The Transformation implementation in phpMyAdmin 4.0.x before 4.0.10.16, 4.4.x before 4.4.15.7, and 4.6.x before 4.6.3 does not use the no-referrer Content Security Policy (CSP) protection mechanism, which makes it easier for remote attackers to conduct CSRF attacks by reading an authentication token in a Referer header, related to libraries/Header.php.

According to its self-reported version number, the phpMyAdmin application hosted on the remote web server is 4.6.x prior to 4.6.3. It is, therefore, affected by the following vulnerabilities:

  - A flaw exists in the setup/frames/index.inc.php script     that allows an unauthenticated, remote attacker to access     the program on a non-HTTPS connection and thereby inject     arbitrary BBCode against HTTP sessions. (CVE-2016-5701)

  - An unspecified flaw exists, whenever the environment     lacks a PHP_SELF value, that allows an unauthenticated,     remote attacker to inject arbitrary attributes into     browser cookies by using a specially crafted URI.
    (CVE-2016-5702)

  - A flaw exists in the libraries/central_columns.lib.php     script when handling database names due to improper     sanitization of user-supplied input. An unauthenticated,     remote attacker can exploit this, via a crafted database     name, to inject or manipulate SQL queries in the     back-end database, resulting in modification or     disclosure of arbitrary data. (CVE-2016-5703)

  - A cross-site scripting (XSS) vulnerability exists in the     templates/table/structure/display_table_stats.phtml     script when handling table comments due to improper     validation of input before returning it to users. An     unauthenticated, remote attacker can exploit this, via a     specially crafted request, to execute arbitrary script     code in a user's browser session. (CVE-2016-5704)

  - Multiple cross-site scripting (XSS) vulnerabilities     exist due to improper validation of user-supplied input     before returning it to users. An unauthenticated, remote     attacker can exploit these, via specially crafted     requests, to execute arbitrary script code or HTML in a     a user's browser session. (CVE-2016-5705)

  - A flaw exists in the js/get_scripts.js.php script when     handling a large array in the 'scripts' parameter during     the loading of a crafted JavaScript file. An     unauthenticated, remote attacker can exploit this to     cause a denial of service condition. (CVE-2016-5706)

  - A information disclosure vulnerability exists in the     Example OpenID Authentication and Setup scripts that     allows an remote attacker, via multiple vectors, to     disclose the application's installation path in an     error message. (CVE-2016-5730)

  - A reflected cross-site scripting (XSS) vulnerability     exists in the examples/openid.php script when handling     OpenID error messages due to improper validation of     input before returning it to users. An unauthenticated,     remote attacker can exploit this, via a specially     crafted request, to execute arbitrary script code in a     user's browser session. (CVE-2016-5731)

  - A cross-site scripting (XSS) vulnerability exists in the     templates/table/structure/display_partitions.phtml     script when handling table parameters due to improper     validation of input before returning it to users. An     unauthenticated, remote attacker can exploit this, via a     specially crafted request, to execute arbitrary script     code in a user's browser session. (CVE-2016-5732)

  - Multiple cross-site scripting (XSS) vulnerabilities     exist due to improper validation of user-supplied input     before returning it to users. An unauthenticated, remote     attacker can exploit these, via specially crafted     requests, to execute arbitrary script code or HTML in a     user's browser session. (CVE-2016-5733)

  - A flaw exists in the table search and replace feature     due to improper sanitization of parameters before     passing them to the preg_replace() function. An     unauthenticated, remote attacker can exploit this, via     a specially crafted string, to execute arbitrary PHP     code. (CVE-2016-5734)

  - An information disclosure vulnerability exists in the     libraries/Header.class.php script when handling     transformations due to a failure to use the 'no-referer'     Content Security Policy (CSP) protection mechanism. An     unauthenticated, remote attacker can exploit this, via a     specially crafted Transformation, to disclose sensitive     authentication token information, which then can be     potentially used to facilitate cross-site request     forgery (XSRF) attacks. (CVE-2016-5739)

Note that Nessus has not attempted to exploit these issues but has instead relied only on the application's self-reported version number.

