
Bug 586964 (CVE-2016-5097, CVE-2016-5098, CVE-2016-5099, CVE-2016-5701, CVE-2016-5702, CVE-2016-5703, CVE-2016-5704, CVE-2016-5705, CVE-2016-5706, CVE-2016-5730, CVE-2016-5731, CVE-2016-5732, CVE-2016-5733, CVE-2016-5734, CVE-2016-5739)

Summary: <dev-db/phpmyadmin-{4.0.10.16,4.4.15.7,4.6.3}: multiple vulnerabilities
Product: Gentoo Security
Reporter: Agostino Sarubbo <ago>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: jmbsvicetto, web-apps
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://www.phpmyadmin.net/news/2016/6/23/phpmyadmin-401016-44157-and-463-are-released/
Whiteboard: B3 [glsa cve]
Package list:
Runtime testing required: ---
Bug Depends on: 593582    
Bug Blocks:    

Description Agostino Sarubbo gentoo-dev 2016-06-24 15:37:22 UTC
From ${URL} :

The phpMyAdmin project announces the release of phpMyAdmin versions 4.0.10.16, 4.4.15.7, and 4.6.3. All versions feature many security fixes that are announced as PMASA-2016-17 through PMASA-2016-28 which are posted at https://www.phpmyadmin.net/security/.

Furthermore, version 4.6.3 includes the regularly scheduled maintenance improvements and bug fixes. In addition to bugs affecting particular version combinations, some of the other bugs fixed include:

- Fixing cookie path on Windows
- Fix MySQL SSL connections with some PHP versions
- Fix listing of routines for non-privileged user

As well as several more. Complete details are available in the ChangeLog.

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2016-07-16 08:02:32 UTC
CVE-2016-5739 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5739):
  The Transformation implementation in phpMyAdmin 4.0.x before 4.0.10.16,
  4.4.x before 4.4.15.7, and 4.6.x before 4.6.3 does not use the no-referrer
  Content Security Policy (CSP) protection mechanism, which makes it easier
  for remote attackers to conduct CSRF attacks by reading an authentication
  token in a Referer header, related to libraries/Header.php.

CVE-2016-5734 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5734):
  phpMyAdmin 4.0.x before 4.0.10.16, 4.4.x before 4.4.15.7, and 4.6.x before
  4.6.3 does not properly choose delimiters to prevent use of the preg_replace
  e (aka eval) modifier, which might allow remote attackers to execute
  arbitrary PHP code via a crafted string, as demonstrated by the table
  search-and-replace implementation.

CVE-2016-5733 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5733):
  Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 4.0.x
  before 4.0.10.16, 4.4.x before 4.4.15.7, and 4.6.x before 4.6.3 allow remote
  attackers to inject arbitrary web script or HTML via vectors involving (1) a
  crafted table name that is mishandled during privilege checking in
  table_row.phtml, (2) a crafted mysqld log_bin directive that is mishandled
  in log_selector.phtml, (3) the Transformation implementation, (4) AJAX error
  handling in js/ajax.js, (5) the Designer implementation, (6) the charts
  implementation in js/tbl_chart.js, or (7) the zoom-search implementation in
  rows_zoom.phtml.

CVE-2016-5732 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5732):
  Multiple cross-site scripting (XSS) vulnerabilities in the partition-range
  implementation in templates/table/structure/display_partitions.phtml in the
  table-structure page in phpMyAdmin 4.6.x before 4.6.3 allow remote attackers
  to inject arbitrary web script or HTML via crafted table parameters.

CVE-2016-5731 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5731):
  Cross-site scripting (XSS) vulnerability in examples/openid.php in
  phpMyAdmin 4.0.x before 4.0.10.16, 4.4.x before 4.4.15.7, and 4.6.x before
  4.6.3 allows remote attackers to inject arbitrary web script or HTML via
  vectors involving an OpenID error message.

CVE-2016-5730 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5730):
  phpMyAdmin 4.0.x before 4.0.10.16, 4.4.x before 4.4.15.7, and 4.6.x before
  4.6.3 allows remote attackers to obtain sensitive information via vectors
  involving (1) an array value to FormDisplay.php, (2) incorrect data to
  validate.php, (3) unexpected data to Validator.php, (4) a missing config
  directory during setup, or (5) an incorrect OpenID identifier data type,
  which reveals the full path in an error message.

CVE-2016-5706 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5706):
  js/get_scripts.js.php in phpMyAdmin 4.0.x before 4.0.10.16, 4.4.x before
  4.4.15.7, and 4.6.x before 4.6.3 allows remote attackers to cause a denial
  of service via a large array in the scripts parameter.

CVE-2016-5705 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5705):
  Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 4.4.x
  before 4.4.15.7 and 4.6.x before 4.6.3 allow remote attackers to inject
  arbitrary web script or HTML via vectors involving (1) server-privileges
  certificate data fields on the user privileges page, (2) an "invalid JSON"
  error message in the error console, (3) a database name in the central
  columns implementation, (4) a group name, or (5) a search name in the
  bookmarks implementation.

CVE-2016-5704 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5704):
  Cross-site scripting (XSS) vulnerability in the table-structure page in
  phpMyAdmin 4.6.x before 4.6.3 allows remote attackers to inject arbitrary
  web script or HTML via vectors involving a comment.

CVE-2016-5703 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5703):
  SQL injection vulnerability in libraries/central_columns.lib.php in
  phpMyAdmin 4.4.x before 4.4.15.7 and 4.6.x before 4.6.3 allows remote
  attackers to execute arbitrary SQL commands via a crafted database name that
  is mishandled in a central column query.

CVE-2016-5702 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5702):
  phpMyAdmin 4.6.x before 4.6.3, when the environment lacks a PHP_SELF value,
  allows remote attackers to conduct cookie-attribute injection attacks via a
  crafted URI.

CVE-2016-5701 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5701):
  setup/frames/index.inc.php in phpMyAdmin 4.0.10.x before 4.0.10.16, 4.4.15.x
  before 4.4.15.7, and 4.6.x before 4.6.3 allows remote attackers to conduct
  BBCode injection attacks against HTTP sessions via a crafted URI.

CVE-2016-5099 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5099):
  Cross-site scripting (XSS) vulnerability in phpMyAdmin 4.4.x before 4.4.15.6
  and 4.6.x before 4.6.2 allows remote attackers to inject arbitrary web
  script or HTML via special characters that are mishandled during double URL
  decoding.

CVE-2016-5098 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5098):
  Directory traversal vulnerability in libraries/error_report.lib.php in
  phpMyAdmin before 4.6.2-prerelease allows remote attackers to determine the
  existence of arbitrary files by triggering an error.

CVE-2016-5097 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5097):
  phpMyAdmin before 4.6.2 places tokens in query strings and does not arrange
  for them to be stripped before external navigation, which allows remote
  attackers to obtain sensitive information by reading (1) HTTP requests or
  (2) server logs.
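
The summary's `<dev-db/phpmyadmin-{4.0.10.16,4.4.15.7,4.6.3}` atom and the CVE texts in comment 1 give a separate fixed version per release branch, so a single "older than 4.6.3" comparison would misreport a patched 4.4.15.7 install. The sketch below is an added example (not part of the bug report, and not Gentoo or phpMyAdmin tooling) that matches an installed version against those per-branch ranges; CVE-2016-5097 and CVE-2016-5098 are left out because their text gives no per-branch range, and all function and variable names are illustrative.

```python
# Added example, not Gentoo or phpMyAdmin code. Ranges transcribed from the
# CVE texts in comment 1; function and variable names are illustrative.

def parse(version):
    """'4.4.15.7' -> (4, 4, 15, 7). Raises ValueError on non-numeric parts."""
    return tuple(int(part) for part in version.strip().split("."))

# Each range is (branch prefix, first fixed version on that branch).
ALL3 = [("4.0", "4.0.10.16"), ("4.4", "4.4.15.7"), ("4.6", "4.6.3")]
B44_46 = [("4.4", "4.4.15.7"), ("4.6", "4.6.3")]
B46 = [("4.6", "4.6.3")]

AFFECTED = {
    "CVE-2016-5739": ALL3, "CVE-2016-5734": ALL3, "CVE-2016-5733": ALL3,
    "CVE-2016-5731": ALL3, "CVE-2016-5730": ALL3, "CVE-2016-5706": ALL3,
    "CVE-2016-5705": B44_46, "CVE-2016-5703": B44_46,
    "CVE-2016-5732": B46, "CVE-2016-5704": B46, "CVE-2016-5702": B46,
    "CVE-2016-5701": [("4.0.10", "4.0.10.16"), ("4.4.15", "4.4.15.7"),
                      ("4.6", "4.6.3")],
    "CVE-2016-5099": [("4.4", "4.4.15.6"), ("4.6", "4.6.2")],
}

def is_affected(installed, ranges):
    """True if `installed` is on a listed branch and older than its fix."""
    v = parse(installed)
    for prefix, fixed in ranges:
        branch = parse(prefix)
        # Compare only within the same branch: 4.4.15.7 sorts below 4.6.3
        # but is the fixed release of its own branch.
        if v[:len(branch)] == branch and v < parse(fixed):
            return True
    return False

def open_cves(installed):
    """CVE ids from AFFECTED whose stated range includes `installed`.
    A version on a branch the CVE text does not mention yields no match,
    which means "not covered by this data", not "known safe"."""
    return sorted(cve for cve, r in AFFECTED.items() if is_affected(installed, r))

if __name__ == "__main__":
    for ver in ("4.0.10.15", "4.4.15.6", "4.4.15.7", "4.6.2", "4.6.3"):
        print(ver, len(open_cves(ver)), "matching CVEs")
```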
Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev 2017-01-10 14:45:11 UTC
Added to existing GLSA.
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2017-01-11 13:13:19 UTC
This issue was resolved and addressed in GLSA 201701-32 at https://security.gentoo.org/glsa/201701-32 by GLSA coordinator Aaron Bauman (b-man).