FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

phpMyAdmin -- multiple vulnerabilities

Affected packages
4.6.0 <= phpMyAdmin < 4.6.5

Details

VuXML ID 6fe72178-b2e3-11e6-8b2a-6805ca0b3d42
Discovery 2016-11-25
Entry 2016-11-25

The phpMyAdmin development team reports:

Summary

Open redirection

Description

A vulnerability was discovered where a user can be tricked into following a link leading to phpMyAdmin, which after authentication redirects to another malicious site.

The attacker must sniff the user's valid phpMyAdmin token.

Severity

We consider this vulnerability to be of moderate severity.

Summary

Unsafe generation of blowfish secret

Description

When the user does not specify a blowfish_secret key for encrypting cookies, phpMyAdmin generates one at runtime. A vulnerability was reported where this value is created using a weak algorithm.

This could allow an attacker to determine the user's blowfish_secret and potentially decrypt their cookies.

Severity

We consider this vulnerability to be of moderate severity.

Mitigation factor

This vulnerability only affects cookie authentication and only when a user has not defined a $cfg['blowfish_secret'] in their config.inc.php

Summary

phpinfo information leak value of sensitive (HttpOnly) cookies

Description

phpinfo (phpinfo.php) shows PHP information including values of HttpOnly cookies.

Severity

We consider this vulnerability to be non-critical.

Mitigation factor

phpinfo is disabled by default and needs to be enabled explicitly.

Summary

Username deny rules bypass (AllowRoot & Others) by using Null Byte

Description

It is possible to bypass AllowRoot restriction ($cfg['Servers'][$i]['AllowRoot']) and deny rules for username by using Null Byte in the username.

Severity

We consider this vulnerability to be severe.

Summary

Username rule matching issues

Description

A vulnerability in username matching for the allow/deny rules may result in wrong matches and detection of the username in the rule due to non-constant execution time.

Severity

We consider this vulnerability to be severe.

Summary

Bypass logout timeout

Description

With a crafted request parameter value it is possible to bypass the logout timeout.

Severity

We consider this vulnerability to be of moderate severity.

Summary

Multiple full path disclosure vulnerabilities

Description

By calling some scripts that are part of phpMyAdmin in an unexpected way, it is possible to trigger phpMyAdmin to display a PHP error message which contains the full path of the directory where phpMyAdmin is installed. During an execution timeout in the export functionality, the errors containing the full path of the directory of phpMyAdmin are written to the export file.

Severity

We consider these vulnerabilities to be non-critical.

Summary

Multiple XSS vulnerabilities

Description

Several XSS vulnerabilities have been reported, including an improper fix for PMASA-2016-10 and a weakness in a regular expression used in some JavaScript processing.

Severity

We consider this vulnerability to be non-critical.

Summary

Multiple DOS vulnerabilities

Description

With a crafted request parameter value it is possible to initiate a denial of service attack in saved searches feature.

With a crafted request parameter value it is possible to initiate a denial of service attack in import feature.

An unauthenticated user can execute a denial of service attack when phpMyAdmin is running with $cfg['AllowArbitraryServer']=true;.

Severity

We consider these vulnerabilities to be of moderate severity.

Summary

Bypass white-list protection for URL redirection

Description

Due to the limitation in URL matching, it was possible to bypass the URL white-list protection.

Severity

We consider this vulnerability to be of moderate severity.

Summary

BBCode injection vulnerability

Description

With a crafted login request it is possible to inject BBCode in the login page.

Severity

We consider this vulnerability to be severe.

Mitigation factor

This exploit requires phpMyAdmin to be configured with the "cookie" auth_type; other authentication methods are not affected.

Summary

DOS vulnerability in table partitioning

Description

With a very large request to table partitioning function, it is possible to invoke a Denial of Service (DOS) attack.

Severity

We consider this vulnerability to be of moderate severity.

Summary

Multiple SQL injection vulnerabilities

Description

With a crafted username or a table name, it was possible to inject SQL statements in the tracking functionality that would run with the privileges of the control user. This gives read and write access to the tables of the configuration storage database, and if the control user has the necessary privileges, read access to some tables of the mysql database.

Severity

We consider these vulnerabilities to be serious.

Summary

Incorrect serialized string parsing

Description

Due to a bug in serialized string parsing, it was possible to bypass the protection offered by the PMA_safeUnserialize() function.

Severity

We consider this vulnerability to be severe.

Summary

CSRF token not stripped from the URL

Description

When the arg_separator is different from its default value of &, the token was not properly stripped from the return URL of the preference import action.

Severity

We have not yet determined a severity for this issue.
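The mitigation factor for the blowfish secret issue above is to define $cfg['blowfish_secret'] in config.inc.php rather than rely on the runtime-generated value. The following is an added example, not phpMyAdmin's own code: a small PHP audit that flags a loaded $cfg array whose secret is missing or short and prints a replacement drawn from the operating system CSPRNG. The 32-byte minimum and the sample $cfg arrays are assumptions constructed for this example.

```php
<?php
// Added example (not phpMyAdmin code): audit a loaded $cfg array for the
// $cfg['blowfish_secret'] mitigation named in the advisory and emit a strong
// replacement when the value is missing or too short.
// The 32-byte minimum is an assumption for this example, not a value from the advisory.

declare(strict_types=1);

const MIN_SECRET_BYTES = 32; // assumption: minimum length accepted by this audit

/** Fresh secret from the OS CSPRNG, hex-encoded so it is safe inside a PHP string literal. */
function generateBlowfishSecret(int $bytes = MIN_SECRET_BYTES): string
{
    return bin2hex(random_bytes($bytes));
}

/**
 * Returns null when blowfish_secret is acceptable, otherwise a message
 * describing why the configuration would fall back to the weak runtime value.
 */
function auditBlowfishSecret(array $cfg): ?string
{
    if (!isset($cfg['blowfish_secret']) || !is_string($cfg['blowfish_secret'])) {
        return 'blowfish_secret is not set; a runtime-generated value would be used';
    }
    if (strlen($cfg['blowfish_secret']) < MIN_SECRET_BYTES) {
        return 'blowfish_secret is shorter than ' . MIN_SECRET_BYTES . ' bytes';
    }
    return null;
}

// Constructed sample configurations: one relying on the runtime fallback, one fixed.
$weak   = ['auth_type' => 'cookie'];
$strong = ['auth_type' => 'cookie', 'blowfish_secret' => generateBlowfishSecret()];

foreach (['weak' => $weak, 'strong' => $strong] as $name => $cfg) {
    $problem = auditBlowfishSecret($cfg);
    echo $name, ': ', $problem ?? 'ok', PHP_EOL;
}

// Line to paste into config.inc.php when the audit reports a problem.
echo "\$cfg['blowfish_secret'] = '" . generateBlowfishSecret() . "';", PHP_EOL;
```

Only cookie authentication uses this secret, as the advisory notes; for other auth_type values the audit result is informational. To run the check against a real installation, load config.inc.php into the array before calling auditBlowfishSecret() and never log or echo the existing secret itself.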
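Two of the username-rule issues above concern how a candidate username is compared against AllowRoot and allow/deny rules: a NUL byte embedded in the name, and a comparison whose running time depends on how many leading characters match. The following is an added example, not phpMyAdmin's code or rule syntax: a fail-closed matcher that rejects malformed names before any rule is consulted and compares every rule in constant time. The rule format, the 256-byte length bound and the sample rules and usernames are assumptions constructed for this example.

```php
<?php
// Added example (not phpMyAdmin code): username allow/deny evaluation that
// rejects NUL bytes up front and compares names in constant time.
// Rule format ['allow'|'deny', username] is an assumption for this example.

declare(strict_types=1);

const MAX_USERNAME_BYTES = 256; // assumption: upper bound so padding cannot truncate

/** A usable name is non-empty, within the length bound and free of NUL bytes. */
function isWellFormedUsername(string $user): bool
{
    // PHP strings are binary-safe, so strpos() finds an embedded "\0" reliably.
    return $user !== ''
        && strlen($user) <= MAX_USERNAME_BYTES
        && strpos($user, "\0") === false;
}

/**
 * Constant-time equality. Both sides are padded to a fixed width so that
 * hash_equals() never short-circuits on a length mismatch; because well-formed
 * names contain no NUL bytes, equal padded strings imply equal originals.
 */
function usernamesEqual(string $ruleUser, string $user): bool
{
    $a = str_pad($ruleUser, MAX_USERNAME_BYTES, "\0");
    $b = str_pad($user, MAX_USERNAME_BYTES, "\0");
    return hash_equals($a, $b);
}

/**
 * Evaluate all rules without early exit so the total time does not reveal
 * which rule matched. Deny wins over allow; no allow match means denied.
 */
function usernameAllowed(array $rules, string $user, bool $allowRoot): bool
{
    if (!isWellFormedUsername($user)) {
        return false; // NUL byte or bad length: refuse before matching anything
    }
    if (!$allowRoot && usernamesEqual('root', $user)) {
        return false;
    }
    $denied = false;
    $allowed = false;
    foreach ($rules as [$action, $ruleUser]) {
        $match = usernamesEqual($ruleUser, $user); // always executed
        if ($action === 'deny') {
            $denied = $denied || $match;
        } elseif ($action === 'allow') {
            $allowed = $allowed || $match;
        }
    }
    return $allowed && !$denied;
}

// Constructed sample rules and candidate names with the expected outcome.
$rules = [['allow', 'alice'], ['deny', 'bob']];
$cases = [
    'alice'   => true,   // explicitly allowed
    'bob'     => false,  // explicitly denied
    'root'    => false,  // AllowRoot is false below
    "root\0"  => false,  // NUL byte rejected before any rule is consulted
    'alice '  => false,  // trailing space is a different name
    'carol'   => false,  // no allow rule matches
];

foreach ($cases as $user => $expected) {
    $result = usernameAllowed($rules, $user, false);
    printf("%-10s %s%s\n", addcslashes($user, "\0"),
        $result ? 'allowed' : 'denied',
        $result === $expected ? '' : '  (UNEXPECTED)');
}
```

The padding step is what makes the comparison uniform: hash_equals() alone returns early when lengths differ, which leaks the length of the configured names. Rejecting NUL bytes before matching matters because a C-style underlying comparison or a later database call may stop at the first NUL and treat "root\0x" as "root".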

References

CVE Name CVE-2016-4412
CVE Name CVE-2016-6632
CVE Name CVE-2016-6633
URL https://www.phpmyadmin.net/security/PMASA-2016-57/
URL https://www.phpmyadmin.net/security/PMASA-2016-58/
URL https://www.phpmyadmin.net/security/PMASA-2016-59/
URL https://www.phpmyadmin.net/security/PMASA-2016-60/
URL https://www.phpmyadmin.net/security/PMASA-2016-61/
URL https://www.phpmyadmin.net/security/PMASA-2016-62/
URL https://www.phpmyadmin.net/security/PMASA-2016-63/
URL https://www.phpmyadmin.net/security/PMASA-2016-64/
URL https://www.phpmyadmin.net/security/PMASA-2016-65/
URL https://www.phpmyadmin.net/security/PMASA-2016-66/
URL https://www.phpmyadmin.net/security/PMASA-2016-67/
URL https://www.phpmyadmin.net/security/PMASA-2016-68/
URL https://www.phpmyadmin.net/security/PMASA-2016-69/
URL https://www.phpmyadmin.net/security/PMASA-2016-70/
URL https://www.phpmyadmin.net/security/PMASA-2016-71/