FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

phpmyadmin -- multiple vulnerabilities

Affected packages
4.6.0 <= phpmyadmin < 4.6.4

Details

VuXML ID ef70b201-645d-11e6-9cdc-6805ca0b3d42
Discovery 2016-08-17
Entry 2016-08-17

The phpmyadmin development team reports:

Summary

Weakness with cookie encryption

Description

A pair of vulnerabilities were found affecting the way cookies are stored.

Severity

We consider this to be critical.

Summary

Multiple XSS vulnerabilities

Description

Multiple vulnerabilities have been discovered in the following areas of phpMyAdmin:

Severity

We consider these vulnerabilities to be of moderate severity.

Summary

Multiple XSS vulnerabilities

Description

XSS vulnerabilities were discovered in:

Specially crafted database names can trigger the XSS attack.

Severity

We consider these vulnerabilities to be of moderate severity.

Summary

PHP code injection

Description

A vulnerability was found where a specially crafted database name could be used to run arbitrary PHP commands through the array export feature.

Severity

We consider this vulnerability to be of moderate severity.

Summary

Full path disclosure

Description

A full path disclosure vulnerability was discovered where a user can trigger a particular error in the export mechanism to discover the full path of phpMyAdmin on the disk.

Severity

We consider this vulnerability to be non-critical.

Summary

SQL injection attack

Description

A vulnerability was reported where a specially crafted database and/or table name can be used to trigger an SQL injection attack through the export functionality.

Severity

We consider this vulnerability to be serious.

Summary

Local file exposure

Description

A vulnerability was discovered where a user can exploit the LOAD LOCAL INFILE functionality to expose files on the server to the database system.

Severity

We consider this vulnerability to be serious.

Summary

Local file exposure through symlinks with UploadDir

Description

A vulnerability was found where a user can specially craft a symlink on disk, to a file which phpMyAdmin is permitted to read but the user is not, which phpMyAdmin will then expose to the user.

Severity

We consider this vulnerability to be serious, however due to the mitigation factors the default state is not vulnerable.

Mitigation factor

1) The installation must be run with UploadDir configured (not the default)
2) The user must be able to create a symlink in the UploadDir
3) The user running the phpMyAdmin application must be able to read the file

Summary

Path traversal with SaveDir and UploadDir

Description

A vulnerability was reported with the %u username replacement functionality of the SaveDir and UploadDir features. When the username substitution is configured, a specially-crafted user name can be used to circumvent restrictions to traverse the file system.

Severity

We consider this vulnerability to be serious, however due to the mitigation factors the default state is not vulnerable.

Mitigation factor

1) A system must be configured with the %u username replacement, such as `$cfg['SaveDir'] = 'SaveDir_%u';`
2) The user must be able to create a specially-crafted MySQL user, including the `/.` sequence of characters, such as `/../../`
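The two UploadDir/SaveDir issues above (the planted symlink and the `%u` path traversal) fail for the same reason: a path is built from data the MySQL user controls and used without checking where it resolves. The following PHP script is an added example, not code from the advisory or from phpMyAdmin. It shows the weak substitution pattern next to a containment check that refuses both the `../../` user name and a symlink that points outside the base directory. The temporary directory layout, the functions `weakUserDir` and `containedPath`, the per-user template `SaveDir/%u` and the user names are assumptions made for the demonstration; it needs a Unix-like system where `symlink()` works.

```php
<?php
// Added example (not phpMyAdmin code): how a '%u' substitution in SaveDir or
// UploadDir is abused by a crafted MySQL user name, how a symlink planted in
// the upload directory reaches a file the web server can read, and one
// containment check that refuses both. Paths and names are made up.

declare(strict_types=1);

// Vulnerable pattern: the user name goes into the path verbatim.
function weakUserDir(string $template, string $user): string
{
    return str_replace('%u', $user, $template);
}

// Hardened: substitute, resolve with realpath() (which collapses ".." and
// follows symlinks), then insist the result is still under $base.
function containedPath(string $base, string $template, string $user): ?string
{
    $realBase = realpath($base);
    if ($realBase === false) {
        return null;
    }
    $resolved = realpath($realBase . '/' . str_replace('%u', $user, $template));
    if ($resolved === false) {
        return null;           // does not exist; never mkdir from untrusted input
    }
    $prefix = $realBase . '/';
    if ($resolved !== $realBase && strncmp($resolved, $prefix, strlen($prefix)) !== 0) {
        return null;           // escaped $base via ".." or via a symlink
    }
    return $resolved;
}

// Throwaway tree: <tmp>/base/SaveDir/<user> is the intended layout, and
// <tmp>/outside/secret.txt stands in for a file the web server can read
// but the MySQL user cannot.
$tmp = sys_get_temp_dir() . '/pma_demo_' . bin2hex(random_bytes(4));
mkdir("$tmp/base/SaveDir/alice", 0700, true);
mkdir("$tmp/outside", 0700, true);
file_put_contents("$tmp/outside/secret.txt", "not for alice\n");
// Mitigation factor 2 above: the user can plant a symlink in UploadDir.
symlink("$tmp/outside/secret.txt", "$tmp/base/SaveDir/alice/link");

// A MySQL user name may contain '/' and '.', so this is a legal user name.
$evilUser = '../../outside';

// Weak version: the path lands outside the base directory.
$weak = weakUserDir("$tmp/base/SaveDir/%u", $evilUser);
var_dump(realpath($weak) === realpath("$tmp/outside"));              // bool(true)

// Hardened version: legitimate user accepted, traversal and symlink refused.
var_dump(containedPath("$tmp/base", 'SaveDir/%u', 'alice') !== null); // bool(true)
var_dump(containedPath("$tmp/base", 'SaveDir/%u', $evilUser));        // NULL
var_dump(containedPath("$tmp/base", 'SaveDir/%u', 'alice/link'));     // NULL

// Remove the throwaway tree.
foreach (["$tmp/base/SaveDir/alice/link", "$tmp/outside/secret.txt"] as $f) {
    unlink($f);
}
foreach (["$tmp/base/SaveDir/alice", "$tmp/base/SaveDir", "$tmp/base", "$tmp/outside", $tmp] as $d) {
    rmdir($d);
}
```

The containment check is deliberately applied after resolution rather than by filtering the user name, so it catches the symlink case as well as `..`; rejecting user names that contain `/` or `..` before substitution is a cheap additional defence. Note that a realpath-then-open sequence is still a race against an attacker who can swap the symlink in between, so code that opens the file should also refuse to follow links at open time where the platform allows it.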

Summary

Multiple XSS vulnerabilities

Description

Multiple XSS vulnerabilities were found in the following areas:

Severity

We consider this vulnerability to be non-critical.

Summary

SQL injection attack

Description

A vulnerability was discovered in the following features where a user can execute an SQL injection attack against the account of the control user:

* User group
* Designer

Severity

We consider this vulnerability to be serious.

Mitigation factor

The server must have a control user account created in MySQL and configured in phpMyAdmin; installations without a control user are not vulnerable.

Summary

SQL injection attack

Description

A vulnerability was reported where a specially crafted database and/or table name can be used to trigger an SQL injection attack through the export functionality.

Severity

We consider this vulnerability to be serious.

Summary

Denial of service (DOS) attack in transformation feature

Description

A vulnerability was found in the transformation feature allowing a user to trigger a denial-of-service (DOS) attack against the server.

Severity

We consider this vulnerability to be non-critical.

Summary

SQL injection attack as control user

Description

A vulnerability was discovered in the user interface preference feature where a user can execute an SQL injection attack against the account of the control user.

Severity

We consider this vulnerability to be serious.

Mitigation factor

The server must have a control user account created in MySQL and configured in phpMyAdmin; installations without a control user are not vulnerable.

Summary

Unvalidated data passed to unserialize()

Description

A vulnerability was reported where some data is passed to the PHP unserialize() function without verification that it's valid serialized data.

Due to how the PHP function operates, unserialization can result in code being loaded and executed due to object instantiation and autoloading, and a malicious user may be able to exploit this.

Therefore, a malicious user may be able to manipulate the stored data in a way to exploit this weakness.

Severity

We consider this vulnerability to be moderately severe.
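The unserialize() entry above describes the mechanism only in general terms. The following PHP script is an added example, not code from the advisory or from phpMyAdmin: it shows a stand-in gadget class whose magic method runs during deserialization, then two ways to contain the problem. The class `Gadget`, the planted payload and the function `loadPrefs` are constructed for this demonstration; the `allowed_classes` option requires PHP 7.0 or later.

```php
<?php
// Added example (not phpMyAdmin code): why unvalidated input to unserialize()
// is dangerous, and two ways to contain it. Gadget, the payload and loadPrefs
// are constructed for this demonstration.

declare(strict_types=1);

// Any loadable class with a magic method (__wakeup, __destruct, ...) is
// reachable to whoever controls the serialized bytes, whether it is defined
// here or pulled in by an autoloader. This one only records that it ran.
class Gadget
{
    public $cmd = '';
    public static $log = [];

    public function __wakeup(): void
    {
        self::$log[] = '__wakeup() ran with cmd=' . $this->cmd;
    }
}

// What an attacker plants in the stored data: an object of a class of their
// choosing, where the application expected a plain array.
$hostile = 'O:6:"Gadget":1:{s:3:"cmd";s:16:"touch /tmp/pwned";}';
$benign  = serialize(['theme' => 'pmahomme', 'lang' => 'en']);

// 1. Vulnerable pattern: unserialize() instantiates Gadget and runs
//    __wakeup() before the caller gets a chance to inspect anything.
unserialize($hostile);
var_dump(count(Gadget::$log));                                   // int(1)

// 2. Hardened (PHP >= 7.0): forbid object instantiation. Objects in the
//    payload come back as __PHP_Incomplete_Class, no magic method runs, and
//    plain arrays still round-trip.
Gadget::$log = [];
$obj = unserialize($hostile, ['allowed_classes' => false]);
var_dump($obj instanceof __PHP_Incomplete_Class);                // bool(true)
var_dump(count(Gadget::$log));                                   // int(0)
var_dump(unserialize($benign, ['allowed_classes' => false])['theme']); // "pmahomme"

// 3. Better: keep attacker-reachable state out of PHP serialization entirely.
//    JSON has no instantiation or autoload side effects, and a shape check on
//    the decoded value replaces trusting whatever unserialize() returns.
function loadPrefs(string $stored): ?array
{
    $data = json_decode($stored, true, 8);
    if (!is_array($data)) {
        return null;
    }
    $prefs = [];
    foreach (['theme', 'lang'] as $key) {
        if (isset($data[$key]) && is_string($data[$key])) {
            $prefs[$key] = $data[$key];
        }
    }
    return $prefs;
}

var_dump(loadPrefs($hostile));                                            // NULL
var_dump(loadPrefs(json_encode(['theme' => 'pmahomme', 'lang' => 'en']))); // array(2)
```

Option 2 is the minimal change when the serialized format cannot be replaced; it still leaves any later code that trusts the decoded structure to validate it. Option 3 is the usual fix for data such as user preferences, which has no need for PHP object semantics in the first place.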

Summary

DOS attack with forced persistent connections

Description

A vulnerability was discovered where an unauthenticated user is able to execute a denial-of-service (DOS) attack by forcing persistent connections when phpMyAdmin is running with `$cfg['AllowArbitraryServer'] = true;`.

Severity

We consider this vulnerability to be critical, although note that phpMyAdmin is not vulnerable by default.

Summary

Denial of service (DOS) attack by for loops

Description

A vulnerability has been reported where a malicious authorized user can cause a denial-of-service (DOS) attack on a server by passing large values to a loop.

Severity

We consider this issue to be of moderate severity.

Summary

IPv6 and proxy server IP-based authentication rule circumvention

Description

A vulnerability was discovered where, under certain circumstances, it may be possible to circumvent the phpMyAdmin IP-based authentication rules.

When phpMyAdmin is used with IPv6 in a proxy server environment, and the proxy server is in the allowed range but the attacking computer is not allowed, this vulnerability can allow the attacking computer to connect despite the IP rules.

Severity

We consider this vulnerability to be serious.

Mitigation factor

* The phpMyAdmin installation must be running with IP-based allow/deny rules
* The phpMyAdmin installation must be running behind a proxy server (or proxy servers) where the proxy server is "allowed" and the attacker is "denied"
* The connection between the proxy server and phpMyAdmin must be via IPv6
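The mitigation factors above describe the setup (IP rules, an allowed proxy, an IPv6 hop) without saying how the client address should be derived in it. The following PHP script is an added example, not code from the advisory or from phpMyAdmin, and does not reproduce phpMyAdmin's rule engine or the exact defect; it shows the two properties such a check needs in that setup: addresses are compared in binary form so that the several spellings of one IPv6 address (and IPv4-mapped forms) match the same rule, and a forwarded-for header is believed only when the TCP peer is a configured proxy. The functions `ipInCidr`, `clientIp` and `allowed`, the rule lists and all addresses are assumptions made for the demonstration.

```php
<?php
// Added example (not phpMyAdmin code): deriving the client address behind a
// proxy so that IP-based allow/deny rules are evaluated against the real
// client, not the proxy. Rules and addresses are made up for the demo.

declare(strict_types=1);

// Compare addresses in binary form. String comparison mis-handles IPv6:
// "2001:db8::1" and "2001:DB8:0:0:0:0:0:1" are one host, and so are
// "::ffff:192.0.2.1" (IPv4-mapped) and "192.0.2.1" once normalised.
function ipInCidr(string $ip, string $cidr): bool
{
    [$net, $bits] = array_pad(explode('/', $cidr, 2), 2, null);
    $ipBin  = inet_pton($ip);
    $netBin = inet_pton($net);
    if ($ipBin === false || $netBin === false || strlen($ipBin) !== strlen($netBin)) {
        return false; // unparsable, or an IPv4 rule checked against an IPv6 client
    }
    $bits  = $bits === null ? strlen($ipBin) * 8 : (int) $bits;
    $bytes = intdiv($bits, 8);
    $rem   = $bits % 8;
    if (substr($ipBin, 0, $bytes) !== substr($netBin, 0, $bytes)) {
        return false;
    }
    if ($rem === 0) {
        return true;
    }
    $mask = (0xFF << (8 - $rem)) & 0xFF;
    return (ord($ipBin[$bytes]) & $mask) === (ord($netBin[$bytes]) & $mask);
}

// Believe X-Forwarded-For only when the TCP peer is a configured proxy, and
// then use the entry that proxy appended (the last one): earlier entries are
// whatever the client chose to send.
function clientIp(array $server, array $trustedProxies): string
{
    $peer = $server['REMOTE_ADDR'];
    foreach ($trustedProxies as $proxyCidr) {
        if (ipInCidr($peer, $proxyCidr) && !empty($server['HTTP_X_FORWARDED_FOR'])) {
            $chain = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
            return end($chain);
        }
    }
    return $peer;
}

function allowed(string $ip, array $allowRules): bool
{
    foreach ($allowRules as $rule) {
        if (ipInCidr($ip, $rule)) {
            return true;
        }
    }
    return false;
}

$allow   = ['2001:db8:10::/48', '192.0.2.0/24'];   // administrator networks
$proxies = ['2001:db8:10::10/128'];               // the reverse proxy in front

// A request relayed by the proxy (written in long form here) for an outside
// client; the client also injected a fake first entry into the header.
$req = [
    'REMOTE_ADDR'          => '2001:db8:10:0:0:0:0:10',
    'HTTP_X_FORWARDED_FOR' => '2001:db8:10::1, 2001:db8:bad::7',
];
$ip = clientIp($req, $proxies);
var_dump($ip, allowed($ip, $allow));
// string "2001:db8:bad::7", bool(false): the proxy is allowed, the client is not.

// Same rules without a proxy in front: the peer itself is evaluated.
var_dump(allowed(clientIp(['REMOTE_ADDR' => '192.0.2.55'], $proxies), $allow)); // bool(true)
```

In phpMyAdmin itself the corresponding settings are `$cfg['Servers'][$i]['AllowDeny']` for the rules and `$cfg['TrustedProxies']` for which peers may supply a forwarded-for header; the script above uses its own simplified syntax rather than theirs. The failure mode to test for after an upgrade is the first request above: if the rules answer "allowed" for it, the proxy's address rather than the client's is being matched.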

Summary

Detect if user is logged in

Description

A vulnerability was reported where an attacker can determine whether a user is logged in to phpMyAdmin.

The user's session, username, and password are not compromised by this vulnerability.

Severity

We consider this vulnerability to be non-critical.

Summary

Bypass URL redirect protection

Description

A vulnerability was discovered where an attacker could redirect a user to a malicious web page.

Severity

We consider this to be of moderate severity.

Summary

Referrer leak in url.php

Description

A vulnerability was discovered where an attacker can determine the phpMyAdmin host location through the file url.php.

Severity

We consider this to be of moderate severity.

Summary

Reflected File Download attack

Description

A vulnerability was discovered where an attacker may be able to trigger a user to download a specially crafted malicious SVG file.

Severity

We consider this issue to be of moderate severity.

Summary

ArbitraryServerRegexp bypass

Description

A vulnerability was reported with the `$cfg['ArbitraryServerRegexp']` configuration directive. An attacker could reuse certain cookie values in a way that bypasses the servers defined by ArbitraryServerRegexp.

Severity

We consider this vulnerability to be critical.

Mitigation factor

Only servers using `$cfg['ArbitraryServerRegexp']` are vulnerable to this attack.

Summary

Denial of service (DOS) attack by changing password to a very long string

Description

An authenticated user can trigger a denial-of-service (DOS) attack by entering a very long password at the change password dialog.

Severity

We consider this vulnerability to be serious.

Summary

Remote code execution vulnerability when run as CGI

Description

A vulnerability was discovered where a user can execute a remote code execution attack against a server when phpMyAdmin is being run as a CGI application. Under certain server configurations, a user can pass a query string which is executed as a command-line argument by the file generator_plugin.sh.

Severity

We consider this vulnerability to be critical.

Mitigation factor

The file `/libraries/plugins/transformations/generator_plugin.sh` may be removed. Under certain server configurations, it may be sufficient to remove execute permissions for this file.

Summary

Denial of service (DOS) attack with dbase extension

Description

A flaw was discovered where, under certain conditions, phpMyAdmin may not delete temporary files during the import of ESRI files.

Severity

We consider this vulnerability to be non-critical.

Mitigation factor

This vulnerability only exists when PHP is running with the dbase extension, which is not shipped by default, not available in most Linux distributions, and doesn't compile with PHP7.

Summary

Remote code execution vulnerability when PHP is running with dbase extension

Description

A vulnerability was discovered where phpMyAdmin can be used to trigger a remote code execution attack against certain PHP installations.

Severity

We consider this vulnerability to be critical.

Mitigation factor

This vulnerability only exists when PHP is running with the dbase extension, which is not shipped by default, not available in most Linux distributions, and doesn't compile with PHP7.

References

CVE Name CVE-2016-6606
CVE Name CVE-2016-6607
CVE Name CVE-2016-6608
CVE Name CVE-2016-6609
CVE Name CVE-2016-6610
CVE Name CVE-2016-6611
CVE Name CVE-2016-6612
CVE Name CVE-2016-6613
CVE Name CVE-2016-6614
CVE Name CVE-2016-6615
CVE Name CVE-2016-6616
CVE Name CVE-2016-6617
CVE Name CVE-2016-6618
CVE Name CVE-2016-6619
CVE Name CVE-2016-6620
CVE Name CVE-2016-6622
CVE Name CVE-2016-6623
CVE Name CVE-2016-6624
CVE Name CVE-2016-6625
CVE Name CVE-2016-6626
CVE Name CVE-2016-6627
CVE Name CVE-2016-6628
CVE Name CVE-2016-6629
CVE Name CVE-2016-6630
CVE Name CVE-2016-6631
CVE Name CVE-2016-6632
CVE Name CVE-2016-6633
URL https://www.phpmyadmin.net/security/PMASA-2016-29/
URL https://www.phpmyadmin.net/security/PMASA-2016-30/
URL https://www.phpmyadmin.net/security/PMASA-2016-31/
URL https://www.phpmyadmin.net/security/PMASA-2016-32/
URL https://www.phpmyadmin.net/security/PMASA-2016-33/
URL https://www.phpmyadmin.net/security/PMASA-2016-34/
URL https://www.phpmyadmin.net/security/PMASA-2016-35/
URL https://www.phpmyadmin.net/security/PMASA-2016-36/
URL https://www.phpmyadmin.net/security/PMASA-2016-37/
URL https://www.phpmyadmin.net/security/PMASA-2016-38/
URL https://www.phpmyadmin.net/security/PMASA-2016-39/
URL https://www.phpmyadmin.net/security/PMASA-2016-40/
URL https://www.phpmyadmin.net/security/PMASA-2016-41/
URL https://www.phpmyadmin.net/security/PMASA-2016-42/
URL https://www.phpmyadmin.net/security/PMASA-2016-43/
URL https://www.phpmyadmin.net/security/PMASA-2016-45/
URL https://www.phpmyadmin.net/security/PMASA-2016-46/
URL https://www.phpmyadmin.net/security/PMASA-2016-47/
URL https://www.phpmyadmin.net/security/PMASA-2016-48/
URL https://www.phpmyadmin.net/security/PMASA-2016-49/
URL https://www.phpmyadmin.net/security/PMASA-2016-50/
URL https://www.phpmyadmin.net/security/PMASA-2016-51/
URL https://www.phpmyadmin.net/security/PMASA-2016-52/
URL https://www.phpmyadmin.net/security/PMASA-2016-53/
URL https://www.phpmyadmin.net/security/PMASA-2016-54/
URL https://www.phpmyadmin.net/security/PMASA-2016-55/
URL https://www.phpmyadmin.net/security/PMASA-2016-56/