-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2016.1592
        Multiple vulnerabilities have been identified in phpMyAdmin
                               24 June 2016

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           phpMyAdmin
Publisher:         phpMyAdmin
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account
                   Cross-site Request Forgery      -- Remote with User Interaction
                   Cross-site Scripting            -- Remote with User Interaction
                   Denial of Service               -- Remote with User Interaction
                   Access Confidential Data        -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2016-5739 CVE-2016-5734 CVE-2016-5733 CVE-2016-5732
                   CVE-2016-5731 CVE-2016-5730 CVE-2016-5706 CVE-2016-5705
                   CVE-2016-5704 CVE-2016-5703

Original Bulletin:
   https://www.phpmyadmin.net/security/PMASA-2016-19/
   https://www.phpmyadmin.net/security/PMASA-2016-20/
   https://www.phpmyadmin.net/security/PMASA-2016-21/
   https://www.phpmyadmin.net/security/PMASA-2016-22/
   https://www.phpmyadmin.net/security/PMASA-2016-23/
   https://www.phpmyadmin.net/security/PMASA-2016-24/
   https://www.phpmyadmin.net/security/PMASA-2016-25/
   https://www.phpmyadmin.net/security/PMASA-2016-26/
   https://www.phpmyadmin.net/security/PMASA-2016-27/
   https://www.phpmyadmin.net/security/PMASA-2016-28/

Comment: This bulletin contains ten (10) phpMyAdmin security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

PMASA-2016-19

Announcement-ID: PMASA-2016-19
Date: 2016-06-23

Summary

SQL injection attack

Description

A vulnerability was discovered that allows an SQL injection attack to run
arbitrary commands as the control user.
Severity

We consider this vulnerability to be serious.

Mitigation factor

This attack requires a controluser to exist and be configured in
`config.inc.php`, therefore the attack can be mitigated by temporarily
disabling the controluser.

Affected Versions

Versions 4.6.x (prior to 4.6.3) and 4.4.x (prior to 4.4.15.7) are affected.

Solution

Upgrade to phpMyAdmin 4.6.3, 4.4.15.7 or newer or apply the patch listed below.

References

Thanks to Brian "geeknik" Carpenter for reporting this vulnerability.

Assigned CVE ids: CVE-2016-5703

CWE ids: CWE-661

Patches

The following commits have been made on the 4.6 branch to fix this issue:

ef6c66dca1b0cb0a1a482477938cfc859d2baee3

The following commits have been made on the 4.4 branch to fix this issue:

8a0705008b9b79c9579d1b23ce3fb323b33ea32f

More information

For further information and in case of questions, please contact the
phpMyAdmin team. Our website is phpmyadmin.net.

- ---

PMASA-2016-20

Announcement-ID: PMASA-2016-20
Date: 2016-06-23

Summary

XSS on table structure page

Description

An XSS vulnerability was discovered on the table structure page.

Severity

We consider this to be a serious vulnerability.

Affected Versions

All 4.6.x versions (prior to 4.6.3) are affected.

Solution

Upgrade to phpMyAdmin 4.6.3 or newer or apply the patch listed below.

References

Thanks to Nils Juenemann @totally_unknown for reporting this vulnerability.

Assigned CVE ids: CVE-2016-5704

CWE ids: CWE-661

Patches

The following commits have been made on the 4.6 branch to fix this issue:

72213573182896bd6a6e5af5ba1881dd87c4a20b

More information

For further information and in case of questions, please contact the
phpMyAdmin team. Our website is phpmyadmin.net.

- ---

PMASA-2016-21

Announcement-ID: PMASA-2016-21
Date: 2016-06-23

Summary

Multiple XSS vulnerabilities

Description

An XSS vulnerability was discovered on the user privileges page.
An XSS vulnerability was discovered in the error console.
An XSS vulnerability was discovered in the central columns feature.
An XSS vulnerability was discovered in the query bookmarks feature.
An XSS vulnerability was discovered in the user groups feature.

Severity

We consider this to be a serious vulnerability.

Affected Versions

All 4.4.x versions (prior to 4.4.15.7) and 4.6.x versions (prior to 4.6.3)
are affected.

Solution

Upgrade to phpMyAdmin 4.4.15.7 or 4.6.3 or newer or apply the patch listed below.

References

Thanks to Nils Juenemann @totally_unknown and Emanuel Bronshtein @e3amn2l
for reporting these vulnerabilities.

Assigned CVE ids: CVE-2016-5705

CWE ids: CWE-661

Patches

The following commits have been made on the 4.4 branch to fix this issue:

945ec9e a31d7f4 d4ce93c ef2da77 9be01a7

The following commits have been made on the 4.6 branch to fix this issue:

03f73d4 364732e 57ae483 0b7416c 36df83a

More information

For further information and in case of questions, please contact the
phpMyAdmin team. Our website is phpmyadmin.net.

- ---

PMASA-2016-22

Announcement-ID: PMASA-2016-22
Date: 2016-06-23

Summary

DOS attack

Description

A Denial Of Service (DOS) attack was discovered in the way phpMyAdmin loads
some JavaScript files.

Severity

We consider this to be of moderate severity.

Affected Versions

All 4.6.x versions (prior to 4.6.3), 4.4.x versions (prior to 4.4.15.7),
and 4.0.x versions (prior to 4.0.10.16) are affected.

Solution

Upgrade to phpMyAdmin 4.6.3, 4.4.15.7, or 4.0.10.16 or newer or apply the
patch listed below.

References

Thanks to Deniz Cevik from Biznet Bilisim for reporting this vulnerability.

Assigned CVE ids: CVE-2016-5706

CWE ids: CWE-661

Patches

The following commits have been made on the 4.0 branch to fix this issue:

75724a3 805225a

The following commits have been made on the 4.4 branch to fix this issue:

abb3685 9de4114

The following commits have been made on the 4.6 branch to fix this issue:

4767f24

More information

For further information and in case of questions, please contact the
phpMyAdmin team. Our website is phpmyadmin.net.
- ---

PMASA-2016-23

Announcement-ID: PMASA-2016-23
Date: 2016-06-23

Summary

Multiple full path disclosure vulnerabilities

Description

This PMASA contains information on multiple full-path disclosure
vulnerabilities reported in phpMyAdmin. By specially crafting requests in
the following areas, it is possible to trigger phpMyAdmin to display a PHP
error message which contains the full path of the directory where
phpMyAdmin is installed.

1. Setup script
2. Example OpenID authentication script

Severity

We consider these vulnerabilities to be non-critical.

Mitigation factor

To mitigate these issues, it is possible to remove the setup script and
examples subdirectories: ./setup/ and ./examples/

Affected Versions

All 4.6.x versions (prior to 4.6.3), 4.4.x versions (prior to 4.4.15.7),
and 4.0.x versions (prior to 4.0.10.16) are affected.

Solution

Upgrade to phpMyAdmin 4.6.3, 4.4.15.7, or 4.0.10.16 or newer or apply the
patches listed below.

References

Thanks to Emanuel Bronshtein @e3amn2l for reporting these vulnerabilities.

Assigned CVE ids: CVE-2016-5730

CWE ids: CWE-661

Patches

The following commits have been made on the 4.0 branch to fix this issue:

c9faf85 e1eb5e8 96c6a7c fa7a9b7 c795a39

The following commits have been made on the 4.4 branch to fix this issue:

3108270 961453b 3014c4a abe88ed 70e917c

The following commits have been made on the 4.6 branch to fix this issue:

b0180f1 96e0aa3 cd229d7 331c560 2766460

More information

For further information and in case of questions, please contact the
phpMyAdmin team. Our website is phpmyadmin.net.

- ---

PMASA-2016-24

Announcement-ID: PMASA-2016-24
Date: 2016-06-23

Summary

XSS through FPD

Description

With a specially crafted request, it is possible to trigger an XSS attack
through the example OpenID authentication script.

Severity

We do not consider this vulnerability to be severe, because it requires a
non-standard PHP setting for html_errors.
Mitigation factor

The attack requires html_errors = Off in php.ini, so it can be mitigated by
setting html_errors = On. As an alternative mitigation, the
./examples/openid.php file can be removed.

Affected Versions

All 4.6.x versions (prior to 4.6.3), 4.4.x versions (prior to 4.4.15.7),
and 4.0.x versions (prior to 4.0.10.16) are affected.

Solution

Upgrade to phpMyAdmin 4.6.3, 4.4.15.7, or 4.0.10.16 or newer or apply the
patch listed below.

References

Thanks to Emanuel Bronshtein @e3amn2l for reporting this vulnerability.

Assigned CVE ids: CVE-2016-5731

CWE ids: CWE-661

Patches

The following commits have been made on the 4.0 branch to fix this issue:

5fefa51 78f6c54

The following commits have been made on the 4.4 branch to fix this issue:

52e7898 d005ba6

The following commits have been made on the 4.6 branch to fix this issue:

94cf386 418aeea

More information

For further information and in case of questions, please contact the
phpMyAdmin team. Our website is phpmyadmin.net.

- ---

PMASA-2016-25

Announcement-ID: PMASA-2016-25
Date: 2016-06-23

Summary

XSS in partition range functionality

Description

A vulnerability was reported allowing specially crafted table parameters to
cause an XSS attack through the table structure page.

Severity

We consider this vulnerability to be severe.

Affected Versions

All 4.6.x versions (prior to 4.6.3) are affected.

Solution

Upgrade to phpMyAdmin 4.6.3 or newer or apply the patch listed below.

References

Thanks to Emanuel Bronshtein @e3amn2l and Nils Juenemann @totally_unknown
for reporting these vulnerabilities.

Assigned CVE ids: CVE-2016-5732

CWE ids: CWE-661

Patches

The following commits have been made on the 4.6 branch to fix this issue:

0815af3 792cd12

More information

For further information and in case of questions, please contact the
phpMyAdmin team. Our website is phpmyadmin.net.
- ---

PMASA-2016-26

Announcement-ID: PMASA-2016-26
Date: 2016-06-23

Summary

Multiple XSS vulnerabilities

Description

- A vulnerability was reported allowing a specially crafted table name to
  cause an XSS attack through the functionality to check database
  privileges. This XSS doesn't exist in some translations due to different
  quotes being used there (eg. Czech).
- A vulnerability was reported allowing a specifically-configured MySQL
  server to execute an XSS attack. This particular attack requires
  configuring the MySQL server log_bin directive with the payload.
- Several XSS vulnerabilities were found with the Transformation feature.
- Several XSS vulnerabilities were found in AJAX error handling.
- Several XSS vulnerabilities were found in the Designer feature.
- An XSS vulnerability was found in the charts feature.
- An XSS vulnerability was found in the zoom search feature.

Severity

We consider these attacks to be of moderate severity.

Affected Versions

All 4.6.x versions (prior to 4.6.3), 4.4.x versions (prior to 4.4.15.7),
and 4.0.x versions (prior to 4.0.10.16) are affected.

Solution

Upgrade to phpMyAdmin 4.6.3, 4.4.15.7, or 4.0.10.16 or newer or apply the
patches listed below.

References

Thanks to Emanuel Bronshtein @e3amn2l, Nils Juenemann @totally_unknown and
Mario Heiderich, Cure53 for reporting these vulnerabilities.

Assigned CVE ids: CVE-2016-5733

CWE ids: CWE-661

Patches

The following commits have been made on the 4.0 branch to fix this issue:

975089b f662d59 288efea 02971f7 abfd979 b04150e b974b56 9b6f64b

The following commits have been made on the 4.4 branch to fix this issue:

d184e4d e5ab397 feb911e c14709f 50bf399 42ff2c1 5b7a055 98514fa

The following commits have been made on the 4.6 branch to fix this issue:

8716855 d648ade be3ecbb 895a131 7966161 615212a 4d21b5c 960fd1f

More information

For further information and in case of questions, please contact the
phpMyAdmin team. Our website is phpmyadmin.net.
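The advisories above share three affected-version ranges (4.6.x prior to 4.6.3, 4.4.x prior to 4.4.15.7, 4.0.x prior to 4.0.10.16) and name concrete mitigation factors (a configured controluser, the ./setup/ and ./examples/ directories, html_errors in php.ini). The following check script is an added example, not part of the bulletin or of phpMyAdmin; it takes the installed version string and install directory as arguments, and assumes the controluser is set through the usual `$cfg['Servers'][$i]['controluser']` key in config.inc.php.

```python
"""Check a phpMyAdmin install against the affected-version ranges and the
mitigation factors listed in this bulletin (PMASA-2016-19 to -28).
Added example; not the bulletin's or phpMyAdmin's own code."""
import os
import re
import sys

# Fixed release per branch, as the advisories state it: a release on one
# of these branches that is older than the fixed one is affected.
FIXED = {(4, 6): (4, 6, 3), (4, 4): (4, 4, 15, 7), (4, 0): (4, 0, 10, 16)}

def parse_version(text):
    """'4.6.2' -> (4, 6, 2); suffixes such as '-rc1' are ignored."""
    m = re.match(r"(\d+(?:\.\d+)*)", text.strip())
    if not m:
        raise ValueError("unrecognised version: %r" % text)
    return tuple(int(p) for p in m.group(1).split("."))

def is_affected(version):
    """True if VERSION lies in a range the bulletin lists as affected;
    branches it does not name (e.g. 4.5.x) are reported as not affected."""
    v = parse_version(version)
    fixed = FIXED.get(v[:2])
    return fixed is not None and v < fixed

def controluser_configured(config_text):
    """PMASA-2016-19 needs a configured controluser: look for a non-empty,
    uncommented $cfg['Servers'][$i]['controluser'] = '...' in config.inc.php."""
    pat = re.compile(r"\$cfg\['Servers'\]\[\$i\]\['controluser'\]\s*=\s*'([^']*)'")
    for line in config_text.splitlines():
        if line.lstrip().startswith(("//", "#")):
            continue
        m = pat.search(line)
        if m and m.group(1).strip():
            return True
    return False

def html_errors_off(ini_text):
    """PMASA-2016-24 needs html_errors = Off in php.ini; PHP's default is On."""
    for line in ini_text.splitlines():
        m = re.match(r"\s*html_errors\s*=\s*(\w+)", line)
        if m:
            return m.group(1).lower() in ("off", "0", "false", "no")
    return False

def main(argv):
    version, root = argv[1], argv[2]
    print("version %s affected: %s" % (version, is_affected(version)))
    for sub in ("setup", "examples"):  # PMASA-2016-23/24: remove these
        print("%s/ present: %s" % (sub, os.path.isdir(os.path.join(root, sub))))
    with open(os.path.join(root, "config.inc.php")) as f:
        print("controluser configured: %s" % controluser_configured(f.read()))

if __name__ == "__main__":
    main(sys.argv)
```

Run it as `python pma_check.py 4.6.2 /var/www/phpmyadmin`; `html_errors_off()` can be applied to the contents of the server's php.ini in the same way.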
- ---

PMASA-2016-27

Announcement-ID: PMASA-2016-27
Date: 2016-06-23

Summary

Unsafe handling of preg_replace parameters

Description

In some versions of PHP, it's possible for an attacker to pass parameters
to the preg_replace() function which can allow the execution of arbitrary
PHP code. This code is not properly sanitized in phpMyAdmin as part of the
table search and replace feature.

Severity

We consider this vulnerability to be of moderate severity.

Mitigation factor

Using PHP version 5.4.6 or newer doesn't allow null termination of the
preg_replace string parameter. PHP since 7.0 doesn't allow code execution
in preg_replace at all.

Affected Versions

All 4.6.x versions (prior to 4.6.3), 4.4.x versions (prior to 4.4.15.7),
and 4.0.x versions (prior to 4.0.10.16) are affected.

Solution

Upgrade to phpMyAdmin 4.6.3, 4.4.15.7, or 4.0.10.16 or newer or apply the
patch listed below.

References

Thanks to Michal Čihař and Cure53 using RIPS for discovering these
vulnerabilities.

Assigned CVE ids: CVE-2016-5734

CWE ids: CWE-661

Patches

The following commits have been made on the 4.0 branch to fix this issue:

351019c

The following commits have been made on the 4.4 branch to fix this issue:

33d1373 daf3751

The following commits have been made on the 4.6 branch to fix this issue:

4bcc606 1cc7466

More information

For further information and in case of questions, please contact the
phpMyAdmin team. Our website is phpmyadmin.net.

- ---

PMASA-2016-28

Announcement-ID: PMASA-2016-28
Date: 2016-06-23

Summary

Referrer leak in transformations

Description

A vulnerability was reported where a specially crafted Transformation could
be used to leak information including the authentication token. This could
be used to direct a CSRF attack against a user.

Furthermore, the CSP code used in version 4.0.x is outdated and has been
updated to more modern standards.
Severity

We consider this to be of moderate severity.

Affected Versions

All 4.6.x versions (prior to 4.6.3), 4.4.x versions (prior to 4.4.15.7),
and 4.0.x versions (prior to 4.0.10.16) are affected.

Solution

Upgrade to phpMyAdmin 4.6.3, 4.4.15.7, or 4.0.10.16 or newer or apply the
patch listed below.

References

Thanks to Emanuel Bronshtein @e3amn2l for reporting this vulnerability.

Assigned CVE ids: CVE-2016-5739

CWE ids: CWE-661

Patches

The following commits have been made on the 4.0 branch to fix this issue:

3287519 8c336ba

The following commits have been made on the 4.4 branch to fix this issue:

22ad8b6 adfec38

The following commits have been made on the 4.6 branch to fix this issue:

1e5716c 2f49508

More information

For further information and in case of questions, please contact the
phpMyAdmin team. Our website is phpmyadmin.net.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================