phpMyAdmin 4.0.x before 4.0.10.16, 4.4.x before 4.4.15.7, and 4.6.x before 4.6.3 does not properly choose delimiters to prevent use of the preg_replace e (aka eval) modifier, which might allow remote attackers to execute arbitrary PHP code via a crafted string, as demonstrated by the table search-and-replace implementation.

According to its self-reported version number, the phpMyAdmin application hosted on the remote web server is 4.6.x prior to 4.6.3. It is, therefore, affected by the following vulnerabilities:

  - A flaw exists in the setup/frames/index.inc.php script     that allows an unauthenticated, remote attacker to access     the program on a non-HTTPS connection and thereby inject     arbitrary BBCode against HTTP sessions. (CVE-2016-5701)

  - An unspecified flaw exists, whenever the environment     lacks a PHP_SELF value, that allows an unauthenticated,     remote attacker to inject arbitrary attributes into     browser cookies by using a specially crafted URI.
    (CVE-2016-5702)

  - A flaw exists in the libraries/central_columns.lib.php     script when handling database names due to improper     sanitization of user-supplied input. An unauthenticated,     remote attacker can exploit this, via a crafted database     name, to inject or manipulate SQL queries in the     back-end database, resulting in modification or     disclosure of arbitrary data. (CVE-2016-5703)

  - A cross-site scripting (XSS) vulnerability exists in the     templates/table/structure/display_table_stats.phtml     script when handling table comments due to improper     validation of input before returning it to users. An     unauthenticated, remote attacker can exploit this, via a     specially crafted request, to execute arbitrary script     code in a user's browser session. (CVE-2016-5704)

  - Multiple cross-site scripting (XSS) vulnerabilities     exist due to improper validation of user-supplied input     before returning it to users. An unauthenticated, remote     attacker can exploit these, via specially crafted     requests, to execute arbitrary script code or HTML in a     a user's browser session. (CVE-2016-5705)

  - A flaw exists in the js/get_scripts.js.php script when     handling a large array in the 'scripts' parameter during     the loading of a crafted JavaScript file. An     unauthenticated, remote attacker can exploit this to     cause a denial of service condition. (CVE-2016-5706)

  - A information disclosure vulnerability exists in the     Example OpenID Authentication and Setup scripts that     allows an remote attacker, via multiple vectors, to     disclose the application's installation path in an     error message. (CVE-2016-5730)

  - A reflected cross-site scripting (XSS) vulnerability     exists in the examples/openid.php script when handling     OpenID error messages due to improper validation of     input before returning it to users. An unauthenticated,     remote attacker can exploit this, via a specially     crafted request, to execute arbitrary script code in a     user's browser session. (CVE-2016-5731)

  - A cross-site scripting (XSS) vulnerability exists in the     templates/table/structure/display_partitions.phtml     script when handling table parameters due to improper     validation of input before returning it to users. An     unauthenticated, remote attacker can exploit this, via a     specially crafted request, to execute arbitrary script     code in a user's browser session. (CVE-2016-5732)

  - Multiple cross-site scripting (XSS) vulnerabilities     exist due to improper validation of user-supplied input     before returning it to users. An unauthenticated, remote     attacker can exploit these, via specially crafted     requests, to execute arbitrary script code or HTML in a     user's browser session. (CVE-2016-5733)

  - A flaw exists in the table search and replace feature     due to improper sanitization of parameters before     passing them to the preg_replace() function. An     unauthenticated, remote attacker can exploit this, via     a specially crafted string, to execute arbitrary PHP     code. (CVE-2016-5734)

  - An information disclosure vulnerability exists in the     libraries/Header.class.php script when handling     transformations due to a failure to use the 'no-referer'     Content Security Policy (CSP) protection mechanism. An     unauthenticated, remote attacker can exploit this, via a     specially crafted Transformation, to disclose sensitive     authentication token information, which then can be     potentially used to facilitate cross-site request     forgery (XSRF) attacks. (CVE-2016-5739)

Note that Nessus has not attempted to exploit these issues but has instead relied only on the application's self-reported version number.

