=====================================================================
                            CERT-Renater

               Information Note No. 2016/VULN400
_____________________________________________________________________

DATE                : 28/11/2016

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running phpMyAdmin versions 4 prior to
                     4.6.5, 4.4.15.9.

=====================================================================
https://www.phpmyadmin.net/security/PMASA-2016-62/
https://www.phpmyadmin.net/security/PMASA-2016-63/
https://www.phpmyadmin.net/security/PMASA-2016-64/
https://www.phpmyadmin.net/security/PMASA-2016-65/
https://www.phpmyadmin.net/security/PMASA-2016-66/
https://www.phpmyadmin.net/security/PMASA-2016-67/
https://www.phpmyadmin.net/security/PMASA-2016-68/
https://www.phpmyadmin.net/security/PMASA-2016-69/
https://www.phpmyadmin.net/security/PMASA-2016-70/
https://www.phpmyadmin.net/security/PMASA-2016-71/
____________________________________________________________________

PMASA-2016-62

Announcement-ID: PMASA-2016-62
Date: 2016-11-25

Summary

Bypass logout timeout

Description

With a crafted request parameter value it is possible to bypass the
logout timeout.

Severity

We consider this vulnerability to be of moderate severity.

Affected Versions

All 4.6.x versions (prior to 4.6.5), and 4.4.x versions (prior to
4.4.15.9) are affected.

Solution

Upgrade to phpMyAdmin 4.6.5, 4.4.15.9 or newer or apply patch listed
below.

References

Thanks to Emanuel Bronshtein @e3amn2l for reporting this
vulnerability.

Assigned CVE ids: Not yet assigned
CWE ids: CWE-661

Patches

The following commits have been made on the 4.4 branch to fix this
issue:
  8ee12d3

The following commits have been made on the 4.6 branch to fix this
issue:
  fbad6b9

More information

For further information and in case of questions, please contact the
phpMyAdmin team. Our website is phpmyadmin.net.
____________________________________________________________________

PMASA-2016-63

Announcement-ID: PMASA-2016-63
Date: 2016-11-25

Summary

Multiple full path disclosure vulnerabilities

Description

By calling some scripts that are part of phpMyAdmin in an unexpected
way, it is possible to trigger phpMyAdmin to display a PHP error
message which contains the full path of the directory where
phpMyAdmin is installed. During an execution timeout in the export
functionality, the errors containing the full path of the phpMyAdmin
directory are written to the export file.

Severity

We consider these vulnerabilities to be non-critical.

Affected Versions

All 4.6.x versions (prior to 4.6.5), and 4.4.x versions (prior to
4.4.15.9) are affected.

Solution

Upgrade to phpMyAdmin 4.6.5, 4.4.15.9, or newer or apply patch listed
below.

References

Thanks to Emanuel Bronshtein @e3amn2l for reporting this
vulnerability.

Assigned CVE ids: Not yet assigned
CWE ids: CWE-661

Patches

The following commits have been made on the 4.4 branch to fix this
issue:
  6735d83
  ebcd746

The following commits have been made on the 4.6 branch to fix this
issue:
  6197613
  cf83d6a

More information

For further information and in case of questions, please contact the
phpMyAdmin team. Our website is phpmyadmin.net.
____________________________________________________________________

PMASA-2016-64

Announcement-ID: PMASA-2016-64
Date: 2016-11-25

Summary

Multiple XSS vulnerabilities

Description

Several XSS vulnerabilities have been reported, including an improper
fix for PMASA-2016-10 and a weakness in a regular expression used in
some JavaScript processing.

Severity

We consider this vulnerability to be non-critical.

Affected Versions

All 4.6.x versions (prior to 4.6.5), 4.4.x versions (prior to
4.4.15.9), and 4.0.x versions (prior to 4.0.10.18) are affected.

Solution

Upgrade to phpMyAdmin 4.6.5, 4.4.15.9, 4.0.10.18, or newer or apply
patch listed below.

References

Thanks to Emanuel Bronshtein @e3amn2l for reporting this
vulnerability.

Assigned CVE ids: Not yet assigned
CWE ids: CWE-661 CWE-352

Patches

The following commits have been made on the 4.0 branch to fix this
issue:
  c2f7a89
  b2605eb

The following commits have been made on the 4.4 branch to fix this
issue:
  4141d69
  9473688

The following commits have been made on the 4.6 branch to fix this
issue:
  6e3282e
  3ef6201

More information

For further information and in case of questions, please contact the
phpMyAdmin team. Our website is phpmyadmin.net.
____________________________________________________________________

PMASA-2016-65

Announcement-ID: PMASA-2016-65
Date: 2016-11-25

Summary

Multiple DOS vulnerabilities

Description

With a crafted request parameter value it is possible to initiate a
denial of service attack in the saved searches feature.

With a crafted request parameter value it is possible to initiate a
denial of service attack in the import feature.

An unauthenticated user can execute a denial of service attack when
phpMyAdmin is running with $cfg['AllowArbitraryServer']=true;.

Severity

We consider these vulnerabilities to be of moderate severity.

Affected Versions

All 4.6.x versions (prior to 4.6.5), 4.4.x versions (prior to
4.4.15.9), and 4.0.x versions (prior to 4.0.10.18) are affected.

Solution

Upgrade to phpMyAdmin 4.6.5, 4.4.15.9, 4.0.10.18, or newer or apply
patch listed below.

References

Thanks to Emanuel Bronshtein @e3amn2l for reporting this
vulnerability.

Assigned CVE ids: Not yet assigned
CWE ids: CWE-661 CWE-400

Patches

The following commits have been made on the 4.0 branch to fix this
issue:
  6770062
  0c3dfd1
  6703597

The following commits have been made on the 4.4 branch to fix this
issue:
  fa3bcff
  38e4f77
  a9e3827

The following commits have been made on the 4.6 branch to fix this
issue:
  45e33d6
  283f5d1
  8119464

More information

For further information and in case of questions, please contact the
phpMyAdmin team. Our website is phpmyadmin.net.
____________________________________________________________________

PMASA-2016-66

Announcement-ID: PMASA-2016-66
Date: 2016-11-25

Summary

Bypass white-list protection for URL redirection

Description

Due to the limitation in URL matching, it was possible to bypass the
URL white-list protection.

Severity

We consider this vulnerability to be of moderate severity.

Affected Versions

All 4.6.x versions (prior to 4.6.5), 4.4.x versions (prior to
4.4.15.9), and 4.0.x versions (prior to 4.0.10.18) are affected.

Solution

Upgrade to phpMyAdmin 4.6.5, 4.4.15.9, 4.0.10.18, or newer or apply
patch listed below.

References

Thanks to Emanuel Bronshtein @e3amn2l for reporting this
vulnerability.

Assigned CVE ids: Not yet assigned
CWE ids: CWE-661 CWE-20 CWE-601

Patches

The following commits have been made on the 4.0 branch to fix this
issue:
  af7c589

The following commits have been made on the 4.4 branch to fix this
issue:
  499a61c

The following commits have been made on the 4.6 branch to fix this
issue:
  dac36c3

More information

For further information and in case of questions, please contact the
phpMyAdmin team. Our website is phpmyadmin.net.
____________________________________________________________________

PMASA-2016-67

Announcement-ID: PMASA-2016-67
Date: 2016-11-25

Summary

BBCode injection vulnerability

Description

With a crafted login request it is possible to inject BBCode in the
login page.

Severity

We consider this vulnerability to be severe.

Mitigation factor

This exploit requires phpMyAdmin to be configured with the "cookie"
auth_type; other authentication methods are not affected.

Affected Versions

All 4.6.x versions (prior to 4.6.5) are affected.

Solution

Upgrade to phpMyAdmin 4.6.5 or newer or apply patch listed below.

References

Thanks to Emanuel Bronshtein @e3amn2l for reporting this
vulnerability.

Assigned CVE ids: Not yet assigned
CWE ids: CWE-661

Patches

The following commits have been made on the 4.6 branch to fix this
issue:
  733a5d5

More information

For further information and in case of questions, please contact the
phpMyAdmin team. Our website is phpmyadmin.net.
____________________________________________________________________

PMASA-2016-68

Announcement-ID: PMASA-2016-68
Date: 2016-11-25

Summary

DOS vulnerability in table partitioning

Description

With a very large request to the table partitioning function, it is
possible to invoke a Denial of Service (DOS) attack.

Severity

We consider this vulnerability to be of moderate severity.

Affected Versions

All 4.6.x versions (prior to 4.6.5) are affected.

Solution

Upgrade to phpMyAdmin 4.6.5 or newer or apply patch listed below.

References

Thanks to Emanuel Bronshtein @e3amn2l for reporting this
vulnerability.

Assigned CVE ids: Not yet assigned
CWE ids: CWE-661 CWE-400

Patches

The following commits have been made on the 4.6 branch to fix this
issue:
  7ddcbc0

More information

For further information and in case of questions, please contact the
phpMyAdmin team. Our website is phpmyadmin.net.
____________________________________________________________________

PMASA-2016-69

Announcement-ID: PMASA-2016-69
Date: 2016-11-25
Updated: 2016-11-26

Summary

Multiple SQL injection vulnerabilities

Description

With a crafted username or a table name, it was possible to inject
SQL statements in the tracking functionality that would run with the
privileges of the control user. This gives read and write access to
the tables of the configuration storage database, and if the control
user has the necessary privileges, read access to some tables of the
mysql database.

Edited to correct an incorrect commit ID for the 4.0 branch.

Severity

We consider these vulnerabilities to be serious.

Affected Versions

All 4.6.x versions (prior to 4.6.5), 4.4.x versions (prior to
4.4.15.9), and 4.0.x versions (prior to 4.0.10.18) are affected.

Solution

Upgrade to phpMyAdmin 4.6.5, 4.4.15.9, 4.0.10.18, or newer or apply
patch listed below.

References

Thanks to Emanuel Bronshtein @e3amn2l for reporting this
vulnerability.

Assigned CVE ids: Not yet assigned
CWE ids: CWE-661 CWE-89

Patches

The following commits have been made on the 4.0 branch to fix this
issue:
  337b380
  54875ff

The following commits have been made on the 4.4 branch to fix this
issue:
  d69375f
  9d0b191

The following commits have been made on the 4.6 branch to fix this
issue:
  d74714c
  54875ff

More information

For further information and in case of questions, please contact the
phpMyAdmin team. Our website is phpmyadmin.net.
____________________________________________________________________

PMASA-2016-70

Announcement-ID: PMASA-2016-70
Date: 2016-11-25

Summary

Incorrect serialized string parsing

Description

Due to a bug in serialized string parsing, it was possible to bypass
the protection offered by the PMA_safeUnserialize() function.

Severity

We consider this vulnerability to be severe.

Affected Versions

All 4.6.x versions (prior to 4.6.5), 4.4.x versions (prior to
4.4.15.9), and 4.0.x versions (prior to 4.0.10.18) are affected.

Solution

Upgrade to phpMyAdmin 4.6.5, 4.4.15.9, 4.0.10.18, or newer or apply
patch listed below.

References

Thanks to Emanuel Bronshtein @e3amn2l for reporting this
vulnerability.

Assigned CVE ids: Not yet assigned
CWE ids: CWE-661

Patches

The following commits have been made on the 4.0 branch to fix this
issue:
  5e108a3

The following commits have been made on the 4.4 branch to fix this
issue:
  1fc004d

The following commits have been made on the 4.6 branch to fix this
issue:
  17b34be

More information

For further information and in case of questions, please contact the
phpMyAdmin team. Our website is phpmyadmin.net.
____________________________________________________________________

PMASA-2016-71

Announcement-ID: PMASA-2016-71
Date: 2016-11-25

Summary

CSRF token not stripped from the URL

Description

When the arg_separator is different from its default value of &, the
token was not properly stripped from the return URL of the preference
import action.

Severity

We have not yet determined a severity for this issue.

Affected Versions

All 4.6.x versions (prior to 4.6.5), 4.4.x versions (prior to
4.4.15.9), and 4.0.x versions (prior to 4.0.10.18) are affected.

Solution

Upgrade to phpMyAdmin 4.6.5, 4.4.15.9, 4.0.10.18, or newer or apply
patch listed below.

References

Thanks to Emanuel Bronshtein @e3amn2l for reporting this
vulnerability.

Assigned CVE ids: Not yet assigned
CWE ids: CWE-661

Patches

The following commits have been made on the 4.0 branch to fix this
issue:
  773f126

The following commits have been made on the 4.4 branch to fix this
issue:
  e3f2c74

The following commits have been made on the 4.6 branch to fix this
issue:
  f87358d

More information

For further information and in case of questions, please contact the
phpMyAdmin team. Our website is phpmyadmin.net.

==========================================================
CERT-Renater reference server
https://services.renater.fr/ssi/
==========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44           +
+ 23 - 25 Rue Daviel    | fax : 01-53-94-20-41           +
+ 75013 Paris           | email: cert@support.renater.fr +
==========================================================
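
Added example for PMASA-2016-71 (an illustration of the defect class described there, not phpMyAdmin's code or its patch): a token-stripping routine that assumes `&` as the argument separator, next to one that splits on the separator actually in use. The function names, the URL and the token value are constructed for this example.

```php
<?php
// Added illustration, not phpMyAdmin code. Function names, the URL and the
// token value are constructed for this example.

/** Before: assumes query parameters are always joined with '&'. */
function stripTokenAmpOnly(string $url): string
{
    return preg_replace('/&token=[^&]*/', '', $url);
}

/** After: splits the query string on the separator actually in use. */
function stripToken(string $url, string $sep): string
{
    $qpos = strpos($url, '?');
    if ($qpos === false || $sep === '') {
        return $url; // no query string, or no usable separator
    }
    $path  = substr($url, 0, $qpos);
    $pairs = explode($sep, (string) substr($url, $qpos + 1));
    $kept  = array_filter($pairs, function (string $pair): bool {
        // Compare the parameter name exactly, so "mytoken=1" is kept.
        return $pair !== '' && explode('=', $pair, 2)[0] !== 'token';
    });
    return $kept === [] ? $path : $path . '?' . implode($sep, $kept);
}

// Constructed return URLs: the same parameters joined with '&' and with ';'.
$samples = [
    '&' => 'example.php?server=1&token=0123abcd&tab=import',
    ';' => 'example.php?server=1;token=0123abcd;tab=import',
];
foreach ($samples as $sep => $url) {
    printf(
        "sep %s\n  amp-only:  %s\n  sep-aware: %s\n",
        $sep,
        stripTokenAmpOnly($url),
        stripToken($url, $sep)
    );
}
```

With `;` as the separator, the `&`-only version returns the URL unchanged, token included, while the separator-aware version removes it in both cases.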