[arch-security] [ASA-201606-25] phpmyadmin: multiple issues

Sat Jun 25 19:50:44 UTC 2016

Arch Linux Security Advisory ASA-201606-25
==========================================

Severity: High
Date    : 2016-06-25
CVE-ID  : CVE-2016-5701 CVE-2016-5702 CVE-2016-5703 CVE-2016-5704 
          CVE-2016-5705 CVE-2016-5706 CVE-2016-5730 CVE-2016-5731
	  CVE-2016-5732 CVE-2016-5732 CVE-2016-5733 CVE-2016-5739
Package : phpmyadmin
Type    : multiple issues
Remote  : Yes
Link    : https://wiki.archlinux.org/index.php/CVE

Summary
=======

The package phpmyadmin before version 4.6.3-1 is vulnerable to multiple 
issues.

Resolution
==========

Upgrade to 4.6.3-1.

# pacman -Syu "phpmyadmin>=4.6.3-1"

The problems have been fixed upstream in version 4.6.3.

Workaround
==========

None.

Description
===========

- CVE-2016-5702 (cookie attribute injection)

A vulnerability was found where, under some circumstances, an attacker 
can inject arbitrary values in the browser cookies.
Only affected when PHP_SELF is not set.

- CVE-2016-5703 (SQL injection)

A vulnerability was discovered that allows an SQL injection attack to 
run arbitrary commands as the control user.

This attack requires a controluser to exist and be configured in
`config.inc.php`, therefore the attack can be mitigated by temporarily 
disabling the controluser.

- CVE-2016-5704 (cross-side scripting)

An cross-side scripting vulnerability was discovered on the table 
structure page

- CVE-2016-5705 (cross-side scripting)

 * An cross-side scripting vulnerability was discovered on the user 
   privileges page.
 * An cross-side scripting vulnerability was discovered in the error
   console.
 * An cross-side scripting vulnerability was discovered in the central
   columns feature.
 * An cross-side scripting vulnerability was discovered in the
   query bookmarks feature.
 * An cross-side scripting vulnerability was discovered in the user 
   groups feature.

- CVE-2016-5706 (denial of service)

A Denial Of Service (DOS) attack was discovered in the way phpMyAdmin 
loads some JavaScript files.

- CVE-2016-5730 (information disclosure)

By specially crafting requests in the following areas, it is possible 
to trigger phpMyAdmin to display a PHP error message which contains the 
full path of the directory where phpMyAdmin is installed.

1. Setup script 2. Example OpenID authentication script

To mitigate these issues, it is possible to remove the setup script and 
examples subdirectories: ./setup/ and ./examples/.

- CVE-2016-5731 (cross-side scripting)

With a specially crafted request, it is possible to trigger an 
cross-side scripting attack through the example OpenID authentication 
script.
Only affected when the default php.ini is changed and set html_errors = Off.

- CVE-2016-5732 (cross-side scripting)

A vulnerability was reported allowing a specially crafted table 
parameters to cause an cross-side scripting attack through the table 
structure page.

- CVE-2016-57033 (cross-side scripting)

* A vulnerability was reported allowing a specially crafted table name 
  to cause an cross-side scripting attack through the functionality to 
  check database privileges.
* This cross-side scripting doesn't exist in some translations due to 
  different quotes being used there (eg. Czech).
* A vulnerability was reported allowing a specifically-configured
  MySQL server to execute an cross-side scripting attack. This 
  particular attack requires configuring the MySQL server log_bin 
  directive with the payload.
* Several cross-side scripting vulnerabilities were found with the 
  Transformation feature
* Several cross-side scripting vulnerabilities were found in AJAX error 
  handling
* Several cross-side scripting vulnerabilities were found in the 
  Designer feature
* An cross-side scripting vulnerability was found in the charts feature
* An cross-side scripting vulnerability was found in the zoom search 
  feature

- CVE-2016-5739 (information disclosure)

A vulnerability was reported where a specially crafted Transformation 
could be used to leak information including the authentication token.
This could be used to direct a CSRF attack against a user.

Impact
======

A remote attacker might be able to access sensitive information, cause 
a denial of service, cause a cross-side scripting attack or cause an 
SQL injection.

References
==========

https://access.redhat.com/security/cve/CVE-2016-5701
https://access.redhat.com/security/cve/CVE-2016-5702
https://access.redhat.com/security/cve/CVE-2016-5703
https://access.redhat.com/security/cve/CVE-2016-5704
https://access.redhat.com/security/cve/CVE-2016-5705
https://access.redhat.com/security/cve/CVE-2016-5706
https://access.redhat.com/security/cve/CVE-2016-5730
https://access.redhat.com/security/cve/CVE-2016-5731
https://access.redhat.com/security/cve/CVE-2016-5732
https://access.redhat.com/security/cve/CVE-2016-5733
https://access.redhat.com/security/cve/CVE-2016-5739
https://www.phpmyadmin.net/security/PMASA-2016-17/
https://www.phpmyadmin.net/security/PMASA-2016-18/
https://www.phpmyadmin.net/security/PMASA-2016-19/
https://www.phpmyadmin.net/security/PMASA-2016-20/
https://www.phpmyadmin.net/security/PMASA-2016-21/
https://www.phpmyadmin.net/security/PMASA-2016-22/
https://www.phpmyadmin.net/security/PMASA-2016-23/
https://www.phpmyadmin.net/security/PMASA-2016-24/
https://www.phpmyadmin.net/security/PMASA-2016-25/
https://www.phpmyadmin.net/security/PMASA-2016-26/
https://www.phpmyadmin.net/security/PMASA-2016-27/
https://www.phpmyadmin.net/security/PMASA-2016-28/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 473 bytes
Desc: not available
URL: <https://lists.archlinux.org/pipermail/arch-security/attachments/20160625/ddbec90b/attachment.asc>