===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.3839
                        phpMyAdmin security updates
                             12 December 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           phpMyAdmin
Publisher:         phpMyAdmin
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Cross-site Scripting     -- Remote with User Interaction
                   Access Confidential Data -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-19970 CVE-2018-19969 CVE-2018-19968

Original Bulletin:
   https://www.phpmyadmin.net/security/PMASA-2018-6/
   https://www.phpmyadmin.net/security/PMASA-2018-7/
   https://www.phpmyadmin.net/security/PMASA-2018-8/

Comment: This bulletin contains three (3) phpMyAdmin security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

Announcement-ID: PMASA-2018-6

Date: 2018-12-07

Summary

Local file inclusion through transformation feature

Description

A flaw has been found where an attacker can exploit phpMyAdmin to leak the
contents of a local file. The attacker must have access to the phpMyAdmin
Configuration Storage tables, although these can easily be created in any
database to which the attacker has access. An attacker must have valid
credentials to log in to phpMyAdmin; this vulnerability does not allow an
attacker to circumvent the login system.

Severity

We consider this vulnerability to be severe.

Affected Versions

phpMyAdmin versions from at least 4.0 through 4.8.3 are affected.

Solution

Upgrade to phpMyAdmin 4.8.4 or newer or apply the patch listed below.
References

This vulnerability was reported by Daniel Le Gall from SCRT

Assigned CVE ids: CVE-2018-19968

CWE ids: CWE-661 CWE-98

Patches

The following commits have been made on the 4.8 branch to fix this issue:

* 6a1ba61e29002f0305a9322a8af4eaaeb11c0732

More information

For further information and in case of questions, please contact the
phpMyAdmin team. Our website is phpmyadmin.net.

- --------------------------------------------------------------------------------

Announcement-ID: PMASA-2018-7

Date: 2018-12-07

Summary

XSRF/CSRF vulnerability in phpMyAdmin

Description

By deceiving a user to click on a crafted URL, it is possible to perform
harmful SQL operations such as renaming databases, creating new
tables/routines, deleting designer pages, adding/deleting users, updating
user passwords, killing SQL processes, etc.

Severity

We consider this vulnerability to be of moderate severity.

Affected Versions

phpMyAdmin versions 4.7.0 through 4.7.6 and 4.8.0 through 4.8.3 are affected.

Solution

Upgrade to phpMyAdmin 4.8.4 or newer or apply the patch listed below.

References

Thanks to Daniel Le Gall from SCRT, Mustafa Hasan (@strukt93), SI9INT and
Prasetia Ari for reporting this vulnerability.
Assigned CVE ids: CVE-2018-19969

CWE ids: CWE-661 CWE-352

Patches

The following commits have been made on the 4.8 branch to fix this issue:
More information

For further information and in case of questions, please contact the
phpMyAdmin team. Our website is phpmyadmin.net.

- --------------------------------------------------------------------------------

Announcement-ID: PMASA-2018-8

Date: 2018-12-07

Summary

XSS vulnerability in navigation tree

Description

A Cross-Site Scripting vulnerability was found in the navigation tree, where
an attacker can deliver a payload to a user through a specially-crafted
database/table name.

Severity

We consider this attack to be of moderate severity.

Mitigation factor

The stored XSS vulnerabilities can be triggered only by someone who logged in
to phpMyAdmin, as the usual token protection prevents non-logged-in users from
accessing the required forms.

Affected Versions

phpMyAdmin versions from at least 4.0 through 4.8.3 are affected.

Solution

Upgrade to phpMyAdmin 4.8.4 or newer or apply the patch listed below.

References

Thanks to YU-HSIANG HUANG (huang.yuhsiang.phone@gmail.com), YUNG-HAO TSENG,
and Eddie TC CHANG for reporting this vulnerability.

Assigned CVE ids: CVE-2018-19970

CWE ids: CWE-661 CWE-79

Patches

The following commits have been made on the 4.8 branch to fix this issue:

* b293ff5f234ef493336ed8638f623a12164d359e

More information

For further information and in case of questions, please contact the
phpMyAdmin team. Our website is phpmyadmin.net.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager.
If you do not know who that is, please send an email to
auscert@auscert.org.au and we will forward your request to the appropriate
person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for
consequences which may arise from following or acting on information or
advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
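As an added example (not part of the AusCERT bulletin or the phpMyAdmin advisories above), a small Python checker that takes an installed phpMyAdmin version string and reports which of the three advisories' stated affected ranges it falls in. The advisory ids, CVE ids, ranges and fixed version are taken from the bulletin; the sample version strings at the bottom are constructed.

```python
import re
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# Affected ranges exactly as stated in the three advisories (inclusive bounds).
# "from at least 4.0" is modelled as a lower bound of 4.0.0; the advisories do
# not rule out older releases, so anything below 4.0 is reported as unverified.
ADVISORIES: Dict[str, List[Tuple[str, str]]] = {
    "PMASA-2018-6 / CVE-2018-19968 (local file inclusion)": [("4.0", "4.8.3")],
    "PMASA-2018-7 / CVE-2018-19969 (CSRF)": [("4.7.0", "4.7.6"), ("4.8.0", "4.8.3")],
    "PMASA-2018-8 / CVE-2018-19970 (XSS in navigation tree)": [("4.0", "4.8.3")],
}
FIXED_IN = "4.8.4"


def parse_version(s: str) -> Version:
    """Turn '4.8.3' or '4.8' into a 3-tuple; rejects anything but plain dotted digits."""
    m = re.fullmatch(r"\d+(?:\.\d+){0,2}", s.strip())
    if not m:
        raise ValueError(f"unrecognised phpMyAdmin version string: {s!r}")
    parts = [int(p) for p in m.group(0).split(".")]
    parts += [0] * (3 - len(parts))          # pad so 4.8 compares like 4.8.0
    return (parts[0], parts[1], parts[2])


def affected_by(version: str) -> List[str]:
    """Return the advisories whose stated ranges include the given version."""
    v = parse_version(version)
    return [
        name for name, ranges in ADVISORIES.items()
        if any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in ranges)
    ]


def assess(version: str) -> str:
    """One-line verdict for an installed version, as an operator would put in a report."""
    if parse_version(version) < parse_version("4.0"):
        return f"{version}: older than the ranges the advisories cover; treat as unverified"
    hits = affected_by(version)
    if not hits:
        return f"{version}: not in any affected range (fixed in {FIXED_IN})"
    return f"{version}: affected by {len(hits)} advisory(ies); upgrade to {FIXED_IN} or newer"


if __name__ == "__main__":
    for candidate in ("4.6.6", "4.7.6", "4.8.3", "4.8.4"):   # constructed sample inputs
        print(assess(candidate))
        for name in affected_by(candidate):
            print("   -", name)
```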