According to its self-reported version number, the phpMyAdmin application hosted on the remote web server is 4.4.x prior to 4.4.15.7. It is, therefore, affected by the following vulnerabilities:

  - A flaw exists in the setup/frames/index.inc.php script     that allows an unauthenticated, remote attacker to access     the program on a non-HTTPS connection and thereby inject     arbitrary BBCode against HTTP sessions. (CVE-2016-5701)

  - A flaw exists in the libraries/central_columns.lib.php     script when handling database names due to improper     sanitization of user-supplied input. An unauthenticated,     remote attacker can exploit this, via a crafted database     name, to inject or manipulate SQL queries in the     back-end database, resulting in modification or     disclosure of arbitrary data. (CVE-2016-5703)

  - Multiple cross-site scripting (XSS) vulnerabilities     exist due to improper validation of user-supplied input     before returning it to users. An unauthenticated, remote     attacker can exploit these, via specially crafted     requests, to execute arbitrary script code or HTML in a     a user's browser session. (CVE-2016-5705)

  - A flaw exists in the js/get_scripts.js.php script when     handling a large array in the 'scripts' parameter during     the loading of a crafted JavaScript file. An     unauthenticated, remote attacker can exploit this to     cause a denial of service condition. (CVE-2016-5706)

  - A information disclosure vulnerability exists in the     Example OpenID Authentication and Setup scripts that     allows an remote attacker, via multiple vectors, to     disclose the application's installation path in an     error message. (CVE-2016-5730)

  - A reflected cross-site scripting (XSS) vulnerability     exists in the examples/openid.php script when handling     OpenID error messages due to improper validation of     input before returning it to users. An unauthenticated,     remote attacker can exploit this, via a specially     crafted request, to execute arbitrary script code in a     user's browser session. (CVE-2016-5731)

  - Multiple cross-site scripting (XSS) vulnerabilities     exist due to improper validation of user-supplied input     before returning it to users. An unauthenticated, remote     attacker can exploit these, via specially crafted     requests, to execute arbitrary script code or HTML in a     user's browser session. (CVE-2016-5733)

  - A flaw exists in the table search and replace feature     due to improper sanitization of parameters before     passing them to the preg_replace() function. An     unauthenticated, remote attacker can exploit this, via     a specially crafted string, to execute arbitrary PHP     code. (CVE-2016-5734)

  - An information disclosure vulnerability exists in the     libraries/Header.class.php script when handling     transformations due to a failure to use the 'no-referer'     Content Security Policy (CSP) protection mechanism. An     unauthenticated, remote attacker can exploit this, via a     specially crafted Transformation, to disclose sensitive     authentication token information, which then can be     potentially used to facilitate cross-site request     forgery (XSRF) attacks. (CVE-2016-5739)

Note that Nessus has not attempted to exploit these issues but has instead relied only on the application's self-reported version number.

According to its self-reported version number, the phpMyAdmin application hosted on the remote web server is 4.0.x prior to 4.0.10.16. It is, therefore, affected by the following vulnerabilities :

  - A flaw exists in the setup/frames/index.inc.php script     that allows an unauthenticated, remote attacker to access     the program on a non-HTTPS connection and thereby inject     arbitrary BBCode against HTTP sessions. (CVE-2016-5701)

  - A flaw exists in the js/get_scripts.js.php script when     handling a large array in the 'scripts' parameter during     the loading of a crafted JavaScript file. An     unauthenticated, remote attacker can exploit this to     cause a denial of service condition. (CVE-2016-5706)

  - A information disclosure vulnerability exists in the     Example OpenID Authentication and Setup scripts that     allows an remote attacker, via multiple vectors, to     disclose the application's installation path in an     error message. (CVE-2016-5730)

  - A reflected cross-site scripting (XSS) vulnerability     exists in the examples/openid.php script when handling     OpenID error messages due to improper validation of     input before returning it to users. An unauthenticated,     remote attacker can exploit this, via a specially     crafted request, to execute arbitrary script code in a     user's browser session. (CVE-2016-5731)

  - Multiple cross-site scripting (XSS) vulnerabilities     exist due to improper validation of user-supplied input     before returning it to users. An unauthenticated, remote     attacker can exploit these, via specially crafted     requests, to execute arbitrary script code or HTML in a     user's browser session. (CVE-2016-5733)

