amn2l for reporting this vulnerability.

Assigned CVE ids: CVE-2016-2039

CWE ids: CWE-661 CWE-338

Patches

The following commits have been made on the 4.0 branch to fix this issue:

6fe54dfa000dd6f43f237e859781fad7111ac1bd

The following commits have been made on the 4.4 branch to fix this issue:

91638c04d1f2c3977560a5b9db3ac3879a38691b
13384f7f47dadb02cfe950af0413c7d3e136df8e

The following commits have been made on the 4.5 branch to fix this issue:

f20970d32c3dfdf82aef7b6c244da1f769043813
cb7748ac9cffcd1cd0f3081499cd4aafa9d1065e

More information

For further information and in case of questions, please contact the
phpMyAdmin team. Our website is phpmyadmin.net.

----------------------------------------------------------------------------

PMASA-2016-3

Announcement-ID: PMASA-2016-3

Date: 2016-01-24

Summary

Multiple XSS vulnerabilities.

Description

With a crafted table name it is possible to trigger an XSS attack in the
database search page.

With a crafted SET value or a crafted search query, it is possible to
trigger an XSS attack in the zoom search page.

With a crafted hostname header, it is possible to trigger an XSS attack in
the home page.

Severity

We consider these vulnerabilities to be non-critical.

Mitigation factor

These vulnerabilities can be triggered only by someone who is logged in to
phpMyAdmin, as the usual token protection prevents non-logged-in users from
accessing the required pages.
Affected Versions

Versions 4.0.x (prior to 4.0.10.13), 4.4.x (prior to 4.4.15.3) and 4.5.x
(prior to 4.5.4) are affected.

Solution

Upgrade to phpMyAdmin 4.0.10.13 or newer, 4.4.15.3 or newer, 4.5.4 or newer,
or apply the patches listed below.

References

Thanks to Emanuel Bronshtein @e3amn2l for reporting these vulnerabilities.

Assigned CVE ids: CVE-2016-2040

CWE ids: CWE-661 CWE-79

Patches

The following commits have been made on the 4.0 branch to fix this issue:

9f3488fc3ab6b83618dbb4bebbea4b973764e2ac
0ce4fd2750491a54d27f94cc1403f9da21738aa6
27eb98faedcdcd0b856577fcbdfe3e87b2445345

The following commits have been made on the 4.4 branch to fix this issue:

2b3f915f72bfe7eb9ae60a69582f041ddc55f663
75de41635d387e1c3c8d71a746241502a90c8422
1414d60cbfe01a2d08ab9d5e6a7178a6323fca68

The following commits have been made on the 4.5 branch to fix this issue:

75a55824012406a08c4debf5ddb7ae41c32a7dbc
edffb52884b09562490081c3b8666ef46c296418
aca42efa01917cc0fe8cfdb2927a6399ca1742f2

More information

For further information and in case of questions, please contact the
phpMyAdmin team. Our website is phpmyadmin.net.

----------------------------------------------------------------------------

PMASA-2016-4

Announcement-ID: PMASA-2016-4

Date: 2016-01-24

Summary

Insecure password generation in JavaScript.

Description

The password suggestion functionality uses Math.random(), which does not
provide cryptographically secure random numbers.

Severity

We consider this vulnerability to be non-critical.

Affected Versions

Versions 4.0.x (prior to 4.0.10.13), 4.4.x (prior to 4.4.15.3) and 4.5.x
(prior to 4.5.4) are affected.

Solution

Upgrade to phpMyAdmin 4.0.10.13 or newer, 4.4.15.3 or newer, 4.5.4 or newer,
or apply the patches listed below.

References

Thanks to Emanuel Bronshtein @e3amn2l for reporting this vulnerability.
Assigned CVE ids: CVE-2016-1927

CWE ids: CWE-661 CWE-338

Patches

The following commits have been made on the 4.0 branch to fix this issue:

6a96e67487f2faecb4de4204fee9b96b94020720
2369daa7f5f550797f560e6b46a021e4558c2d72

The following commits have been made on the 4.4 branch to fix this issue:

8b6737735be5787d0b98c6cdfe2c7e3131b1bc95
5530a72e162fab442218486a90ff3365c96fde98

The following commits have been made on the 4.5 branch to fix this issue:

8dedcc1a175eb07debd4fe116407c43694c60b22
912856b432d794201884c36e5f390d446339b6e4

More information

For further information and in case of questions, please contact the
phpMyAdmin team. Our website is phpmyadmin.net.

----------------------------------------------------------------------------

PMASA-2016-5

Announcement-ID: PMASA-2016-5

Date: 2016-01-24

Summary

Unsafe comparison of XSRF/CSRF token.

Description

The comparison of the XSRF/CSRF token parameter with the value saved in the
session is vulnerable to timing attacks. Moreover, the comparison could be
bypassed if the XSRF/CSRF token matches a particular pattern.

Severity

We consider this vulnerability to be serious.

Affected Versions

Versions 4.0.x (prior to 4.0.10.13), 4.4.x (prior to 4.4.15.3) and 4.5.x
(prior to 4.5.4) are affected.

Solution

Upgrade to phpMyAdmin 4.0.10.13 or newer, 4.4.15.3 or newer, 4.5.4 or newer,
or apply the patches listed below.

References

Thanks to Emanuel Bronshtein @e3amn2l for reporting this vulnerability.
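The two token defects described in PMASA-2016-2 (weak token generation) and PMASA-2016-5 (loose, non-constant-time token comparison), each beside a hardened form, as an added PHP example that is not phpMyAdmin's own code. The weak_token() construction and all function names are assumptions for illustration; random_bytes() requires PHP 7.0 or newer.

```php
<?php
// Added example, not phpMyAdmin's code: the token defects described in
// PMASA-2016-2 and PMASA-2016-5, each beside a hardened form.
// Assumes PHP >= 7.0 (random_bytes); hash_equals exists since PHP 5.6.

// ---- PMASA-2016-2: token generation (CWE-338) --------------------------

// Weak (illustrative construction, not the project's code): uniqid() is
// clock-derived and mt_rand() is not a CSPRNG, so the token is guessable
// by anyone who can narrow down the request time and the generator state.
function weak_token(): string
{
    return md5(uniqid((string) mt_rand(), true));
}

// Hardened: 32 bytes from the OS CSPRNG, hex-encoded to 64 characters.
function secure_token(): string
{
    return bin2hex(random_bytes(32));
}

// ---- PMASA-2016-5: token comparison (CWE-208) --------------------------

// Weak: == stops at the first differing byte, so the response time leaks
// how much of the token was right, and it applies PHP type juggling, so
// two different strings that both parse as the same number compare equal.
function weak_token_check(string $submitted, string $session): bool
{
    return $submitted == $session;
}

// Hardened: hash_equals() takes time independent of where the strings
// differ and returns true only for byte-identical input. The known-good
// session value is the first argument, as its signature requires.
function secure_token_check(string $submitted, string $session): bool
{
    return hash_equals($session, $submitted);
}

// Self-check with constructed values; throws if the hardened form misbehaves.
$token = secure_token();
if (strlen($token) !== 64
    || !secure_token_check($token, $token)
    || secure_token_check('0e111', '0e222')) {
    throw new RuntimeException('hardened token handling failed self-check');
}
echo "secure_token_check accepts byte-identical tokens only\n";
echo 'weak_token_check on two different numeric strings: ',
    var_export(weak_token_check('0e111', '0e222'), true), "\n";
```

The same rule applies to any other secret compared on the server (API keys, password-reset tokens): generate with random_bytes() and compare with hash_equals().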
Assigned CVE ids: CVE-2016-2041

CWE ids: CWE-661 CWE-208

Patches

The following commits have been made on the 4.0 branch to fix this issue:

fe62b69a5b032de8e1d9d0a04456c1cecf46428c

The following commits have been made on the 4.4 branch to fix this issue:

3303b3d6c304d71da4a7d242307bf449aaa955c5

The following commits have been made on the 4.5 branch to fix this issue:

ec0e88e37ef30a66eada1c072953f4ec385a3e49

More information

For further information and in case of questions, please contact the
phpMyAdmin team. Our website is phpmyadmin.net.

----------------------------------------------------------------------------

PMASA-2016-6

Announcement-ID: PMASA-2016-6

Date: 2016-01-24

Summary

Multiple full path disclosure vulnerabilities.

Description

By calling some scripts that are part of phpMyAdmin in an unexpected way, it
is possible to trigger phpMyAdmin to display a PHP error message which
contains the full path of the directory where phpMyAdmin is installed.

Severity

We consider these vulnerabilities to be non-critical.

Mitigation factor

This path disclosure is possible only on servers where the PHP configuration
directive display_errors is set to on, which is against the recommendations
given in the PHP manual for a production server.

Affected Versions

Versions 4.4.x (prior to 4.4.15.3) and 4.5.x (prior to 4.5.4) are affected.

Solution

Upgrade to phpMyAdmin 4.4.15.3 or newer, 4.5.4 or newer, or apply the
patches listed below.

References

Thanks to Emanuel Bronshtein @e3amn2l for reporting these vulnerabilities.
Assigned CVE ids: CVE-2016-2042

CWE ids: CWE-661 CWE-200

Patches

The following commits have been made on the 4.4 branch to fix this issue:

3b96f3600651163b8c1d9b6ff7ebd0b142412993

The following commits have been made on the 4.5 branch to fix this issue:

5a3de108f26e4b0dddadddbe8ccdb1dd5526771f

More information

For further information and in case of questions, please contact the
phpMyAdmin team. Our website is phpmyadmin.net.

----------------------------------------------------------------------------

PMASA-2016-7

Announcement-ID: PMASA-2016-7

Date: 2016-01-24

Summary

XSS vulnerability in normalization page.

Description

With a crafted table name it is possible to trigger an XSS attack in the
database normalization page.

Severity

We consider this vulnerability to be non-critical.

Mitigation factor

This vulnerability can be triggered only by someone who is logged in to
phpMyAdmin, as the usual token protection prevents non-logged-in users from
accessing the required page.

Affected Versions

Versions 4.4.x (prior to 4.4.15.3) and 4.5.x (prior to 4.5.4) are affected.

Solution

Upgrade to phpMyAdmin 4.4.15.3 or newer, 4.5.4 or newer, or apply the
patches listed below.

References

Thanks to Emanuel Bronshtein @e3amn2l for reporting this vulnerability.

Assigned CVE ids: CVE-2016-2043

CWE ids: CWE-661 CWE-79

Patches

The following commits have been made on the 4.4 branch to fix this issue:

8f86713de6163ccd0f8bd9987251a9d17feaee18

The following commits have been made on the 4.5 branch to fix this issue:

019c4f25d500ec5db9ba3b84cc961a7e4e850738

More information

For further information and in case of questions, please contact the
phpMyAdmin team. Our website is phpmyadmin.net.

----------------------------------------------------------------------------

PMASA-2016-8

Announcement-ID: PMASA-2016-8

Date: 2016-01-24

Summary

Full path disclosure vulnerability in SQL parser.
Description

By calling a particular script that is part of phpMyAdmin in an unexpected
way, it is possible to trigger phpMyAdmin to display a PHP error message
which contains the full path of the directory where phpMyAdmin is installed.

Severity

We consider this vulnerability to be non-critical.

Mitigation factor

This path disclosure is possible only on servers where the PHP configuration
directive display_errors is set to on, which is against the recommendations
given in the PHP manual for a production server.

Affected Versions

Versions 4.5.x (prior to 4.5.4) are affected.

Solution

Upgrade to phpMyAdmin 4.5.4 or newer, or apply the patch listed below.

References

Thanks to Emanuel Bronshtein @e3amn2l for reporting this vulnerability.

Assigned CVE ids: CVE-2016-2044

CWE ids: CWE-661 CWE-200

Patches

The following commit has been made on the 4.5 branch to fix this issue:

c57d3cc7b97b5f32801032f7bb222297aa97dfea

More information

For further information and in case of questions, please contact the
phpMyAdmin team. Our website is phpmyadmin.net.

----------------------------------------------------------------------------

PMASA-2016-9

Announcement-ID: PMASA-2016-9

Date: 2016-01-24

Summary

XSS vulnerability in SQL editor.

Description

With a crafted SQL query, it is possible to trigger an XSS attack in the SQL
editor.

Severity

We consider this vulnerability to be non-critical.

Mitigation factor

This vulnerability can be triggered only by someone who is logged in to
phpMyAdmin, as the usual token protection prevents non-logged-in users from
accessing the required pages.

Affected Versions

Versions 4.5.x (prior to 4.5.4) are affected.

Solution

Upgrade to phpMyAdmin 4.5.4 or newer, or apply the patches listed below.

References

Thanks to Emanuel Bronshtein @e3amn2l for reporting this vulnerability.
Assigned CVE ids: CVE-2016-2045

CWE ids: CWE-661 CWE-79

Patches

The following commits have been made on the 4.5 branch to fix this issue:

0a24f92d081033576bfdd9d4bdec1a54501734c1
11496890d7e21786cbfd9fd17ab968f498116b3f

More information

For further information and in case of questions, please contact the
phpMyAdmin team. Our website is phpmyadmin.net.

---------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you
do not know who that is, please send an email to auscert@auscert.org.au and
we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your
organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting
on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at a
later date, it is recommended that the bulletin is retrieved directly from
the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================