===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2016.1592
        Multiple vulnerabilities have been identified in phpMyAdmin
                               24 June 2016

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           phpMyAdmin
Publisher:         phpMyAdmin
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account            
                   Cross-site Request Forgery      -- Remote with User Interaction
                   Cross-site Scripting            -- Remote with User Interaction
                   Denial of Service               -- Remote with User Interaction
                   Access Confidential Data        -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2016-5739 CVE-2016-5734 CVE-2016-5733
                   CVE-2016-5732 CVE-2016-5731 CVE-2016-5730
                   CVE-2016-5706 CVE-2016-5705 CVE-2016-5704
                   CVE-2016-5703  

Original Bulletin: 
   https://www.phpmyadmin.net/security/PMASA-2016-19/
   https://www.phpmyadmin.net/security/PMASA-2016-20/
   https://www.phpmyadmin.net/security/PMASA-2016-21/
   https://www.phpmyadmin.net/security/PMASA-2016-22/
   https://www.phpmyadmin.net/security/PMASA-2016-23/
   https://www.phpmyadmin.net/security/PMASA-2016-24/
   https://www.phpmyadmin.net/security/PMASA-2016-25/
   https://www.phpmyadmin.net/security/PMASA-2016-26/
   https://www.phpmyadmin.net/security/PMASA-2016-27/
   https://www.phpmyadmin.net/security/PMASA-2016-28/

Comment: This bulletin contains ten (10) phpMyAdmin security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

PMASA-2016-19

Announcement-ID: PMASA-2016-19

Date: 2016-06-23

Summary

SQL injection attack

Description

A vulnerability was discovered that allows an SQL injection attack to run 
arbitrary commands as the control user.

Severity

We consider this vulnerability to be serious

Mitigation factor

This attack requires a controluser to exist and be configured in 
`config.inc.php`, therefore the attack can be mitigated by temporarily 
disabling the controluser.

Affected Versions

Versions 4.6.x (prior to 4.6.3) and 4.4.x (prior to 4.4.15.7) are affected

Solution

Upgrade to phpMyAdmin 4.6.3, 4.4.15.7 or newer or apply patch listed below.

References

Thanks to Brian "geeknik" Carpenter for reporting this vulnerability.

Assigned CVE ids: CVE-2016-5703

CWE ids: CWE-661

Patches

The following commits have been made on the 4.6 branch to fix this issue:

    ef6c66dca1b0cb0a1a482477938cfc859d2baee3

The following commits have been made on the 4.4 branch to fix this issue:

    8a0705008b9b79c9579d1b23ce3fb323b33ea32f

More information

For further information and in case of questions, please contact the 
phpMyAdmin team. Our website is phpmyadmin.net.

- ---

PMASA-2016-20

Announcement-ID: PMASA-2016-20

Date: 2016-06-23

Summary

XSS on table structure page

Description

An XSS vulnerability was discovered on the table structure page

Severity

We consider this to be a serious vulnerability

Affected Versions

All 4.6.x versions (prior to 4.6.3) are affected

Solution

Upgrade to phpMyAdmin 4.6.3 or newer or apply patch listed below.

References

Thanks to Nils Juenemann @totally_unknown for reporting this vulnerability.

Assigned CVE ids: CVE-2016-5704

CWE ids: CWE-661

Patches

The following commits have been made on the 4.6 branch to fix this issue:

    72213573182896bd6a6e5af5ba1881dd87c4a20b

More information

For further information and in case of questions, please contact the 
phpMyAdmin team. Our website is phpmyadmin.net.

- ---

PMASA-2016-21

Announcement-ID: PMASA-2016-21

Date: 2016-06-23

Summary

Multiple XSS vulnerabilities

Description

    An XSS vulnerability was discovered on the user privileges page.

    An XSS vulnerability was discovered in the error console.

    An XSS vulnerability was discovered in the central columns feature.

    An XSS vulnerability was discovered in the query bookmarks feature.

    An XSS vulnerability was discovered in the user groups feature.

Severity

We consider this to be a serious vulnerability

Affected Versions

All 4.4.x versions (prior to 4.4.15.7) and 4.6.x versions (prior to 4.6.3) are
affected

Solution

Upgrade to phpMyAdmin 4.4.15.7 or 4.6.3 or newer or apply patch listed below.

References

Thanks to Nils Juenemann @totally_unknown and Emanuel Bronshtein @e3amn2l for
reporting these vulnerabilities.

Assigned CVE ids: CVE-2016-5705

CWE ids: CWE-661

Patches

The following commits have been made on the 4.4 branch to fix this issue:

    945ec9e

    a31d7f4

    d4ce93c

    ef2da77

    9be01a7

The following commits have been made on the 4.6 branch to fix this issue:

    03f73d4

    364732e

    57ae483

    0b7416c

    36df83a

More information

For further information and in case of questions, please contact the 
phpMyAdmin team. Our website is phpmyadmin.net.

- ---

PMASA-2016-22

Announcement-ID: PMASA-2016-22

Date: 2016-06-23

Summary

DoS attack

Description

A Denial of Service (DoS) attack was discovered in the way phpMyAdmin loads 
some JavaScript files.

Severity

We consider this to be of moderate severity

Affected Versions

All 4.6.x versions (prior to 4.6.3), 4.4.x versions (prior to 4.4.15.7), and 
4.0.x versions (prior to 4.0.10.16) are affected

Solution

Upgrade to phpMyAdmin 4.6.3, 4.4.15.7, or 4.0.10.16 or newer or apply patch 
listed below.

References

Thanks to Deniz Cevik from Biznet Bilisim for reporting this vulnerability.

Assigned CVE ids: CVE-2016-5706

CWE ids: CWE-661

Patches

The following commits have been made on the 4.0 branch to fix this issue:

    75724a3

    805225a

The following commits have been made on the 4.4 branch to fix this issue:

    abb3685

    9de4114

The following commits have been made on the 4.6 branch to fix this issue:

    4767f24

More information

For further information and in case of questions, please contact the 
phpMyAdmin team. Our website is phpmyadmin.net.

- ---

PMASA-2016-23

Announcement-ID: PMASA-2016-23

Date: 2016-06-23

Summary

Multiple full path disclosure vulnerabilities

Description

This PMASA contains information on multiple full-path disclosure 
vulnerabilities reported in phpMyAdmin.

By specially crafting requests in the following areas, it is possible to 
trigger phpMyAdmin to display a PHP error message which contains the full path
of the directory where phpMyAdmin is installed.

    1. Setup script

    2. Example OpenID authentication script

Severity

We consider these vulnerabilities to be non-critical.

Mitigation factor

To mitigate these issues, it is possible to remove the setup script and 
examples subdirectories: ./setup/ and ./examples/

Affected Versions

All 4.6.x versions (prior to 4.6.3), 4.4.x versions (prior to 4.4.15.7), and 
4.0.x versions (prior to 4.0.10.16) are affected

Solution

Upgrade to phpMyAdmin 4.6.3, 4.4.15.7, or 4.0.10.16 or newer or apply patches
listed below.

References

Thanks to Emanuel Bronshtein @e3amn2l for reporting these vulnerabilities.

Assigned CVE ids: CVE-2016-5730

CWE ids: CWE-661

Patches

The following commits have been made on the 4.0 branch to fix this issue:

    c9faf85

    e1eb5e8

    96c6a7c

    fa7a9b7

    c795a39

The following commits have been made on the 4.4 branch to fix this issue:

    3108270

    961453b

    3014c4a

    abe88ed

    70e917c

The following commits have been made on the 4.6 branch to fix this issue:

    b0180f1

    96e0aa3

    cd229d7

    331c560

    2766460

More information

For further information and in case of questions, please contact the 
phpMyAdmin team. Our website is phpmyadmin.net.

- ---

PMASA-2016-24

Announcement-ID: PMASA-2016-24

Date: 2016-06-23

Summary

XSS through FPD

Description

With a specially crafted request, it is possible to trigger an XSS attack 
through the example OpenID authentication script.

Severity

We do not consider this vulnerability to be severe, because it requires a 
non-standard PHP setting for html_errors.

Mitigation factor

The attack requires html_errors = Off in php.ini, so it can be mitigated by 
setting html_errors = On. As an alternative mitigation means, the 
./examples/openid.php file can be removed.

Affected Versions

All 4.6.x versions (prior to 4.6.3), 4.4.x versions (prior to 4.4.15.7), and 
4.0.x versions (prior to 4.0.10.16) are affected

Solution

Upgrade to phpMyAdmin 4.6.3, 4.4.15.7, or 4.0.10.16 or newer or apply patch 
listed below.

References

Thanks to Emanuel Bronshtein @e3amn2l for reporting this vulnerability.

Assigned CVE ids: CVE-2016-5731

CWE ids: CWE-661

Patches

The following commits have been made on the 4.0 branch to fix this issue:

    5fefa51

    78f6c54

The following commits have been made on the 4.4 branch to fix this issue:

    52e7898

    d005ba6

The following commits have been made on the 4.6 branch to fix this issue:

    94cf386

    418aeea

More information

For further information and in case of questions, please contact the 
phpMyAdmin team. Our website is phpmyadmin.net.

- ---

PMASA-2016-25

Announcement-ID: PMASA-2016-25

Date: 2016-06-23

Summary

XSS in partition range functionality

Description

A vulnerability was reported that allows specially crafted table parameters to
cause an XSS attack through the table structure page.

Severity

We consider this vulnerability to be severe.

Affected Versions

All 4.6.x versions (prior to 4.6.3) are affected

Solution

Upgrade to phpMyAdmin 4.6.3 or newer or apply patch listed below.

References

Thanks to Emanuel Bronshtein @e3amn2l and Nils Juenemann @totally_unknown for
reporting these vulnerabilities.

Assigned CVE ids: CVE-2016-5732

CWE ids: CWE-661

Patches

The following commits have been made on the 4.6 branch to fix this issue:

    0815af3

    792cd12

More information

For further information and in case of questions, please contact the 
phpMyAdmin team. Our website is phpmyadmin.net.

- ---

PMASA-2016-26

Announcement-ID: PMASA-2016-26

Date: 2016-06-23

Summary

Multiple XSS vulnerabilities

Description

    - A vulnerability was reported allowing a specially crafted table name
      to cause an XSS attack through the functionality to check database
      privileges.

      - This XSS doesn't exist in some translations due to different
        quotes being used there (e.g. Czech).

    - A vulnerability was reported allowing a specifically-configured
      MySQL server to execute an XSS attack. This particular attack requires
      configuring the MySQL server log_bin directive with the payload.

    - Several XSS vulnerabilities were found in the Transformation
      feature.

    - Several XSS vulnerabilities were found in AJAX error handling.

    - Several XSS vulnerabilities were found in the Designer feature.

    - An XSS vulnerability was found in the charts feature.

    - An XSS vulnerability was found in the zoom search feature.

Severity

We consider these attacks to be of moderate severity.

Affected Versions

All 4.6.x versions (prior to 4.6.3), 4.4.x versions (prior to 4.4.15.7), and 
4.0.x versions (prior to 4.0.10.16) are affected

Solution

Upgrade to phpMyAdmin 4.6.3, 4.4.15.7, or 4.0.10.16 or newer or apply patches
listed below.

References

Thanks to Emanuel Bronshtein @e3amn2l, Nils Juenemann @totally_unknown and 
Mario Heiderich, Cure53 for reporting these vulnerabilities.

Assigned CVE ids: CVE-2016-5733

CWE ids: CWE-661

Patches

The following commits have been made on the 4.0 branch to fix this issue:

    975089b

    f662d59

    288efea

    02971f7

    abfd979

    b04150e

    b974b56

    9b6f64b

The following commits have been made on the 4.4 branch to fix this issue:

    d184e4d

    e5ab397

    feb911e

    c14709f

    50bf399

    42ff2c1

    5b7a055

    98514fa

The following commits have been made on the 4.6 branch to fix this issue:

    8716855

    d648ade

    be3ecbb

    895a131

    7966161

    615212a

    4d21b5c

    960fd1f

More information

For further information and in case of questions, please contact the 
phpMyAdmin team. Our website is phpmyadmin.net.

- ---

PMASA-2016-27

Announcement-ID: PMASA-2016-27

Date: 2016-06-23

Summary

Unsafe handling of preg_replace parameters

Description

In some versions of PHP, it's possible for an attacker to pass parameters to 
the preg_replace() function which can allow the execution of arbitrary PHP 
code. This code is not properly sanitized in phpMyAdmin as part of the table 
search and replace feature.

Severity

We consider this vulnerability to be of moderate severity.

Mitigation factor

Using PHP version 5.4.6 or newer doesn't allow null termination of the 
preg_replace string parameter. PHP since 7.0 doesn't allow code execution in 
preg_replace at all.
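The kind of input check the advisory's fix calls for, as an added PHP 7.1+ example that is not phpMyAdmin's own code (function and constant names are assumptions): a user-supplied search pattern is validated for a sane delimiter, an allow-listed modifier set without `e`, and the absence of NUL bytes before preg_replace() ever sees it.

```php
<?php
// Added example (not phpMyAdmin's own code, names are illustrative): validate a
// user-supplied PCRE pattern before preg_replace() sees it, refusing the two
// inputs the advisory describes, the /e modifier and NUL-terminated patterns.
// Modifiers a search-and-replace form legitimately needs; 'e' is deliberately absent.
const SAFE_PCRE_MODIFIERS = 'imsxuUD';

/** Throw unless $pattern is a complete, delimited pattern with allow-listed modifiers. */
function assertSafeUserPattern(string $pattern): void
{
    // Before PHP 5.4.6 a NUL byte truncated the pattern inside PCRE, so the
    // modifiers inspected by PHP-side checks were not the ones PCRE applied.
    if (strpos($pattern, "\0") !== false) {
        throw new InvalidArgumentException('NUL byte in pattern');
    }
    // A PCRE delimiter must be non-alphanumeric, non-backslash, non-whitespace.
    $open = strlen($pattern) >= 2 ? $pattern[0] : ' ';
    if (ctype_alnum($open) || $open === '\\' || ctype_space($open)) {
        throw new InvalidArgumentException('missing or invalid delimiter');
    }
    // Bracket-style delimiters close with their counterpart.
    $pairs = ['(' => ')', '[' => ']', '{' => '}', '<' => '>'];
    $end = strrpos($pattern, $pairs[$open] ?? $open);
    if ($end === false || $end === 0) {
        throw new InvalidArgumentException('unterminated pattern');
    }
    // Everything after the closing delimiter is the modifier string.
    $modifiers = (string) substr($pattern, $end + 1);
    if (strspn($modifiers, SAFE_PCRE_MODIFIERS) !== strlen($modifiers)) {
        throw new InvalidArgumentException("disallowed modifier in '$modifiers'");
    }
    // Finally make sure PCRE itself accepts what is left.
    if (@preg_match($pattern, '') === false) {
        throw new InvalidArgumentException('pattern does not compile');
    }
}

/** Hardened replacement path: validate first, then let preg_replace() run. */
function safeUserReplace(string $pattern, string $replacement, string $subject): string
{
    assertSafeUserPattern($pattern);
    $result = preg_replace($pattern, $replacement, $subject);
    if ($result === null) {
        throw new RuntimeException('preg_replace failed, error ' . preg_last_error());
    }
    return $result;
}

// Constructed sample input: the first call succeeds, the second is refused.
echo safeUserReplace('/o+/i', '0', 'fOo boo'), "\n";
try {
    safeUserReplace('/o+/e', '0', 'foo');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

On PHP 7 and later the `e` modifier is already refused by preg_replace() itself, so the allow-list mainly protects installations still running PHP 5.x, where this advisory applies.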

Affected Versions

All 4.6.x versions (prior to 4.6.3), 4.4.x versions (prior to 4.4.15.7), and 
4.0.x versions (prior to 4.0.10.16) are affected

Solution

Upgrade to phpMyAdmin 4.6.3, 4.4.15.7, or 4.0.10.16 or newer or apply patch 
listed below.

References

Thanks to Michal Čihař and Cure53 using RIPS for discovering these 
vulnerabilities.

Assigned CVE ids: CVE-2016-5734

CWE ids: CWE-661

Patches

The following commits have been made on the 4.0 branch to fix this issue:

    351019c

The following commits have been made on the 4.4 branch to fix this issue:

    33d1373

    daf3751

The following commits have been made on the 4.6 branch to fix this issue:

    4bcc606

    1cc7466

More information

For further information and in case of questions, please contact the 
phpMyAdmin team. Our website is phpmyadmin.net.

- ---

PMASA-2016-28

Announcement-ID: PMASA-2016-28

Date: 2016-06-23

Summary

Referrer leak in transformations

Description

A vulnerability was reported where a specially crafted Transformation could be
used to leak information including the authentication token. This could be 
used to direct a CSRF attack against a user.

Furthermore, the CSP code used in version 4.0.x is outdated and has been 
updated to more modern standards.

Severity

We consider this to be of moderate severity

Affected Versions

All 4.6.x versions (prior to 4.6.3), 4.4.x versions (prior to 4.4.15.7), and 
4.0.x versions (prior to 4.0.10.16) are affected

Solution

Upgrade to phpMyAdmin 4.6.3, 4.4.15.7, or 4.0.10.16 or newer or apply patch 
listed below.

References

Thanks to Emanuel Bronshtein @e3amn2l for reporting this vulnerability.

Assigned CVE ids: CVE-2016-5739

CWE ids: CWE-661

Patches

The following commits have been made on the 4.0 branch to fix this issue:

    3287519

    8c336ba

The following commits have been made on the 4.4 branch to fix this issue:

    22ad8b6

    adfec38

The following commits have been made on the 4.6 branch to fix this issue:

    1e5716c

    2f49508

More information

For further information and in case of questions, please contact the 
phpMyAdmin team. Our website is phpmyadmin.net.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================