According to its self-reported version number, the phpMyAdmin application hosted on the remote web server is 4.4.x prior to 4.4.15.7. It is, therefore, affected by the following vulnerabilities:

  - A flaw exists in the setup/frames/index.inc.php script     that allows an unauthenticated, remote attacker to access     the program on a non-HTTPS connection and thereby inject     arbitrary BBCode against HTTP sessions. (CVE-2016-5701)

  - A flaw exists in the libraries/central_columns.lib.php     script when handling database names due to improper     sanitization of user-supplied input. An unauthenticated,     remote attacker can exploit this, via a crafted database     name, to inject or manipulate SQL queries in the     back-end database, resulting in modification or     disclosure of arbitrary data. (CVE-2016-5703)

  - Multiple cross-site scripting (XSS) vulnerabilities     exist due to improper validation of user-supplied input     before returning it to users. An unauthenticated, remote     attacker can exploit these, via specially crafted     requests, to execute arbitrary script code or HTML in a     a user's browser session. (CVE-2016-5705)

  - A flaw exists in the js/get_scripts.js.php script when     handling a large array in the 'scripts' parameter during     the loading of a crafted JavaScript file. An     unauthenticated, remote attacker can exploit this to     cause a denial of service condition. (CVE-2016-5706)

  - A information disclosure vulnerability exists in the     Example OpenID Authentication and Setup scripts that     allows an remote attacker, via multiple vectors, to     disclose the application's installation path in an     error message. (CVE-2016-5730)

  - A reflected cross-site scripting (XSS) vulnerability     exists in the examples/openid.php script when handling     OpenID error messages due to improper validation of     input before returning it to users. An unauthenticated,     remote attacker can exploit this, via a specially     crafted request, to execute arbitrary script code in a     user's browser session. (CVE-2016-5731)

  - Multiple cross-site scripting (XSS) vulnerabilities     exist due to improper validation of user-supplied input     before returning it to users. An unauthenticated, remote     attacker can exploit these, via specially crafted     requests, to execute arbitrary script code or HTML in a     user's browser session. (CVE-2016-5733)

  - A flaw exists in the table search and replace feature     due to improper sanitization of parameters before     passing them to the preg_replace() function. An     unauthenticated, remote attacker can exploit this, via     a specially crafted string, to execute arbitrary PHP     code. (CVE-2016-5734)

  - An information disclosure vulnerability exists in the     libraries/Header.class.php script when handling     transformations due to a failure to use the 'no-referer'     Content Security Policy (CSP) protection mechanism. An     unauthenticated, remote attacker can exploit this, via a     specially crafted Transformation, to disclose sensitive     authentication token information, which then can be     potentially used to facilitate cross-site request     forgery (XSRF) attacks. (CVE-2016-5739)

Note that Nessus has not attempted to exploit these issues but has instead relied only on the application's self-reported version number.

According to its self-reported version number, the phpMyAdmin application hosted on the remote web server is 4.0.x prior to 4.0.10.16. It is, therefore, affected by the following vulnerabilities :

  - A flaw exists in the setup/frames/index.inc.php script     that allows an unauthenticated, remote attacker to access     the program on a non-HTTPS connection and thereby inject     arbitrary BBCode against HTTP sessions. (CVE-2016-5701)

  - A flaw exists in the js/get_scripts.js.php script when     handling a large array in the 'scripts' parameter during     the loading of a crafted JavaScript file. An     unauthenticated, remote attacker can exploit this to     cause a denial of service condition. (CVE-2016-5706)

  - A information disclosure vulnerability exists in the     Example OpenID Authentication and Setup scripts that     allows an remote attacker, via multiple vectors, to     disclose the application's installation path in an     error message. (CVE-2016-5730)

  - A reflected cross-site scripting (XSS) vulnerability     exists in the examples/openid.php script when handling     OpenID error messages due to improper validation of     input before returning it to users. An unauthenticated,     remote attacker can exploit this, via a specially     crafted request, to execute arbitrary script code in a     user's browser session. (CVE-2016-5731)

  - Multiple cross-site scripting (XSS) vulnerabilities     exist due to improper validation of user-supplied input     before returning it to users. An unauthenticated, remote     attacker can exploit these, via specially crafted     requests, to execute arbitrary script code or HTML in a     user's browser session. (CVE-2016-5733)

  - A flaw exists in the table search and replace feature     due to improper sanitization of parameters before     passing them to the preg_replace() function. An     unauthenticated, remote attacker can exploit this, via     a specially crafted string, to execute arbitrary PHP     code. (CVE-2016-5734)

  - An information disclosure vulnerability exists in the     libraries/Header.class.php script when handling     transformations due to a failure to use the 'no-referer'     Content Security Policy (CSP) protection mechanism. An     unauthenticated, remote attacker can exploit this, via a     specially crafted Transformation, to disclose sensitive     authentication token information, which then can be     potentially used to facilitate cross-site request     forgery (XSRF) attacks. (CVE-2016-5739)

Note that Nessus has not attempted to exploit these issues but has instead relied only on the application's self-reported version number.

The remote host is affected by the vulnerability described in GLSA-201701-32 (phpMyAdmin: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in phpMyAdmin. Please       review the CVE identifiers referenced below for details.
  Impact :

    A authenticated remote attacker could exploit these vulnerabilities to       execute arbitrary PHP Code, inject SQL code, or to conduct Cross-Site       Scripting attacks.
    In certain configurations, an unauthenticated remote attacker could       cause a Denial of Service condition.
  Workaround :

    There is no known workaround at this time.

