-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2016.2812
        Multiple vulnerabilities have been identified in phpMyAdmin
                              28 November 2016

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           phpMyAdmin
Publisher:         phpMyAdmin
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Modify Arbitrary Files          -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
                   Cross-site Request Forgery      -- Remote with User Interaction
                   Cross-site Scripting            -- Remote with User Interaction
                   Access Confidential Data        -- Remote/Unauthenticated
                   Reduced Security                -- Remote/Unauthenticated
Resolution:        Patch/Upgrade

Original Bulletin:
   https://www.phpmyadmin.net/security/PMASA-2016-62/
   https://www.phpmyadmin.net/security/PMASA-2016-63/
   https://www.phpmyadmin.net/security/PMASA-2016-64/
   https://www.phpmyadmin.net/security/PMASA-2016-65/
   https://www.phpmyadmin.net/security/PMASA-2016-66/
   https://www.phpmyadmin.net/security/PMASA-2016-67/
   https://www.phpmyadmin.net/security/PMASA-2016-68/
   https://www.phpmyadmin.net/security/PMASA-2016-69/
   https://www.phpmyadmin.net/security/PMASA-2016-70/
   https://www.phpmyadmin.net/security/PMASA-2016-71/

Comment: This bulletin contains ten (10) phpMyAdmin security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

PMASA-2016-62

Announcement-ID: PMASA-2016-62
Date: 2016-11-25

Summary

Bypass logout timeout

Description

With a crafted request parameter value it is possible to bypass the logout
timeout.

Severity

We consider this vulnerability to be of moderate severity.

Affected Versions

All 4.6.x versions (prior to 4.6.5), and 4.4.x versions (prior to 4.4.15.9)
are affected.
Solution

Upgrade to phpMyAdmin 4.6.5, 4.4.15.9 or newer or apply the patches listed
below.

References

Thanks to Emanuel Bronshtein @e3amn2l for reporting this vulnerability.

Assigned CVE ids: Not yet assigned

CWE ids: CWE-661

Patches

The following commits have been made on the 4.4 branch to fix this issue:

8ee12d3

The following commits have been made on the 4.6 branch to fix this issue:

fbad6b9

More information

For further information and in case of questions, please contact the
phpMyAdmin team. Our website is phpmyadmin.net.

- ---

PMASA-2016-63

Announcement-ID: PMASA-2016-63
Date: 2016-11-25

Summary

Multiple full path disclosure vulnerabilities

Description

By calling some scripts that are part of phpMyAdmin in an unexpected way, it
is possible to trigger phpMyAdmin to display a PHP error message which
contains the full path of the directory where phpMyAdmin is installed.

During an execution timeout in the export functionality, the errors
containing the full path of the phpMyAdmin directory are written to the
export file.

Severity

We consider these vulnerabilities to be non-critical.

Affected Versions

All 4.6.x versions (prior to 4.6.5), and 4.4.x versions (prior to 4.4.15.9)
are affected.

Solution

Upgrade to phpMyAdmin 4.6.5, 4.4.15.9, or newer or apply the patches listed
below.

References

Thanks to Emanuel Bronshtein @e3amn2l for reporting this vulnerability.

Assigned CVE ids: Not yet assigned

CWE ids: CWE-661

Patches

The following commits have been made on the 4.4 branch to fix this issue:

6735d83
ebcd746

The following commits have been made on the 4.6 branch to fix this issue:

6197613
cf83d6a

More information

For further information and in case of questions, please contact the
phpMyAdmin team. Our website is phpmyadmin.net.
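Detection logic for the disclosure class described in PMASA-2016-63, as an added example in Python (not phpMyAdmin code): it scans a page body or an export file for PHP error lines that carry an absolute filesystem path, which is what a regression test or response monitor would check for after patching. It assumes PHP's default error line format; the sample text and the paths in it are constructed and are not phpMyAdmin's real layout.

```python
import re

# PHP's default error line, after any html_errors markup is stripped:
#   Warning: msg in /path/file.php on line 42   (or C:\path\file.php on Windows)
_PHP_ERROR = re.compile(
    r"(?P<level>Fatal error|Parse error|Warning|Notice|Deprecated):\s*"
    r"(?P<msg>.*?)\s+in\s+(?P<path>(?:[A-Za-z]:\\|/)[^\s:]+?)\s+on line\s+(?P<line>\d+)"
)
_TAG = re.compile(r"<[^>]+>")

def find_path_disclosures(text: str) -> list:
    """Return one record per PHP error line that reveals an absolute path."""
    found = []
    for m in _PHP_ERROR.finditer(_TAG.sub("", text)):
        path = m.group("path")
        sep = "\\" if "\\" in path else "/"
        found.append({"level": m.group("level"), "path": path,
                      "install_dir": path.rsplit(sep, 1)[0],
                      "line": int(m.group("line"))})
    return found

def disclosed_directories(text: str) -> set:
    """The set of server directories that `text` reveals."""
    return {hit["install_dir"] for hit in find_path_disclosures(text)}

# Constructed sample: an HTML-wrapped warning from a page body, a plain-text
# timeout error as it might land in an export file, and a Windows-style notice.
SAMPLE = (
    '<br />\n<b>Warning</b>:  include(libraries/missing.php): failed to open '
    'stream: No such file or directory in <b>/var/www/html/pma/index.php</b> '
    'on line <b>42</b><br />\n'
    'Fatal error: Maximum execution time of 30 seconds exceeded in '
    '/var/www/html/pma/libraries/export.php on line 1234\n'
    'Notice: Undefined index: db in C:\\inetpub\\wwwroot\\pma\\index.php on line 7\n'
)

if __name__ == "__main__":
    for hit in find_path_disclosures(SAMPLE):
        print(hit["level"], "reveals", hit["install_dir"])
```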
- ---

PMASA-2016-64

Announcement-ID: PMASA-2016-64
Date: 2016-11-25

Summary

Multiple XSS vulnerabilities

Description

Several XSS vulnerabilities have been reported, including an improper fix for
PMASA-2016-10 and a weakness in a regular expression used in some JavaScript
processing.

Severity

We consider this vulnerability to be non-critical.

Affected Versions

All 4.6.x versions (prior to 4.6.5), 4.4.x versions (prior to 4.4.15.9), and
4.0.x versions (prior to 4.0.10.18) are affected.

Solution

Upgrade to phpMyAdmin 4.6.5, 4.4.15.9, 4.0.10.18, or newer or apply the
patches listed below.

References

Thanks to Emanuel Bronshtein @e3amn2l for reporting this vulnerability.

Assigned CVE ids: Not yet assigned

CWE ids: CWE-661 CWE-352

Patches

The following commits have been made on the 4.0 branch to fix this issue:

c2f7a89
b2605eb

The following commits have been made on the 4.4 branch to fix this issue:

4141d69
9473688

The following commits have been made on the 4.6 branch to fix this issue:

6e3282e
3ef6201

More information

For further information and in case of questions, please contact the
phpMyAdmin team. Our website is phpmyadmin.net.

- ---

PMASA-2016-65

Announcement-ID: PMASA-2016-65
Date: 2016-11-25

Summary

Multiple DOS vulnerabilities

Description

With a crafted request parameter value it is possible to initiate a denial of
service attack in the saved searches feature.

With a crafted request parameter value it is possible to initiate a denial of
service attack in the import feature.

An unauthenticated user can execute a denial of service attack when phpMyAdmin
is running with $cfg['AllowArbitraryServer']=true;.

Severity

We consider these vulnerabilities to be of moderate severity.

Affected Versions

All 4.6.x versions (prior to 4.6.5), 4.4.x versions (prior to 4.4.15.9), and
4.0.x versions (prior to 4.0.10.18) are affected.

Solution

Upgrade to phpMyAdmin 4.6.5, 4.4.15.9, 4.0.10.18, or newer or apply the
patches listed below.
References

Thanks to Emanuel Bronshtein @e3amn2l for reporting this vulnerability.

Assigned CVE ids: Not yet assigned

CWE ids: CWE-661 CWE-400

Patches

The following commits have been made on the 4.0 branch to fix this issue:

6770062
0c3dfd1
6703597

The following commits have been made on the 4.4 branch to fix this issue:

fa3bcff
38e4f77
a9e3827

The following commits have been made on the 4.6 branch to fix this issue:

45e33d6
283f5d1
8119464

More information

For further information and in case of questions, please contact the
phpMyAdmin team. Our website is phpmyadmin.net.

- ---

PMASA-2016-66

Announcement-ID: PMASA-2016-66
Date: 2016-11-25

Summary

Bypass white-list protection for URL redirection

Description

Due to a limitation in URL matching, it was possible to bypass the URL
white-list protection.

Severity

We consider this vulnerability to be of moderate severity.

Affected Versions

All 4.6.x versions (prior to 4.6.5), 4.4.x versions (prior to 4.4.15.9), and
4.0.x versions (prior to 4.0.10.18) are affected.

Solution

Upgrade to phpMyAdmin 4.6.5, 4.4.15.9, 4.0.10.18, or newer or apply the
patches listed below.

References

Thanks to Emanuel Bronshtein @e3amn2l for reporting this vulnerability.

Assigned CVE ids: Not yet assigned

CWE ids: CWE-661 CWE-20 CWE-601

Patches

The following commits have been made on the 4.0 branch to fix this issue:

af7c589

The following commits have been made on the 4.4 branch to fix this issue:

499a61c

The following commits have been made on the 4.6 branch to fix this issue:

dac36c3

More information

For further information and in case of questions, please contact the
phpMyAdmin team. Our website is phpmyadmin.net.

- ---

PMASA-2016-67

Announcement-ID: PMASA-2016-67
Date: 2016-11-25

Summary

BBCode injection vulnerability

Description

With a crafted login request it is possible to inject BBCode in the login
page.

Severity

We consider this vulnerability to be severe.
Mitigation factor

This exploit requires phpMyAdmin to be configured with the "cookie"
auth_type; other authentication methods are not affected.

Affected Versions

All 4.6.x versions (prior to 4.6.5) are affected.

Solution

Upgrade to phpMyAdmin 4.6.5 or newer or apply the patch listed below.

References

Thanks to Emanuel Bronshtein @e3amn2l for reporting this vulnerability.

Assigned CVE ids: Not yet assigned

CWE ids: CWE-661

Patches

The following commits have been made on the 4.6 branch to fix this issue:

733a5d5

More information

For further information and in case of questions, please contact the
phpMyAdmin team. Our website is phpmyadmin.net.

- ---

PMASA-2016-68

Announcement-ID: PMASA-2016-68
Date: 2016-11-25

Summary

DOS vulnerability in table partitioning

Description

With a very large request to the table partitioning function, it is possible
to invoke a Denial of Service (DOS) attack.

Severity

We consider this vulnerability to be of moderate severity.

Affected Versions

All 4.6.x versions (prior to 4.6.5) are affected.

Solution

Upgrade to phpMyAdmin 4.6.5 or newer or apply the patch listed below.

References

Thanks to Emanuel Bronshtein @e3amn2l for reporting this vulnerability.

Assigned CVE ids: Not yet assigned

CWE ids: CWE-661 CWE-400

Patches

The following commits have been made on the 4.6 branch to fix this issue:

7ddcbc0

More information

For further information and in case of questions, please contact the
phpMyAdmin team. Our website is phpmyadmin.net.

- ---

PMASA-2016-69

Announcement-ID: PMASA-2016-69
Date: 2016-11-25
Updated: 2016-11-26

Summary

Multiple SQL injection vulnerabilities

Description

With a crafted username or a table name, it was possible to inject SQL
statements in the tracking functionality that would run with the privileges
of the control user. This gives read and write access to the tables of the
configuration storage database, and if the control user has the necessary
privileges, read access to some tables of the mysql database.
Edited to correct an incorrect commit ID for the 4.0 branch.

Severity

We consider these vulnerabilities to be serious.

Affected Versions

All 4.6.x versions (prior to 4.6.5), 4.4.x versions (prior to 4.4.15.9), and
4.0.x versions (prior to 4.0.10.18) are affected.

Solution

Upgrade to phpMyAdmin 4.6.5, 4.4.15.9, 4.0.10.18, or newer or apply the
patches listed below.

References

Thanks to Emanuel Bronshtein @e3amn2l for reporting this vulnerability.

Assigned CVE ids: Not yet assigned

CWE ids: CWE-661 CWE-89

Patches

The following commits have been made on the 4.0 branch to fix this issue:

337b380
54875ff

The following commits have been made on the 4.4 branch to fix this issue:

d69375f
9d0b191

The following commits have been made on the 4.6 branch to fix this issue:

d74714c
54875ff

More information

For further information and in case of questions, please contact the
phpMyAdmin team. Our website is phpmyadmin.net.

- ---

PMASA-2016-70

Announcement-ID: PMASA-2016-70
Date: 2016-11-25

Summary

Incorrect serialized string parsing

Description

Due to a bug in serialized string parsing, it was possible to bypass the
protection offered by the PMA_safeUnserialize() function.

Severity

We consider this vulnerability to be severe.

Affected Versions

All 4.6.x versions (prior to 4.6.5), 4.4.x versions (prior to 4.4.15.9), and
4.0.x versions (prior to 4.0.10.18) are affected.

Solution

Upgrade to phpMyAdmin 4.6.5, 4.4.15.9, 4.0.10.18, or newer or apply the
patches listed below.

References

Thanks to Emanuel Bronshtein @e3amn2l for reporting this vulnerability.

Assigned CVE ids: Not yet assigned

CWE ids: CWE-661

Patches

The following commits have been made on the 4.0 branch to fix this issue:

5e108a3

The following commits have been made on the 4.4 branch to fix this issue:

1fc004d

The following commits have been made on the 4.6 branch to fix this issue:

17b34be

More information

For further information and in case of questions, please contact the
phpMyAdmin team. Our website is phpmyadmin.net.
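A validator in the spirit of PMA_safeUnserialize(), as an added example in Python (not phpMyAdmin's PHP code; the advisory does not describe the exact parsing bug): it walks the PHP serialization grammar using the declared byte lengths and accepts only null, bool, int, float, string and array values, refusing O: (object), C: (custom), r:/R: (reference) and any unknown type. The sample inputs in the test are constructed.

```python
import re
_UINT = re.compile(rb"\d+")
_INT = re.compile(rb"[+-]?\d+")
_FLOAT = re.compile(rb"[+-]?(?:\d+\.?\d*(?:[eE][+-]?\d+)?|INF|NAN)")
MAX_DEPTH = 64  # bound nesting so hostile input cannot exhaust the stack

class UnsafeSerialized(ValueError):
    pass

def _expect(buf, pos, literal):
    if not buf.startswith(literal, pos):
        raise UnsafeSerialized(f"expected {literal!r} at offset {pos}")
    return pos + len(literal)

def _walk(buf, pos, depth=0):
    """Validate one value at pos (bytes, since PHP lengths count bytes)."""
    if depth > MAX_DEPTH or pos >= len(buf):
        raise UnsafeSerialized("input too deep or truncated")
    t = buf[pos:pos + 1]
    if t == b"N":                                    # null
        return _expect(buf, pos + 1, b";")
    if t in (b"b", b"i", b"d"):                      # bool / int / float
        m = (_FLOAT if t == b"d" else _INT).match(buf, _expect(buf, pos + 1, b":"))
        if not m or (t == b"b" and m.group() not in (b"0", b"1")):
            raise UnsafeSerialized(f"bad scalar at offset {pos}")
        return _expect(buf, m.end(), b";")
    if t in (b"s", b"a"):                            # string / array
        m = _UINT.match(buf, _expect(buf, pos + 1, b":"))
        if not m:
            raise UnsafeSerialized(f"bad length at offset {pos}")
        n = int(m.group())
        if t == b"s":
            # Skip exactly n declared bytes; never scan for the closing quote.
            return _expect(buf, _expect(buf, m.end(), b':"') + n, b'";')
        pos = _expect(buf, m.end(), b":{")
        for _ in range(n):
            if buf[pos:pos + 1] not in (b"i", b"s"):  # PHP keys are int or string
                raise UnsafeSerialized(f"bad array key at offset {pos}")
            pos = _walk(buf, pos, depth + 1)          # key
            pos = _walk(buf, pos, depth + 1)          # value
        return _expect(buf, pos, b"}")
    raise UnsafeSerialized(f"disallowed type {t!r} at offset {pos}")

def is_safe_serialized(data) -> bool:
    """True only if the whole input is consumed by the scalar/array grammar."""
    buf = data if isinstance(data, bytes) else data.encode("utf-8")
    try:
        return _walk(buf, 0) == len(buf)
    except ValueError:  # UnsafeSerialized, or an absurdly long digit string
        return False
```

Because the string branch skips the declared length instead of searching for `";`, a string whose data happens to contain `";O:` is still classified as a plain string rather than mistaken for an object.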
- ---

PMASA-2016-71

Announcement-ID: PMASA-2016-71
Date: 2016-11-25

Summary

CSRF token not stripped from the URL

Description

When the arg_separator is different from its default value of &, the token
was not properly stripped from the return URL of the preference import
action.

Severity

We have not yet determined a severity for this issue.

Affected Versions

All 4.6.x versions (prior to 4.6.5), 4.4.x versions (prior to 4.4.15.9), and
4.0.x versions (prior to 4.0.10.18) are affected.

Solution

Upgrade to phpMyAdmin 4.6.5, 4.4.15.9, 4.0.10.18, or newer or apply the
patches listed below.

References

Thanks to Emanuel Bronshtein @e3amn2l for reporting this vulnerability.

Assigned CVE ids: Not yet assigned

CWE ids: CWE-661

Patches

The following commits have been made on the 4.0 branch to fix this issue:

773f126

The following commits have been made on the 4.4 branch to fix this issue:

e3f2c74

The following commits have been made on the 4.6 branch to fix this issue:

f87358d

More information

For further information and in case of questions, please contact the
phpMyAdmin team. Our website is phpmyadmin.net.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content.
The decision to follow or act on information or advice contained in this
security bulletin is the responsibility of each user or organisation, and
should be considered in accordance with your organisation's site policies
and procedures. AusCERT takes no responsibility for consequences which may
arise from following or acting on information or advice contained in this
security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================