An issue was discovered in phpMyAdmin before 4.8.5. When the AllowArbitraryServer configuration setting is set to true, with the use of a rogue MySQL server, an attacker can read any file on the server that the web server's user can access. This is related to the mysql.allow_local_infile PHP configuration, and the inadvertent ignoring of "options(MYSQLI_OPT_LOCAL_INFILE" calls.

The version of phpMyAdmin installed on the remote host does not correctly block access to LOAD DATA INFILE function leading to an attacker being able to read any file on the filesystem accessible with the web server permissions. Note that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Ubuntu 18.04 LTS host has a package installed that is affected by multiple vulnerabilities as referenced in the USN-4639-1 advisory.

  - Cross-site scripting (XSS) vulnerability in db_central_columns.php in phpMyAdmin before 4.7.8 allows     remote authenticated users to inject arbitrary web script or HTML via a crafted URL. (CVE-2018-7260)

  - An attacker can exploit phpMyAdmin before 4.8.4 to leak the contents of a local file because of an error     in the transformation feature. The attacker must have access to the phpMyAdmin Configuration Storage     tables, although these can easily be created in any database to which the attacker has access. An attacker     must have valid credentials to log in to phpMyAdmin; this vulnerability does not allow an attacker to     circumvent the login system. (CVE-2018-19968)

  - In phpMyAdmin before 4.8.4, an XSS vulnerability was found in the navigation tree, where an attacker can     deliver a payload to a user through a crafted database/table name. (CVE-2018-19970)

  - An issue was discovered in phpMyAdmin before 4.8.5. A vulnerability was reported where a specially crafted     username can be used to trigger a SQL injection attack through the designer feature. (CVE-2019-6798)

  - An issue was discovered in phpMyAdmin before 4.8.5. When the AllowArbitraryServer configuration setting is     set to true, with the use of a rogue MySQL server, an attacker can read any file on the server that the     web server's user can access. This is related to the mysql.allow_local_infile PHP configuration, and the     inadvertent ignoring of options(MYSQLI_OPT_LOCAL_INFILE calls. (CVE-2019-6799)

  - An issue was discovered in phpMyAdmin before 4.9.0.1. A vulnerability was reported where a specially     crafted database name can be used to trigger an SQL injection attack through the designer feature.
    (CVE-2019-11768)

  - An issue was discovered in phpMyAdmin before 4.9.0. A vulnerability was found that allows an attacker to     trigger a CSRF attack against a phpMyAdmin user. The attacker can trick the user, for instance through a     broken  tag pointing at the victim's phpMyAdmin database, and the attacker can potentially deliver a     payload (such as a specific INSERT or DELETE statement) to the victim. (CVE-2019-12616)

  - In phpMyAdmin 4 before 4.9.4 and 5 before 5.0.1, SQL injection exists in the user accounts page. A     malicious user could inject custom SQL in place of their own username when creating queries to this page.
    An attacker must have a valid MySQL account to access the server. (CVE-2020-5504)

  - In phpMyAdmin 4.x before 4.9.5 and 5.x before 5.0.2, a SQL injection vulnerability has been discovered     where certain parameters are not properly escaped when generating certain queries for search actions in     libraries/classes/Controllers/Table/TableSearchController.php. An attacker can generate a crafted database     or table name. The attack can be performed if a user attempts certain search operations on the malicious     database or table. (CVE-2020-10802)

  - In phpMyAdmin 4.x before 4.9.5 and 5.x before 5.0.2, a SQL injection vulnerability was discovered where     malicious code could be used to trigger an XSS attack through retrieving and displaying results (in     tbl_get_field.php and libraries/classes/Display/Results.php). The attacker must be able to insert crafted     data into certain database tables, which when retrieved (for instance, through the Browse tab) can trigger     the XSS attack. (CVE-2020-10803)

  - In phpMyAdmin 4.x before 4.9.5 and 5.x before 5.0.2, a SQL injection vulnerability was found in retrieval     of the current username (in libraries/classes/Server/Privileges.php and     libraries/classes/UserPassword.php). A malicious user with access to the server could create a crafted     username, and then trick the victim into performing specific actions with that user account (such as     editing its privileges). (CVE-2020-10804)

