phpMyAdmin 4.0.10.x < 4.0.10.18 / 4.4.15.x < 4.4.15.9 / 4.6.x < 4.6.5 Multiple Vulnerabilities

critical Nessus Network Monitor Plugin ID 9830

Synopsis

The remote web server contains a version of phpMyAdmin that is affected by multiple vulnerabilities.

Description

Versions of phpMyAdmin 4.0.10.x prior to 4.0.10.18, 4.4.15.x prior to 4.4.15.9, and 4.6.x prior to 4.6.5 are unpatched, and therefore affected by the following vulnerabilities :

- A flaw exists in 'blowfish_secret' that is triggered as key values are created using an insecure algorithm. This may allow a context-dependent attacker to potentially decrypt cookies and steal sensitive information.
- A flaw exists in the 'phpinfo.php' script that is due to the script exposing the values of HttpOnly cookies. This may allow a remote attacker to gain access to potentially sensitive information.
- A flaw exists in the 'libraries/plugins/auth/AuthenticationCookie.php' script that is triggered when handling NULL bytes in usernames. This may allow a remote attacker to bypass "$cfg['Servers'][$i]['AllowRoot']" AllowRoot restrictions.
- A flaw exists in the 'libraries/ip_allow_deny.lib.php' script that is triggered by non-constant execution time during username matching. This may allow a remote attacker to bypass allow / deny rules.
- A flaw exists that is triggered when handling input supplied via the 'last_access_time' parameter. This may allow a remote attacker to bypass the logout timeout feature.
- A flaw exists in the 'libraries/VersionInformation.php' script related to the 'fopen' wrapper. This may allow a remote attacker to disclose the software's installation path. While such information is relatively low risk, it is often useful in carrying out additional, more focused attacks.
- A flaw exists in 'libraries/VersionInformation.php' related to the 'curl' wrapper. This may allow a remote attacker to disclose the software's installation path. While such information is relatively low risk, it is often useful in carrying out additional, more focused attacks.
- A flaw exists in the 'setCriterias()' function in 'libraries/SavedSearches.class.php' that is triggered as input passed via certain parameters is not properly sanitized in the saved search functionality. This may allow an authenticated remote attacker to cause a denial of service.
- A flaw exists in the 'import.php' script that is triggered as input passed via the skip value is not properly sanitized. This may allow an authenticated remote attacker to cause a denial of service.
- A flaw exists in the 'hash_hmac()' function in 'libraries/core.lib.php' that is triggered during the handling of MySQL host names. This may allow a remote attacker to cause a denial of service attack.
- A flaw exists in the 'PMA_linkURL()' function in 'libraries/core.lib.php' that is due to a limitation in URL matching. This may allow a remote attacker to bypass URL whitelist protection mechanisms.
- A flaw exists in the 'getErrorMessage()' function in 'libraries/plugins/AuthenticationPlugin.php' that is triggered during the handling of a specially crafted login request. This may allow a remote attacker to inject BBCode in the login page.
- A flaw exists in the 'libraries/tbl_partition_definition.inc.php' script that is triggered during the handling of a very large request to table partitioning function. This may allow an authenticated remote attacker to cause a denial of service.
- A flaw exists that may allow carrying out a SQL injection attack. The issue is due to the 'isTracked()' function in the 'libraries/Tracker.class.php' script not properly sanitizing input to the 'user' parameter. This may allow a remote attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.
- A flaw exists that may allow carrying out a SQL injection attack. The issue is due to the 'PMA_exportAsFileDownload()' function in the 'libraries/tracking.lib.php' script not properly sanitizing input to the 'table' parameter. This may allow a remote attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.
- A flaw exists in the 'PMA_safeUnserialize()' function in 'libraries/core.lib.php' that is triggered during the parsing of serialized strings. This may allow a remote attacker to bypass unserialization protection mechanisms.
- A flaw exists in the 'prefs_manage.php' script that is triggered as the CSRF tokens are not properly stripped from return URLs of the preference import action when 'arg_separator' differs from its default value. This may allow a context-dependent attacker to potentially disclose token information.
- A flaw exists that allows multiple cross-site scripting (XSS) attacks. This flaw exists because the program does not validate input before returning it to users. This may allow a remote attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server.

Solution

Upgrade to phpMyAdmin version 4.6.5 or later. If 4.6.5 cannot be obtained, versions 4.4.15.9 and 4.0.10.18 have also been patched for these vulnerabilities.

See Also

https://www.phpmyadmin.net/security/PMASA-2016-70

Plugin Details

Severity: Critical

ID: 9830

Family: CGI

Published: 12/16/2016

Updated: 3/6/2019

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 8.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 9.4

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:X/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:phpmyadmin:phpmyadmin

Patch Publication Date: 11/25/2016

Vulnerability Publication Date: 11/25/2016

Reference Information

CVE: CVE-2016-6621, CVE-2016-9847, CVE-2016-9848, CVE-2016-9849, CVE-2016-9850, CVE-2016-9851, CVE-2016-9852, CVE-2016-9853, CVE-2016-9856, CVE-2016-9857, CVE-2016-9858, CVE-2016-9859, CVE-2016-9860, CVE-2016-9861, CVE-2016-9862, CVE-2016-9863, CVE-2016-9864, CVE-2016-9865, CVE-2016-9866