Bug 672938 (CVE-2018-19968, CVE-2018-19969, CVE-2018-19970, PMASA-2018-6, PMASA-2018-7, PMASA-2018-8) - <dev-db/phpmyadmin-4.8.4: multiple vulnerabilities (PMASA-2018-{6,7,8})
Summary: <dev-db/phpmyadmin-4.8.4: multiple vulnerabilities (PMASA-2018-{6,7,8})
Status: RESOLVED FIXED
Alias: CVE-2018-19968, CVE-2018-19969, CVE-2018-19970, PMASA-2018-6, PMASA-2018-7, PMASA-2018-8
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
Whiteboard: B2 [glsa+ cve]
Blocks: CVE-2018-12613
Reported: 2018-12-11 17:53 UTC by GLSAMaker/CVETool Bot
Modified: 2020-03-19 16:10 UTC
Package list:
=dev-db/phpmyadmin-4.8.5
Runtime testing required: ---
stable-bot: sanity-check+


Description GLSAMaker/CVETool Bot gentoo-dev 2018-12-11 17:53:23 UTC
Incoming details.
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2018-12-11 17:56:09 UTC
PMASA-2018-6
Announcement-ID: PMASA-2018-6

Date: 2018-12-07

Summary
Local file inclusion through transformation feature

Description
A flaw has been found where an attacker can exploit phpMyAdmin to leak the contents of a local file. The attacker must have access to the phpMyAdmin Configuration Storage tables, although these can easily be created in any database to which the attacker has access. An attacker must have valid credentials to log in to phpMyAdmin; this vulnerability does not allow an attacker to circumvent the login system.

Severity
We consider this vulnerability to be severe.

Affected Versions
phpMyAdmin versions from at least 4.0 through 4.8.3 are affected.

Solution
Upgrade to phpMyAdmin 4.8.4 or newer or apply patch listed below.

References
This vulnerability was reported by Daniel Le Gall from SCRT.

Assigned CVE ids: CVE-2018-19968

CWE ids: CWE-661 CWE-98

Patches
The following commits have been made on the 4.8 branch to fix this issue:

6a1ba61e29002f0305a9322a8af4eaaeb11c0732

Source: https://www.phpmyadmin.net/security/PMASA-2018-6/


PMASA-2018-7
Announcement-ID: PMASA-2018-7

Date: 2018-12-07

Summary
XSRF/CSRF vulnerability in phpMyAdmin

Description
By deceiving a user into clicking on a crafted URL, it is possible to perform harmful SQL operations such as renaming databases, creating new tables/routines, deleting designer pages, adding/deleting users, updating user passwords, killing SQL processes, etc.

Severity
We consider this vulnerability to be of moderate severity.

Affected Versions
phpMyAdmin versions 4.7.0 through 4.7.6 and 4.8.0 through 4.8.3 are affected.

Solution
Upgrade to phpMyAdmin 4.8.4 or newer or apply patch listed below.

References
Thanks to Daniel Le Gall from SCRT, Mustafa Hasan (@strukt93), SI9INT and Prasetia Ari for reporting this vulnerability.

Assigned CVE ids: CVE-2018-19969

CWE ids: CWE-661 CWE-352

Patches
The following commits have been made on the 4.8 branch to fix this issue:

Source: https://www.phpmyadmin.net/security/PMASA-2018-7/


PMASA-2018-8
Announcement-ID: PMASA-2018-8

Date: 2018-12-07

Summary
XSS vulnerability in navigation tree

Description
A Cross-Site Scripting vulnerability was found in the navigation tree, where an attacker can deliver a payload to a user through a specially-crafted database/table name.

Severity
We consider this attack to be of moderate severity.

Mitigation factor
The stored XSS vulnerabilities can be triggered only by someone who logged in to phpMyAdmin, as the usual token protection prevents non-logged-in users from accessing the required forms.

Affected Versions
phpMyAdmin versions from at least 4.0 through 4.8.3 are affected.

Solution
Upgrade to phpMyAdmin 4.8.4 or newer or apply patch listed below.

References
Thanks to YU-HSIANG HUANG (huang.yuhsiang.phone@gmail.com), YUNG-HAO TSENG, and Eddie TC CHANG for reporting this vulnerability.

Assigned CVE ids: CVE-2018-19970

CWE ids: CWE-661 CWE-79

Patches
The following commits have been made on the 4.8 branch to fix this issue:

b293ff5f234ef493336ed8638f623a12164d359e

Source: https://www.phpmyadmin.net/security/PMASA-2018-8/
Comment 2 Aaron Bauman (RETIRED) gentoo-dev 2019-03-30 00:22:53 UTC
@arches, please stabilize.
Comment 3 Agostino Sarubbo gentoo-dev 2019-03-30 10:47:11 UTC
amd64 stable
Comment 4 Thomas Deutschmann (RETIRED) gentoo-dev 2019-04-02 01:39:49 UTC
x86 stable
Comment 5 Rolf Eike Beer archtester 2019-04-02 18:40:37 UTC
sparc stable
Comment 6 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2019-04-08 06:39:43 UTC
alpha stable
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2019-04-15 20:54:32 UTC
This issue was resolved and addressed in GLSA 201904-16 at https://security.gentoo.org/glsa/201904-16 by GLSA coordinator Aaron Bauman (b-man).
Comment 8 Aaron Bauman (RETIRED) gentoo-dev 2019-04-15 20:57:10 UTC
re-opened for final arches and cleanup.
Comment 9 ernsteiswuerfel archtester 2019-05-29 10:26:57 UTC
Looking good on ppc64.

# cat phpmyadmin-672938.report 
USE tests started on Mi 29. Mai 04:38:47 CEST 2019

FEATURES=' test' USE='' succeeded for =dev-db/phpmyadmin-4.8.5
USE='-setup -vhosts' succeeded for =dev-db/phpmyadmin-4.8.5
USE='setup -vhosts' succeeded for =dev-db/phpmyadmin-4.8.5
USE='-setup vhosts' succeeded for =dev-db/phpmyadmin-4.8.5
USE='setup vhosts' succeeded for =dev-db/phpmyadmin-4.8.5
Comment 10 ernsteiswuerfel archtester 2019-05-29 16:07:57 UTC
Looking good on ppc.

# cat phpmyadmin-672938.report 
USE tests started on Mi 29. Mai 15:05:41 CEST 2019

FEATURES=' test' USE='' succeeded for =dev-db/phpmyadmin-4.8.5
USE='-setup -vhosts' succeeded for =dev-db/phpmyadmin-4.8.5
USE='setup -vhosts' succeeded for =dev-db/phpmyadmin-4.8.5
USE='-setup vhosts' succeeded for =dev-db/phpmyadmin-4.8.5
USE='setup vhosts' succeeded for =dev-db/phpmyadmin-4.8.5
Comment 11 Agostino Sarubbo gentoo-dev 2019-06-04 10:59:30 UTC
ppc64 stable
Comment 12 Agostino Sarubbo gentoo-dev 2019-06-04 20:57:53 UTC
ppc stable.

Maintainer(s), please cleanup.
Comment 13 Miroslav Šulc gentoo-dev 2019-11-08 08:42:28 UTC
afaics the oldest is currently 4.8.5 so tree does not contain any affected version.
Comment 14 Thomas Deutschmann (RETIRED) gentoo-dev 2020-03-19 16:06:06 UTC
Added to an existing GLSA.
Comment 15 Thomas Deutschmann (RETIRED) gentoo-dev 2020-03-19 16:10:26 UTC
Forget previous comment, GLSA for this vulnerability was already released, see comment #7.

Repository is clean, all done.