openSUSE-SU-2020:1675

openSUSE-SU-2020:1806

[debian-lts-announce] 20201025 [SECURITY] [DLA 2413-1] phpmyadmin security update

FEDORA-2020-43d8624421

FEDORA-2020-eadda524a8

FEDORA-2020-4e78c86902

https://www.phpmyadmin.net/security/PMASA-2020-6/

According to its self-reported version, the phpMyAdmin application hosted on the remote web server is 4.9.x prior to 4.9.6 or 5.0.x prior to 5.0.3. It is, therefore, affected by multiple vulnerabilities.

  - phpMyAdmin before 4.9.6 and 5.x before 5.0.3 allows XSS through the transformation feature via a crafted     link. (CVE-2020-26934)

  - An issue was discovered in SearchController in phpMyAdmin before 4.9.6 and 5.x before 5.0.3. A SQL     injection vulnerability was discovered in how phpMyAdmin processes SQL statements in the search feature.
    An attacker could use this flaw to inject malicious SQL in to a query. (CVE-2020-26935)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Ubuntu 18.04 LTS host has a package installed that is affected by multiple vulnerabilities as referenced in the USN-4639-1 advisory.

  - Cross-site scripting (XSS) vulnerability in db_central_columns.php in phpMyAdmin before 4.7.8 allows     remote authenticated users to inject arbitrary web script or HTML via a crafted URL. (CVE-2018-7260)

  - An attacker can exploit phpMyAdmin before 4.8.4 to leak the contents of a local file because of an error     in the transformation feature. The attacker must have access to the phpMyAdmin Configuration Storage     tables, although these can easily be created in any database to which the attacker has access. An attacker     must have valid credentials to log in to phpMyAdmin; this vulnerability does not allow an attacker to     circumvent the login system. (CVE-2018-19968)

  - In phpMyAdmin before 4.8.4, an XSS vulnerability was found in the navigation tree, where an attacker can     deliver a payload to a user through a crafted database/table name. (CVE-2018-19970)

  - An issue was discovered in phpMyAdmin before 4.8.5. A vulnerability was reported where a specially crafted     username can be used to trigger a SQL injection attack through the designer feature. (CVE-2019-6798)

  - An issue was discovered in phpMyAdmin before 4.8.5. When the AllowArbitraryServer configuration setting is     set to true, with the use of a rogue MySQL server, an attacker can read any file on the server that the     web server's user can access. This is related to the mysql.allow_local_infile PHP configuration, and the     inadvertent ignoring of options(MYSQLI_OPT_LOCAL_INFILE calls. (CVE-2019-6799)

  - An issue was discovered in phpMyAdmin before 4.9.0.1. A vulnerability was reported where a specially     crafted database name can be used to trigger an SQL injection attack through the designer feature.
    (CVE-2019-11768)

  - An issue was discovered in phpMyAdmin before 4.9.0. A vulnerability was found that allows an attacker to     trigger a CSRF attack against a phpMyAdmin user. The attacker can trick the user, for instance through a     broken  tag pointing at the victim's phpMyAdmin database, and the attacker can potentially deliver a     payload (such as a specific INSERT or DELETE statement) to the victim. (CVE-2019-12616)

  - In phpMyAdmin 4 before 4.9.4 and 5 before 5.0.1, SQL injection exists in the user accounts page. A     malicious user could inject custom SQL in place of their own username when creating queries to this page.
    An attacker must have a valid MySQL account to access the server. (CVE-2020-5504)

  - In phpMyAdmin 4.x before 4.9.5 and 5.x before 5.0.2, a SQL injection vulnerability has been discovered     where certain parameters are not properly escaped when generating certain queries for search actions in     libraries/classes/Controllers/Table/TableSearchController.php. An attacker can generate a crafted database     or table name. The attack can be performed if a user attempts certain search operations on the malicious     database or table. (CVE-2020-10802)

  - In phpMyAdmin 4.x before 4.9.5 and 5.x before 5.0.2, a SQL injection vulnerability was discovered where     malicious code could be used to trigger an XSS attack through retrieving and displaying results (in     tbl_get_field.php and libraries/classes/Display/Results.php). The attacker must be able to insert crafted     data into certain database tables, which when retrieved (for instance, through the Browse tab) can trigger     the XSS attack. (CVE-2020-10803)

  - In phpMyAdmin 4.x before 4.9.5 and 5.x before 5.0.2, a SQL injection vulnerability was found in retrieval     of the current username (in libraries/classes/Server/Privileges.php and     libraries/classes/UserPassword.php). A malicious user with access to the server could create a crafted     username, and then trick the victim into performing specific actions with that user account (such as     editing its privileges). (CVE-2020-10804)