  - A flaw exists in the table search and replace feature     due to improper sanitization of parameters before     passing them to the preg_replace() function. An     unauthenticated, remote attacker can exploit this, via     a specially crafted string, to execute arbitrary PHP     code. (CVE-2016-5734)

  - An information disclosure vulnerability exists in the     libraries/Header.class.php script when handling     transformations due to a failure to use the 'no-referer'     Content Security Policy (CSP) protection mechanism. An     unauthenticated, remote attacker can exploit this, via a     specially crafted Transformation, to disclose sensitive     authentication token information, which then can be     potentially used to facilitate cross-site request     forgery (XSRF) attacks. (CVE-2016-5739)

Note that Nessus has not attempted to exploit these issues but has instead relied only on the application's self-reported version number.

The remote host is affected by the vulnerability described in GLSA-201701-32 (phpMyAdmin: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in phpMyAdmin. Please       review the CVE identifiers referenced below for details.
  Impact :

    A authenticated remote attacker could exploit these vulnerabilities to       execute arbitrary PHP Code, inject SQL code, or to conduct Cross-Site       Scripting attacks.
    In certain configurations, an unauthenticated remote attacker could       cause a Denial of Service condition.
  Workaround :

    There is no known workaround at this time.

Several vulnerabilities have been fixed in phpMyAdmin, the web-based MySQL administration interface.

  - CVE-2016-1927     The suggestPassword function relied on a non-secure     random number generator which makes it easier for remote     attackers to guess generated passwords via a brute-force     approach.

  - CVE-2016-2039     CSRF token values were generated by a non-secure random     number generator, which allows remote attackers to     bypass intended access restrictions by predicting a     value.

  - CVE-2016-2040     Multiple cross-site scripting (XSS) vulnerabilities     allow remote authenticated users to inject arbitrary web     script or HTML.

  - CVE-2016-2041     phpMyAdmin does not use a constant-time algorithm for     comparing CSRF tokens, which makes it easier for remote     attackers to bypass intended access restrictions by     measuring time differences.

  - CVE-2016-2560     Multiple cross-site scripting (XSS) vulnerabilities     allow remote attackers to inject arbitrary web script or     HTML.

  - CVE-2016-2561     Multiple cross-site scripting (XSS) vulnerabilities     allow remote attackers to inject arbitrary web script or     HTML.

  - CVE-2016-5099     Multiple cross-site scripting (XSS) vulnerabilities     allow remote attackers to inject arbitrary web script or     HTML.

  - CVE-2016-5701     For installations running on plain HTTP, phpMyAdmin     allows remote attackers to conduct BBCode injection     attacks against HTTP sessions via a crafted URI.

  - CVE-2016-5705     Multiple cross-site scripting (XSS) vulnerabilities     allow remote attackers to inject arbitrary web script or     HTML.

  - CVE-2016-5706     phpMyAdmin allows remote attackers to cause a denial of     service (resource consumption) via a large array in the     scripts parameter.

  - CVE-2016-5731     A cross-site scripting (XSS) vulnerability allows remote     attackers to inject arbitrary web script or HTML.

  - CVE-2016-5733     Multiple cross-site scripting (XSS) vulnerabilities     allow remote attackers to inject arbitrary web script or     HTML.

  - CVE-2016-5739     A specially crafted Transformation could leak     information which a remote attacker could use to perform     cross site request forgeries.

Phpmyadmin, a web administration tool for MySQL, had several Cross Site Scripting (XSS) vulnerabilities were reported.

CVE-2016-5731

With a specially crafted request, it is possible to trigger an XSS attack through the example OpenID authentication script.

CVE-2016-5733

Several XSS vulnerabilities were found with the Transformation feature. Also a vulnerability was reported allowing a specifically- configured MySQL server to execute an XSS attack. This particular attack requires configuring the MySQL server log_bin directive with the payload.

CVE-2016-5739

A vulnerability was reported where a specially crafted Transformation could be used to leak information including the authentication token.
This could be used to direct a CSRF attack against a user.

For Debian 7 'Wheezy', these problems have been fixed in version 4:3.4.11.1-2+deb7u5.

