Bug 19841 - phpmyadmin new security issues fixed upstream in 4.4.15.9
Summary: phpmyadmin new security issues fixed upstream in 4.4.15.9
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: https://lwn.net/Vulnerabilities/708148/
Whiteboard: has_procedure MGA5-32-OK MGA5-64-OK a...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2016-11-25 18:33 CET by David Walser
Modified: 2016-12-09 18:04 CET (History)
4 users

See Also:
Source RPM: phpmyadmin-4.4.15.8-1.mga5.src.rpm
CVE:
Status comment:


Attachments

David Walser 2016-11-25 18:33:24 CET

Whiteboard: (none) => has_procedure

Comment 1 Herman Viaene 2016-11-30 14:45:41 CET
MGA-32 on AcerD620 Xfce
Installed version 4.4.15.9, no installation issues
Created new table in existing test database
Deleted all tables in this database.
Deleted test user and database, all OK

CC: (none) => herman.viaene
Whiteboard: has_procedure => has_procedure MGA5-32-OK

David Walser 2016-12-05 20:22:32 CET

URL: (none) => https://lwn.net/Vulnerabilities/708148/
Severity: normal => major

Comment 2 Lewis Smith 2016-12-07 10:52:53 CET
Testing MGA5 64-bit real h/w

Updated from Updates_Testing to:
 phpmyadmin-4.4.15.9-1.mga5
accepting rpmnew as the new config file.

Logged in as root, created a user with D/B of same name, all privileges (which I could not get to login having left '%' as the machine domain; but changing that [which actually created a second user of the same name] to 'localhost', it logged in OK). Created a table of different column types, populated a row, deleted the table, logout. As root deleted the user(s).
Looked briefly at a different user's tables.

This looks OK. Validating to get it off the main list, but the Advisory awaits.

Keywords: (none) => validated_update
Whiteboard: has_procedure MGA5-32-OK => has_procedure MGA5-32-OK MGA5-64-OK
CC: (none) => lewyssmith, sysadmin-bugs

Comment 3 David Walser 2016-12-08 20:08:20 CET
Advisory:
========================

Updated phpmyadmin package fixes security vulnerability:

In phpMyAdmin before 4.4.15.9, when the user does not specify a
blowfish_secret key for encrypting cookies, phpMyAdmin generates one at
runtime. A vulnerability was reported where this value is created
using a weak algorithm. This could allow an attacker to determine the user's
blowfish_secret and potentially decrypt their cookies (CVE-2016-9847).

In phpMyAdmin before 4.4.15.9, phpinfo.php shows PHP information including
values of sensitive HttpOnly cookies (CVE-2016-9848).

In phpMyAdmin before 4.4.15.9, it is possible to bypass AllowRoot restriction
($cfg['Servers'][$i]['AllowRoot']) and deny rules for username by using Null
Byte in the username (CVE-2016-9849).

In phpMyAdmin before 4.4.15.9, a vulnerability in username matching for the
allow/deny rules may result in wrong matches and detection of the username in
the rule due to non-constant execution time (CVE-2016-9850).

In phpMyAdmin before 4.4.15.9, with a crafted request parameter value it is
possible to bypass the logout timeout (CVE-2016-9851).

In phpMyAdmin before 4.4.15.9, by calling some scripts that are part of
phpMyAdmin in an unexpected way, it is possible to trigger phpMyAdmin to
display a PHP error message which contains the full path of the directory
where phpMyAdmin is installed. During an execution timeout in the export
functionality, the errors containing the full path of the directory of
phpMyAdmin are written to the export file (CVE-2016-9852, CVE-2016-9853,
CVE-2016-9854, CVE-2016-9855).

In phpMyAdmin before 4.4.15.9, several XSS vulnerabilities have been reported,
including an improper fix for PMASA-2016-10 and a weakness in a regular
expression used in some JavaScript processing (CVE-2016-9856, CVE-2016-9857).

In phpMyAdmin before 4.4.15.9, with a crafted request parameter value it is
possible to initiate a denial of service attack in saved searches feature
(CVE-2016-9858).

In phpMyAdmin before 4.4.15.9, with a crafted request parameter value it is
possible to initiate a denial of service attack in import feature
(CVE-2016-9859).

In phpMyAdmin before 4.4.15.9, an unauthenticated user can execute a denial of
service attack when phpMyAdmin is running with
$cfg['AllowArbitraryServer']=true; (CVE-2016-9860).

In phpMyAdmin before 4.4.15.9, due to the limitation in URL matching, it was
possible to bypass the URL white-list protection (CVE-2016-9861).

In phpMyAdmin before 4.4.15.9, with a crafted username or a table name, it was
possible to inject SQL statements in the tracking functionality that would run
with the privileges of the control user. This gives read and write access to
the tables of the configuration storage database, and if the control user has
the necessary privileges, read access to some tables of the mysql database
(CVE-2016-9864).

In phpMyAdmin before 4.4.15.9, due to a bug in serialized string parsing, it
was possible to bypass the protection offered by PMA_safeUnserialize()
function (CVE-2016-9865).

In phpMyAdmin before 4.4.15.9, when the arg_separator is different from its
default value of &, the token was not properly stripped from the return URL of
the preference import action (CVE-2016-9866).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9847
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9848
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9849
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9850
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9851
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9852
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9853
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9854
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9855
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9856
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9857
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9858
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9859
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9860
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9861
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9864
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9865
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9866
https://www.phpmyadmin.net/security/PMASA-2016-58/
https://www.phpmyadmin.net/security/PMASA-2016-59/
https://www.phpmyadmin.net/security/PMASA-2016-60/
https://www.phpmyadmin.net/security/PMASA-2016-61/
https://www.phpmyadmin.net/security/PMASA-2016-62/
https://www.phpmyadmin.net/security/PMASA-2016-63/
https://www.phpmyadmin.net/security/PMASA-2016-64/
https://www.phpmyadmin.net/security/PMASA-2016-65/
https://www.phpmyadmin.net/security/PMASA-2016-66/
https://www.phpmyadmin.net/security/PMASA-2016-69/
https://www.phpmyadmin.net/security/PMASA-2016-70/
https://www.phpmyadmin.net/security/PMASA-2016-71/
https://www.phpmyadmin.net/files/4.4.15.9/
https://www.phpmyadmin.net/news/2016/11/25/phpmyadmin-401018-44159-and-465-are-released/
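Three of the advisory items above (the NUL-byte bypass of AllowRoot and deny rules, CVE-2016-9849; the non-constant-time username matching, CVE-2016-9850; and the weak runtime blowfish_secret, CVE-2016-9847) come down to input validation, comparison and key generation in the login path. The PHP below is an added illustration written for this page, not phpMyAdmin's code: the function names, the two-element `['allow'|'deny', user]` rule shape and the deny-before-allow order are assumptions made for the example, and it only uses standard PHP functions (`hash_equals`, PHP >= 5.6; `random_bytes`, PHP >= 7.0).

```php
<?php
// Added example (not phpMyAdmin's own code): hardened username handling for
// the allow/deny rule problems listed in the advisory above.
declare(strict_types=1);

/**
 * Reject a username that contains a NUL byte before any rule is evaluated.
 * Strings with an embedded NUL are truncated by routines that stop at the
 * first NUL, which is how a name can look different to the rule matcher and
 * to the database server; refusing them outright closes that gap.
 */
function usernameIsWellFormed(string $username): bool
{
    return strlen($username) > 0 && strpos($username, "\0") === false;
}

/**
 * Compare a candidate username with the username in a rule in constant time.
 * hash_equals() does not stop at the first differing byte the way == or
 * strcmp() do, so timing no longer reveals how much of the name matched.
 * (It still returns early on a length mismatch, so only the length leaks.)
 */
function usernameMatchesRule(string $candidate, string $ruleUser): bool
{
    if ($ruleUser === '%') {          // '%' is used here as the "any user" wildcard
        return true;
    }
    return hash_equals($ruleUser, $candidate);
}

/**
 * Evaluate an ordered list of rules of the form ['allow'|'deny', user].
 * Assumed policy for this example: a malformed name never matches, root is
 * refused when $allowRoot is false, explicit deny rules win over allow rules.
 * Returns true when the login is permitted.
 */
function loginAllowed(string $username, array $rules, bool $allowRoot): bool
{
    if (!usernameIsWellFormed($username)) {
        return false;
    }
    if (!$allowRoot && hash_equals('root', $username)) {
        return false;
    }
    foreach ($rules as list($action, $ruleUser)) {
        if ($action === 'deny' && usernameMatchesRule($username, $ruleUser)) {
            return false;
        }
    }
    foreach ($rules as list($action, $ruleUser)) {
        if ($action === 'allow' && usernameMatchesRule($username, $ruleUser)) {
            return true;
        }
    }
    return false;
}

/**
 * Produce a blowfish_secret for config.inc.php from the CSPRNG instead of a
 * predictable runtime source; 32 random bytes gives a 64-character hex string.
 */
function generateBlowfishSecret(int $bytes = 32): string
{
    return bin2hex(random_bytes($bytes));
}

// Constructed sample rules and checks for the example.
$rules = [['deny', 'guest'], ['allow', '%']];
var_dump(loginAllowed('alice', $rules, false));     // bool(true)
var_dump(loginAllowed('guest', $rules, false));     // bool(false), deny rule
var_dump(loginAllowed("root\0x", $rules, false));   // bool(false), NUL rejected
var_dump(loginAllowed('root', $rules, false));      // bool(false), AllowRoot off
echo "\$cfg['blowfish_secret'] = '" . generateBlowfishSecret() . "';\n";
```

The last line prints a configuration line that can be pasted into config.inc.php so the secret is set explicitly rather than generated at runtime; setting it yourself is the mitigation for the first advisory item regardless of which phpMyAdmin version is installed.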
Dave Hodgins 2016-12-08 22:30:11 CET

CC: (none) => davidwhodgins
Whiteboard: has_procedure MGA5-32-OK MGA5-64-OK => has_procedure MGA5-32-OK MGA5-64-OK advisory

Comment 4 Mageia Robot 2016-12-09 09:43:30 CET
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0416.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

David Walser 2016-12-09 17:37:05 CET

URL: https://lwn.net/Vulnerabilities/708148/ => https://lwn.net/Vulnerabilities/708658/

David Walser 2016-12-09 18:04:49 CET

URL: https://lwn.net/Vulnerabilities/708658/ => https://lwn.net/Vulnerabilities/708148/

