Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2018.3839
phpMyAdmin security updates
12 December 2018
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: phpMyAdmin
Publisher: phpMyAdmin
Operating System: Windows
UNIX variants (UNIX, Linux, OSX)
Impact/Access: Cross-site Scripting -- Remote with User Interaction
Access Confidential Data -- Existing Account
Resolution: Patch/Upgrade
CVE Names: CVE-2018-19970 CVE-2018-19969 CVE-2018-19968
Original Bulletin:
https://www.phpmyadmin.net/security/PMASA-2018-6/
https://www.phpmyadmin.net/security/PMASA-2018-7/
https://www.phpmyadmin.net/security/PMASA-2018-8/
Comment: This bulletin contains three (3) phpMyAdmin security advisories.
- --------------------------BEGIN INCLUDED TEXT--------------------
Announcement-ID: PMASA-2018-6
Date: 2018-12-07
Summary
Local file inclusion through transformation feature
Description
A flaw has been found where an attacker can exploit phpMyAdmin to leak the
contents of a local file. The attacker must have access to the phpMyAdmin
Configuration Storage tables, although these can easily be created in any
database to which the attacker has access. An attacker must have valid
credentials to log in to phpMyAdmin; this vulnerability does not allow an
attacker to circumvent the login system.
Severity
We consider this vulnerability to be severe.
Affected Versions
phpMyAdmin versions from at least 4.0 through 4.8.3 are affected
Solution
Upgrade to phpMyAdmin 4.8.4 or newer or apply patch listed below.
References
This vulnerability was reported by Daniel Le Gall from SCRT
Assigned CVE ids: CVE-2018-19968
CWE ids: CWE-661 CWE-98
Patches
The following commits have been made on the 4.8 branch to fix this issue:
* 6a1ba61e29002f0305a9322a8af4eaaeb11c0732
More information
For further information and in case of questions, please contact the phpMyAdmin
team. Our website is phpmyadmin.net.
- --------------------------------------------------------------------------------
Announcement-ID: PMASA-2018-7
Date: 2018-12-07
Summary
XSRF/CSRF vulnerability in phpMyAdmin
Description
By deceiving a user to click on a crafted URL, it is possible to perform
harmful SQL operations such as renaming databases, creating new tables/
routines, deleting designer pages, adding/deleting users, updating user
passwords, killing SQL processes, etc.
Severity
We consider this vulnerability to be of moderate severity.
Affected Versions
phpMyAdmin versions 4.7.0 through 4.7.6 and 4.8.0 through 4.8.3 are affected.
Solution
Upgrade to phpMyAdmin 4.8.4 or newer or apply patch listed below.
References
Thanks to Daniel Le Gall from SCRT, Mustafa Hasan (@strukt93), SI9INT and
Prasetia Ari for reporting this vulnerability.
Assigned CVE ids: CVE-2018-19969
CWE ids: CWE-661 CWE-352
Patches
The following commits have been made on the 4.8 branch to fix this issue:
* f049c127ca21885ab0856a8c562ed1c74961bb5d
* be0660e4c46a1f3f74d86bac41419d5804201502
* 77ea7024bfa75659dea20dacb225f0d48414fd02
* ad7f7fd80192bd9f7f22f4d8d9a8818dd69f3e0c
* 5d781422fb9f0af54e9cf9c85371b4d8c02ac56d
* d6e04ca09b205cbc1e00f26da9d1f3690287a4af
* d9279982a9c24456c061ecc700f69610424e854e
* 3ac68d2edaafea38c3c45e364933456540603c09
* 98ef759676cfc60db56aff657d5f66f818780872
* faced0a344a3e3c2cfe645d400fcddc54dcc7f4e
* d0eede7c566d97f92b5fda1560fa07b583ffc0a4
* 42561e689613e6712920bada4e2f957a96252f97
* ca06ecc87681e7d547271fdbd06816a2bee9be80
* 3d9ed655cc6107bd0e8e6d5f5a5f58d0fc791564
* b72e55acf82a67fcb9d8eb341878f8e9fc7af295
* 9219b28f474f032621b3cc827d12407673e47b08
* 6c03ebad38a64ac1c53f9bae9e9c2d5e0d556bfd
