Cross-site scripting (XSS) vulnerability in phpMyAdmin 4.4.x before 4.4.15.6 and 4.6.x before 4.6.2 allows remote attackers to inject arbitrary web script or HTML via special characters that are mishandled during double URL decoding.

The remote host is affected by the vulnerability described in GLSA-201701-32 (phpMyAdmin: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in phpMyAdmin. Please       review the CVE identifiers referenced below for details.
  Impact :

    A authenticated remote attacker could exploit these vulnerabilities to       execute arbitrary PHP Code, inject SQL code, or to conduct Cross-Site       Scripting attacks.
    In certain configurations, an unauthenticated remote attacker could       cause a Denial of Service condition.
  Workaround :

    There is no known workaround at this time.

Several vulnerabilities have been fixed in phpMyAdmin, the web-based MySQL administration interface.

  - CVE-2016-1927     The suggestPassword function relied on a non-secure     random number generator which makes it easier for remote     attackers to guess generated passwords via a brute-force     approach.

  - CVE-2016-2039     CSRF token values were generated by a non-secure random     number generator, which allows remote attackers to     bypass intended access restrictions by predicting a     value.

  - CVE-2016-2040     Multiple cross-site scripting (XSS) vulnerabilities     allow remote authenticated users to inject arbitrary web     script or HTML.

  - CVE-2016-2041     phpMyAdmin does not use a constant-time algorithm for     comparing CSRF tokens, which makes it easier for remote     attackers to bypass intended access restrictions by     measuring time differences.

  - CVE-2016-2560     Multiple cross-site scripting (XSS) vulnerabilities     allow remote attackers to inject arbitrary web script or     HTML.

  - CVE-2016-2561     Multiple cross-site scripting (XSS) vulnerabilities     allow remote attackers to inject arbitrary web script or     HTML.

  - CVE-2016-5099     Multiple cross-site scripting (XSS) vulnerabilities     allow remote attackers to inject arbitrary web script or     HTML.

  - CVE-2016-5701     For installations running on plain HTTP, phpMyAdmin     allows remote attackers to conduct BBCode injection     attacks against HTTP sessions via a crafted URI.

  - CVE-2016-5705     Multiple cross-site scripting (XSS) vulnerabilities     allow remote attackers to inject arbitrary web script or     HTML.

  - CVE-2016-5706     phpMyAdmin allows remote attackers to cause a denial of     service (resource consumption) via a large array in the     scripts parameter.

  - CVE-2016-5731     A cross-site scripting (XSS) vulnerability allows remote     attackers to inject arbitrary web script or HTML.

  - CVE-2016-5733     Multiple cross-site scripting (XSS) vulnerabilities     allow remote attackers to inject arbitrary web script or     HTML.

  - CVE-2016-5739     A specially crafted Transformation could leak     information which a remote attacker could use to perform     cross site request forgeries.

This phpMyAdmin update to version 4.4.15.6 fixes the following issues :

Security issues fixed :

  - PMASA-2016-16 (CVE-2016-5099, CWE-661): Self XSS, see     https://www.phpmyadmin.net/security/PMASA-2016-16/

  - PMASA-2016-15 (CVE-2016-5098, CWE-661): File Traversal     Protection Bypass on Error Reporting, see     https://www.phpmyadmin.net/security/PMASA-2016-15/

  - PMASA-2016-14 (CVE-2016-5097, CWE-661): Sensitive Data     in URL GET Query Parameters, see     https://www.phpmyadmin.net/security/PMASA-2016-14/

phpMyAdmin was updated to fix one security issue.

The following vulnerability was fixed :

  - CVE-2016-5099: Self XSS vulneratbility - A specially     crafted attack could allow for special HTML characters     to be passed as URL encoded values and displayed back as     special characters in the page (boo#982128,     PMASA-2016-16)

The phpmyadmin development team reports : Description Because user SQL queries are part of the URL, sensitive information made as part of a user query can be exposed by clicking on external links to attackers monitoring user GET query parameters or included in the webserver logs. Severity We consider this to be non-critical. Description A specially crafted attack could allow for special HTML characters to be passed as URL encoded values and displayed back as special characters in the page. Severity We consider this to be non-critical.

ID	Name	Product	Family	Severity
96426	GLSA-201701-32 : phpMyAdmin: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	critical
92527	Debian DSA-3627-1 : phpmyadmin - security update	Nessus	Debian Local Security Checks	high
91587	openSUSE Security Update : phpMyAdmin (openSUSE-2016-712)	Nessus	SuSE Local Security Checks	medium
91405	openSUSE Security Update : phpMyAdmin (openSUSE-2016-655)	Nessus	SuSE Local Security Checks	medium
91332	FreeBSD : phpmyadmin -- XSS and sensitive data leakage (00ec1be1-22bb-11e6-9ead-6805ca0b3d42)	Nessus	FreeBSD Local Security Checks	medium

Detections

Analytics

CVE-2016-5099

medium

Tenable Plugins

critical

high

medium

medium

medium