Versions of phpMyAdmin 4.0.10.x prior to 4.0.10.16, 4.4.15.x prior to 4.4.15.7, and 4.6.x prior to 4.6.3 are unpatched, and therefore affected by the following vulnerabilities :

 - A flaw exists in the 'libraries/Header.class.php' script that is triggered during the handling of transformations.  This may allow a context-dependent attacker to gain access to authentication token information, which can facilitate CSRF attacks.
 - A flaw within the table search and replace feature is triggered by the unsafe passing of parameters to the 'preg_replace()' function.  This may allow an authenticated remote attacker to potentially execute arbitrary code.
 - A flaw exists that allows a reflected cross-site scripting (XSS) attack.  This flaw exists because the 'examples/openid.php' script does not validate input when handling error messages before returning it to users.  This may allow a context-dependent attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server.
 - A flaw in Example OpenID Authentication and Setup scripts may allow a remote attacker to disclose the software's installation path.  While such information is relatively low risk, it is often useful in carrying out additional, more focused attacks.
 - A flaw in the 'js/get_scripts.js.php' script is triggered during the handling of the 'scripts' parameter when loading a crafted JavaScript file.  This may allow a remote attacker to cause a denial of service.
 - A flaw within the 'setup/frames/index.inc.php' script may allow an authenticated remote attacker to access the program on a non-HTTPS connection and inject arbitrary 'BBCode'.
 - A flaw exists that allows a cross-site scripting (XSS) attack.  This flaw exists because the 'libraries/build_html_for_db.lib.php' script does not validate input to translated strings before returning it to users.  This may allow a remote attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server.
 - A flaw exists that allows an XSS attack.  This flaw exists because the program does not validate input to binary log names before returning it to users.  This may allow an authenticated remote attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server.
 - A flaw exists that allows an XSS attack.  This flaw exists because multiple transformation plugins do not validate input before returning it to users.  This may allow a remote attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server.
 - A flaw exists that allows a reflected XSS attack.  This flaw exists because the 'js/ajax.js' script does not validate input when rendering AJAX errors before returning it to users.  This may allow a context-dependent attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server.
 - A flaw exists that allows an XSS attack.  This flaw exists because the 'js/get_image.js.php' script does not validate input to image display attributes before returning it to users.  This may allow a remote attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server.
 - A flaw exists that allows an XSS attack.  This flaw exists because the 'TextLinkTransformationsPlugin.class.php' script improperly allows JavaScript links that are not sanitized before being returned to users.  This may allow a remote attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server.
 - A flaw exists 
 - A flaw exists that allows an XSS attack.  This flaw exists because the 'js/tbl_chart.js' script does not validate input to chart columns before returning it to users.  This may allow a remote attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server.
 - A flaw exists that allows an XSS attack.  This flaw exists because the 'libraries/TableSearch.class.php' script does not validate input to the 'criteriaColumnTypes' POST parameter before returning it to users.  This may allow a remote attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server.  Note that in the 4.6.x branch, the vulnerable script name is templates/table/search/rows_zoom.phtml.

Please reference CVE/URL list for details

ID	Name	Product	Family	Severity
99663	phpMyAdmin 4.6.x < 4.6.3 Multiple Vulnerabilities (PMASA-2016-17 - PMASA-2016-28)	Nessus	CGI abuses	critical
99662	phpMyAdmin 4.4.x < 4.4.15.7 Multiple Vulnerabilities (PMASA-2016-17, PMASA-2016-19, PMASA-2016-21 - PMASA-2016-24, PMASA-2016-26 - PMASA-2016-28)	Nessus	CGI abuses	critical
99661	phpMyAdmin 4.0.x < 4.0.10.16 Multiple Vulnerabilities (PMASA-2016-17, PMASA-2016-22 - PMASA-2016-24, PMASA-2016-26 - PMASA-2016-28)	Nessus	CGI abuses	critical
96426	GLSA-201701-32 : phpMyAdmin: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	critical
9400	phpMyAdmin 4.0.10.x < 4.0.10.16 / 4.4.15.x < 4.4.15.7 / 4.6.x < 4.6.3 Multiple Vulnerabilities	Nessus Network Monitor	CGI	high
91939	FreeBSD : phpMyAdmin -- multiple vulnerabilities (e7028e1d-3f9b-11e6-81f9-6805ca0b3d42)	Nessus	FreeBSD Local Security Checks	critical

Detections

Analytics

CVE-2016-5734

critical

Tenable Plugins

critical

critical

critical

critical

high

critical