* 7d3f203131231d09a7485c38355f5cb546cbf897
* 2a749337bf9e1319f5d0bc62aae3f79f8f9080d0
* 35d87e607227c4ea0d1613ad39c5bca75b726fca
* 80eaee9c0a1fadc4c7f7ab3838b3fe5eb15a7830
* 259cbc6ab1d61afb3a657ad4a787eefe8278ec29
* c1cdaac2f465dd6b9e17f9f35fd46861ad703a6d
* 1edf1aced6ad963c9f282666150f7f36f1ca449e
* bf3e6c3a77ff5d1fc2a15bba7f0a66e7fcb357e6
* 827e4dcf2ce738d7b320682e97e29ad448f9147f
* b4e1862740b3412aab2f7079649a705f317cb1b0
* 5109c1787e111a87521db94c93d4cb2c46cc29f4
* 88e162b651dfbd64c98ac40976023c4b7d1438bb
* e7e7d56c759366c61824b67f48ec0ba4d5507105
* 593b2571cd8ba5110cd39fee896ea172ca2c81d5
* 737ac997f9271d15f08b20893c9174a312027b74
* 0fe1a3bea88a553407930f83380b88d7591d2bdd
* 79548c0dcfc185f7c31a0c527d952a2b14266ddf
* 89db84213ba1b2b38387632c884c6fe64166f512
* 30543ad81f5151d592e39e3075dd32a7487d8d9e
* 0be9a53fcfd4131c8737f717371570402b292361
* d01ece698a18624ede4bccffd81035da7c27b9a0
* d1d90b59b28ab8be332e442df55864cb858e40dd
* a98207c6de3bde433602273d1cccc7f2f99d7501
* eb13c69f0db2b1158d4b36deef7544fa1a932505
* 79fd80cef5da7f67eed01825b4d4b957d03acffd
* 01e8064e3530a05d8d2975ad29fdd519a952e0ec
* 34972f0132c6e04fc324ad422f2fc609df7a22ec
* 6fd9bfb75b357e375c8992a8c9194411954a8427
* c36592b4e8dfe6e5b2e7c9197c32abdf155df350
* d745d1ce019bf1aa60f19e8ac993389adb81e3a9
* d98b40281b0e8781918240b201b35758b474e595
* e7f1e2697acace0d05356a943174cefeae1cf11e
More information
For further information and in case of questions, please contact the phpMyAdmin
team. Our website is phpmyadmin.net.
- --------------------------------------------------------------------------------
Announcement-ID: PMASA-2018-8
Date: 2018-12-07
Summary
XSS vulnerability in navigation tree
Description
A Cross-Site Scripting vulnerability was found in the navigation tree, where an
attacker can deliver a payload to a user through a specially-crafted database/
table name.
Severity
We consider this attack to be of moderate severity.
Mitigation factor
The stored XSS vulnerabilities can be triggered only by someone who logged in
to phpMyAdmin, as the usual token protection prevents non-logged-in users from
accessing the required forms.
Affected Versions
phpMyAdmin versions from at least 4.0 through 4.8.3 are affected
Solution
Upgrade to phpMyAdmin 4.8.4 or newer or apply patch listed below.
References
Thanks to YU-HSIANG HUANG (huang.yuhsiang.phone@gmail.com), YUNG-HAO TSENG, and
Eddie TC CHANG for reporting this vulnerability.
Assigned CVE ids: CVE-2018-19970
CWE ids: CWE-661 CWE-79
Patches
The following commits have been made on the 4.8 branch to fix this issue:
* b293ff5f234ef493336ed8638f623a12164d359e
More information
For further information and in case of questions, please contact the phpMyAdmin
team. Our website is phpmyadmin.net.
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBXBBTnGaOgq3Tt24GAQgAVxAAnofwNr+fjPtkMfuDr8rLC3KKsofVpff6
wnUkAfjqPgzelhxyYxoGYBu/1rWSCgZwJn9p046DAtBieZ55XhTtcaCMBpAWKI5H
UQlvd6rj1+3rRqgSvxU1GfG8Py4NR/HJJX9cTjMaXCkwQNaM0BU75jHbzPOZp6iW
Zx6lDWxzIiPqHj2uapt5eMFZsuyBYgko2lqWu8KpBZFjOyTJ8eqm+eKu51vUGAV2
v9diRDC1p1pm3eDhTNQDJrSL42qgpfUkNV6+uCG0YDiZnxjvV3WE7N6YxW/ywI48
haQMyjsziWhD32/SSYsYs92fv0/IWYM91qNaD34Bk+CL+fcoDqKrsaOIiIiho5X2
QI4oX+fPGTyg51TrKgJNQpFk1/27nadMFNUUMZypBwjOVdJsSKULVLc7WZuL6S5M
AHDLIxbbMBQWV8wWBgA5elnbAJaQRaAoT1ftfwjHozjoo00SW2nPeLTmCCzpfDuN
7NEEKa0OpnPXkXgO6QVEakEBsQCyZvz5vJCTSVNqfgu3zqQxNJ/c6EC4eYeO9Vyf
jOG8dWjXD5sfGBtVfyTl/pCv+0acReVQRXzoi50rOpMcdj1sbS5+nMuLfZBuHA8Q
Yztjq3jZ+cHpIObAmEEPDHySqoVzmqi9YuFfK2kRHA+hkLXo/a+NrnFOuQkl3Nsv
P9M64ZL0qsQ=
=DK8K
-----END PGP SIGNATURE-----