We recommend that you upgrade your phpmyadmin packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Please reference CVE/URL list for details

This phpMyAdmin update to version 4.4.15.7 fixes the following issues :

Issues fixed: Setup script doesn't use input type 'password' in all relevant locations

Security issues fixed :

  - PMASA-2016-17 (CVE-2016-5701, CWE-661)     https://www.phpmyadmin.net/security/PMASA-2016-17/

  - BBCode injection vulnerability

  - PMASA-2016-19 (CVE-2016-5703, CWE-661)     https://www.phpmyadmin.net/security/PMASA-2016-19/

  - SQL injection attack

  - PMASA-2016-21 (CVE-2016-5705, CWE-661)     https://www.phpmyadmin.net/security/PMASA-2016-21/

  - Multiple XSS vulnerabilities

  - PMASA-2016-22 (CVE-2016-5706, CWE-661)     https://www.phpmyadmin.net/security/PMASA-2016-22/

  - DOS attack

  - PMASA-2016-23 (CVE-2016-5730, CWE-661)     https://www.phpmyadmin.net/security/PMASA-2016-23/

  - Multiple full path disclosure vulnerabilities

  - PMASA-2016-24 (CVE-2016-5731, CWE-661)     https://www.phpmyadmin.net/security/PMASA-2016-24/

  - XSS through FPD

  - PMASA-2016-26 (CVE-2016-5733, CWE-661)     https://www.phpmyadmin.net/security/PMASA-2016-26/

  - Multiple XSS vulnerabilities

  - PMASA-2016-28 (CVE-2016-5739, CWE-661)     https://www.phpmyadmin.net/security/PMASA-2016-28/

  - Referrer leak in transformations

phpMyAdmin was updated to version 4.4.15.7 to fix eight security issues.

These security issues were fixed :

  - CVE-2016-5701: BBCode injection vulnerability     (boo#986154)

  - CVE-2016-5703: SQL injection attack (boo#986154)

  - CVE-2016-5705: Multiple XSS vulnerabilities (boo#986154)

  - CVE-2016-5706: DOS attack (boo#986154)

  - CVE-2016-5730: Multiple full path disclosure     vulnerabilities (boo#986154)

  - CVE-2016-5731: XSS through FPD (boo#986154)

  - CVE-2016-5733: Multiple XSS vulnerabilities (boo#986154)

  - CVE-2016-5739: Referrer leak in transformations     (boo#986154)

This non-security issues was fixed :

  - Fix issue Setup script doesn't use input type 'password'     in all relevant locations

ID	Name	Product	Family	Severity
99663	phpMyAdmin 4.6.x < 4.6.3 Multiple Vulnerabilities (PMASA-2016-17 - PMASA-2016-28)	Nessus	CGI abuses	critical
99662	phpMyAdmin 4.4.x < 4.4.15.7 Multiple Vulnerabilities (PMASA-2016-17, PMASA-2016-19, PMASA-2016-21 - PMASA-2016-24, PMASA-2016-26 - PMASA-2016-28)	Nessus	CGI abuses	critical
99661	phpMyAdmin 4.0.x < 4.0.10.16 Multiple Vulnerabilities (PMASA-2016-17, PMASA-2016-22 - PMASA-2016-24, PMASA-2016-26 - PMASA-2016-28)	Nessus	CGI abuses	critical
96426	GLSA-201701-32 : phpMyAdmin: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	critical
92527	Debian DSA-3627-1 : phpmyadmin - security update	Nessus	Debian Local Security Checks	high
92326	Debian DLA-551-1 : phpmyadmin security update	Nessus	Debian Local Security Checks	high
91939	FreeBSD : phpMyAdmin -- multiple vulnerabilities (e7028e1d-3f9b-11e6-81f9-6805ca0b3d42)	Nessus	FreeBSD Local Security Checks	critical
91889	openSUSE Security Update : phpMyAdmin (openSUSE-2016-806)	Nessus	SuSE Local Security Checks	critical
91888	openSUSE Security Update : phpMyAdmin (openSUSE-2016-804)	Nessus	SuSE Local Security Checks	critical

Detections

Analytics

CVE-2016-5739

high

Tenable Plugins

critical

critical

critical

critical

high

high

critical

critical

critical