
Bug 478696 (CVE-2013-4995)

Summary: <dev-db/phpmyadmin-{3.5.8.2,4.0.4.2}: Multiple Vulnerabilities (CVE-2013-{4995,4996,4997,4998,4999,5000,5001,5002,5003})
Product: Gentoo Security
Reporter: Agostino Sarubbo <ago>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: a3li, axiator, kripton, web-apps
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://secunia.com/advisories/54295/
See Also: https://bugs.gentoo.org/show_bug.cgi?id=479870
Whiteboard: B3 [glsa]
Package list:
Runtime testing required: ---
Bug Depends on: 479870
Bug Blocks:

Description Agostino Sarubbo gentoo-dev 2013-07-29 21:03:41 UTC
From ${URL} :

Description

Multiple vulnerabilities have been reported in phpMyAdmin, which can be exploited by malicious users to conduct script insertion and SQL injection attacks.

1) Input passed via the "User", "Host", "db", and "Command" parameters related to the Status Monitor view is not properly sanitised before being used. This can be exploited to insert arbitrary HTML and script code, which will be executed in a user's browser session in context of an affected site if malicious data is viewed.

2) Input passed via a link to an object is not properly sanitised before being used to display the contents of a table. This can be exploited to insert arbitrary HTML and script code, which will be executed in a user's browser session in context of an affected site if malicious data is viewed.

Successful exploitation requires that the link transformation plugin is used.

This vulnerability is reported in versions 4.0.x prior to 4.0.4.2.

3) Input passed via the "scale" POST parameter to pmd_pdf.php and via the "pdf_page_number" POST parameter to schema_export.php is not properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code with the privileges of the control user.

The vulnerabilities #1 and #3 are reported in versions 3.5.x prior to 3.5.8.2 and 4.0.x prior to 4.0.4.2.


Solution:
Update to version 3.5.8.2 or 4.0.4.2.

Provided and/or discovered by:
The vendor credits:
1) Emanuel Bronshtein
2) Dieter Adriaenssens
3) Noam Rathaus

Original Advisory:
http://www.phpmyadmin.net/home_page/security/PMASA-2013-9.php
http://www.phpmyadmin.net/home_page/security/PMASA-2013-13.php
http://www.phpmyadmin.net/home_page/security/PMASA-2013-15.php


@maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not.
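As an added example (not part of this bug, the Secunia advisory, or Gentoo's own tooling), the POSIX shell functions below encode the affected ranges stated above, 3.5.x prior to 3.5.8.2 and 4.0.x prior to 4.0.4.2, which match the `<dev-db/phpmyadmin-{3.5.8.2,4.0.4.2}` atoms in the bug summary, so an administrator can check an installed version string against them. The sample versions in the loop are constructed, and stripping a Gentoo `-rN` revision suffix before comparing is an assumption of this example.

```shell
#!/bin/sh
# Hypothetical checker for this bug's affected ranges (added example, not Gentoo code).

# version_lt A B: exit 0 if dotted version A sorts before B, comparing each
# numeric component in turn; a missing component counts as 0 (so 4.0.4 < 4.0.4.2).
version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        [ -z "$ai" ] && ai=0
        [ -z "$bi" ] && bi=0
        if [ "$ai" -lt "$bi" ]; then return 0; fi
        if [ "$ai" -gt "$bi" ]; then return 1; fi
        # drop the component just compared; stop when no dot is left
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
    done
    return 1   # equal versions are not "less than"
}

# phpmyadmin_affected VERSION: exit 0 if VERSION lies in a range the advisory
# names as vulnerable (3.5.x < 3.5.8.2 or 4.0.x < 4.0.4.2), 1 otherwise.
phpmyadmin_affected() {
    v="${1%%-*}"   # assumption: a Gentoo -rN revision suffix follows the upstream version
    case "$v" in
        3.5.*) version_lt "$v" 3.5.8.2 ;;
        4.0.*) version_lt "$v" 4.0.4.2 ;;
        *)     return 1 ;;
    esac
}

# Constructed sample versions; feed the real installed version string instead.
for v in 3.5.8.1 3.5.8.2 4.0.4.1 4.0.4.2 4.0.5 4.1.0; do
    if phpmyadmin_affected "$v"; then
        echo "phpmyadmin-$v: in an affected range, update to 3.5.8.2 / 4.0.4.2 or newer"
    else
        echo "phpmyadmin-$v: not in the affected ranges"
    fi
done
```

The check follows the advisory's per-branch wording rather than treating `<dev-db/phpmyadmin-4.0.4.2` as covering every older version, so a version outside the 3.5 and 4.0 branches is reported as not matched and must be judged separately.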
Comment 1 Chris Reffett gentoo-dev Security 2013-08-05 22:36:52 UTC
In light of bug 479870, I'd say ignore 3.5.8.2 and just go to 4.0.5.
Comment 2 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2013-08-24 20:09:04 UTC
GLSA with 479870, 465420, 467080
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2013-08-24 20:17:28 UTC
CVE-2013-5003 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5003):
  Multiple SQL injection vulnerabilities in phpMyAdmin 3.5.x before 3.5.8.2
  and 4.0.x before 4.0.4.2 allow remote authenticated users to execute
  arbitrary SQL commands via (1) the scale parameter to pmd_pdf.php or (2) the
  pdf_page_number parameter to schema_export.php.

CVE-2013-5002 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5002):
  Cross-site scripting (XSS) vulnerability in
  libraries/schema/Export_Relation_Schema.class.php in phpMyAdmin 3.5.x before
  3.5.8.2 and 4.0.x before 4.0.4.2 allows remote authenticated users to inject
  arbitrary web script or HTML via a crafted pageNumber value to
  schema_export.php.

CVE-2013-5001 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5001):
  Cross-site scripting (XSS) vulnerability in
  libraries/plugins/transformations/abstract/TextLinkTransformationsPlugin.class.php
  in phpMyAdmin 4.0.x before 4.0.4.2 allows remote authenticated users to
  inject arbitrary web script or HTML via a crafted object name associated
  with a TextLinkTransformationPlugin link.

CVE-2013-5000 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5000):
  phpMyAdmin 3.5.x before 3.5.8.2 allows remote attackers to obtain sensitive
  information via an invalid request, which reveals the installation path in
  an error message, related to config.default.php and other files.

CVE-2013-4999 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4999):
  phpMyAdmin 4.0.x before 4.0.4.2 allows remote attackers to obtain sensitive
  information via an invalid request, which reveals the installation path in
  an error message, related to Error.class.php and Error_Handler.class.php.

CVE-2013-4998 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4998):
  phpMyAdmin 3.5.x before 3.5.8.2 and 4.0.x before 4.0.4.2 allows remote
  attackers to obtain sensitive information via an invalid request, which
  reveals the installation path in an error message, related to pmd_common.php
  and other files.

CVE-2013-4997 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4997):
  Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 3.5.x
  before 3.5.8.2 allow remote attackers to inject arbitrary web script or HTML
  via vectors involving a JavaScript event in (1) an anchor identifier to
  setup/index.php or (2) a chartTitle (aka chart title) value.

CVE-2013-4996 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4996):
  Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 3.5.x
  before 3.5.8.2 and 4.0.x before 4.0.4.2 allow remote attackers to inject
  arbitrary web script or HTML via vectors involving (1) a crafted database
  name, (2) a crafted user name, (3) a crafted logo URL in the navigation
  panel, (4) a crafted entry in a certain proxy list, or (5) crafted content
  in a version.json file.

CVE-2013-4995 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4995):
  Cross-site scripting (XSS) vulnerability in phpMyAdmin 3.5.x before 3.5.8.2
  and 4.0.x before 4.0.4.2 allows remote authenticated users to inject
  arbitrary web script or HTML via a crafted SQL query that is not properly
  handled during the display of row information.
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2013-11-04 11:57:10 UTC
This issue was resolved and addressed in GLSA 201311-02 at http://security.gentoo.org/glsa/glsa-201311-02.xml by GLSA coordinator Sergey Popov (pinkbyte).