  - phpMyAdmin before 4.9.6 and 5.x before 5.0.3 allows XSS through the transformation feature via a crafted     link. (CVE-2020-26934)

  - An issue was discovered in SearchController in phpMyAdmin before 4.9.6 and 5.x before 5.0.3. A SQL     injection vulnerability was discovered in how phpMyAdmin processes SQL statements in the search feature.
    An attacker could use this flaw to inject malicious SQL in to a query. (CVE-2020-26935)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

According to its self-reported version, the phpMyAdmin application hosted on the remote web server is 4.0.x prior to 4.8.5. It is, therefore, affected by multiple vulnerabilities.

  - When AllowArbitraryServer configuration set to true,     with the use of a rogue MySQL server, an attacker can     read any file on the server that the web server's user     can access.phpMyadmin attempts to block the use of LOAD     DATA INFILE, but due to a bug in PHP, this check is not     honored. Additionally, when using the 'mysql' extension,     mysql.allow_local_infile is enabled by default. Both of     these conditions allow the attack to occur.
    (CVE-2019-6799)

  - A vulnerability was reported where a specially crafted     username can be used to trigger an SQL injection attack     through the designer feature. (CVE-2019-6798)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

According to its self-reported version number, the phpMyAdmin application hosted on the remote web server is 4.x prior to 4.8.5. It is, therefore, affected by at least one of the following vulnerabilities:

  - A SQL injection (SQLi) vulnerability exists in phpMyAdmin due to improper validation of user-supplied input.
  An unauthenticated, remote attacker can exploit this to inject or manipulate SQL queries in the back-end database,   resulting in the disclosure or manipulation of arbitrary data (CVE-2019-6798).

  - An arbitrary file read vulnerability exists in phpMyAdmin when the AllowArbitraryServer configuration setting is   set to true. An unauthenticated, remote attacker can exploit this, via a rogue MySQL server, to read arbitrary files   and disclose sensitive information (CVE-2019-6799).

Note that Nessus has not attempted to exploit these issues but has instead relied only on the application's self-reported version number.

An information leak issue was discovered in phpMyAdmin. An attacker can read any file on the server that the web server's user can access.
This is related to the mysql.allow_local_infile PHP configuration.
When the AllowArbitraryServer configuration setting is set to false (default), the attacker needs a local MySQL account. When set to true, the attacker can exploit this with the use of a rogue MySQL server.

For Debian 8 'Jessie', this problem has been fixed in version 4:4.2.12-2+deb8u5.

We recommend that you upgrade your phpmyadmin packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for phpMyAdmin to version 4.8.5 fixes the following issues :

Security issues fixed :

  - CVE-2019-6799: Fixed an arbitrary file read     vulnerability (boo#1123272)

  - CVE-2019-6798: Fixed a SQL injection in the designer     interface (boo#1123271)

Other changes :

  - Fix rxport to SQL format not available

  - Fix QR code not shown when adding two-factor     authentication to a user account

  - Fix issue with adding a new user in MySQL 8.0.11 and     newer

  - Fix frozen interface relating to Text_Plain_Sql plugin

  - Fix missing table level operations tab

ID	Name	Product	Family	Severity
113294	phpMyAdmin 4.x < 4.8.5 Arbitary File Read	Web App Scanning	Component Vulnerability	medium
143119	Ubuntu 18.04 LTS : phpMyAdmin vulnerabilities (USN-4639-1)	Nessus	Ubuntu Local Security Checks	critical
126705	phpMyAdmin 4.0 < 4.8.5 Multiple Vulnerabilities (PMASA-2019-1), (PMASA-2019-2)	Nessus	CGI abuses	critical
123416	phpMyAdmin 4.x < 4.8.5 Multiple Vulnerabilities (PMASA-2019-1) (PMASA-2019-2)	Nessus	CGI abuses	critical
122490	Debian DLA-1692-1 : phpmyadmin security update	Nessus	Debian Local Security Checks	medium
122294	openSUSE Security Update : phpMyAdmin (openSUSE-2019-194)	Nessus	SuSE Local Security Checks	critical

Detections

Analytics

CVE-2019-6799

medium

Tenable Plugins

medium

critical

critical

critical

medium

critical