  - phpMyAdmin before 4.9.6 and 5.x before 5.0.3 allows XSS through the transformation feature via a crafted     link. (CVE-2020-26934)

  - An issue was discovered in SearchController in phpMyAdmin before 4.9.6 and 5.x before 5.0.3. A SQL     injection vulnerability was discovered in how phpMyAdmin processes SQL statements in the search feature.
    An attacker could use this flaw to inject malicious SQL in to a query. (CVE-2020-26935)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

This update for phpMyAdmin fixes the following issues :

phpMyAdmin was updated to 4.9.7 (boo#1177842) :

  - Fix two factor authentication that was broken in 4.9.6

  - Fix incompatibilities with older PHP versions

Update to 4.9.6 :

  - Fixed XSS relating to the transformation feature     (boo#1177561 CVE-2020-26934, PMASA-2020-5)

  - Fixed SQL injection vulnerability in SearchController     (boo#1177562 CVE-2020-26935, PMASA-2020-6) 

Update to 4.9.5 :

This is a security release containing several bug fixes.

  - CVE-2020-10804: SQL injection vulnerability in the user     accounts page, particularly when changing a password     (boo#1167335, PMASA-2020-2)

  - CVE-2020-10802: SQL injection vulnerability relating to     the search feature (boo#1167336, PMASA-2020-3)

  - CVE-2020-10803: SQL injection and XSS having to do with     displaying results (boo#1167337, PMASA-2020-4)

  - Removing of the 'options' field for the external     transformation.

Several vulnerabilities were found in package phpmyadmin.

CVE-2019-19617

phpMyAdmin does not escape certain Git information, related to libraries/classes/Display/GitRevision.php and libraries/classes /Footer.php.

CVE-2020-26934

A vulnerability was discovered where an attacker can cause an XSS attack through the transformation feature.

If an attacker sends a crafted link to the victim with the malicious JavaScript, when the victim clicks on the link, the JavaScript will run and complete the instructions made by the attacker.

CVE-2020-26935

A SQL injection vulnerability was discovered in how phpMyAdmin processes SQL statements in the search feature. An attacker could use this flaw to inject malicious SQL in to a query.

For Debian 9 stretch, these problems have been fixed in version 4.6.6-4+deb9u2.

We recommend that you upgrade your phpmyadmin packages.

For the detailed security status of phpmyadmin please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/phpmyadmin

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

**Version 5.0.3** (2020-10-09)

  - issue #15983 Require twig ^2.9

  - issue Fix option to import files locally appearing as     not available

  - issue #16048 Fix to allow NULL as a default bit value

  - issue #16062 Fix 'htmlspecialchars() expects parameter 1     to be string, null given' on Export xml

  - issue #16078 Fix no charts in monitor when using a     decimal separator ','

  - issue #16041 Fix IN(...) clause doesn't permit multiple     values on 'Search' page

  - issue #14411 Support double tap to edit on mobile

  - issue #16043 Fix php error 'Use of undefined constant     MYSQLI_TYPE_JSON' when using the mysqlnd extension

  - issue #14611 Fix fatal JS error on index creation after     using Enter key to submit the form

  - issue #16012 Set 'axis-order' to swap lon and lat on     MySQL >= 8.1

  - issue #16104 Fixed overwriting a bookmarked query causes     a PHP fatal error

  - issue Fix typo in a condition in the Sql class

  - issue #15996 Fix local setup doc links pointing to a     wrong location

  - issue #16093 Fix error importing utf-8 with bom sql file

  - issue #16089 2FA UX enhancement: autofocus 2FA input

  - issue #16127 Fix table column description PHP error when     ['DisableIS'] = true;

  - issue #16130 Fix local documentation links display when     a PHP extension is missing

  - issue Fix some twig code deprecations for php 8

  - issue Fix ENUM and SET display when editing procedures     and functions

  - issue Keep full query state on 'auto refresh' process     list

  - issue Keep columns order on 'auto refresh' process list

  - issue Fixed editing a failed query from the error     message

  - issue #16166 Fix the alter user privileges query to make     it MySQL 8.0.11+ compatible

  - issue Fix copy table to another database when the nbr of     DBs is > $cfg['MaxDbList']

  - issue #16157 Fix relations of tables having spaces or     special chars not showing in the Designer

  - issue #16052 Fix a very rare JS error occuring on     mousemove event

  - issue #16162 Make a foreign key link clickable in a new     tab after the value was saved and replaced

  - issue #16163 Fixed a PHP notice 'Undefined index:
    column_info' on views

  - issue #14478 Fix the data stream when exporting data in     file mode

  - issue #16184 Fix templates/ directory not found error

  - issue #16184 Remove chdir logic to fix PHP fatal error     'Uncaught TypeError: chdir()'

  - issue Support for Twig 3

  - issue Allow phpmyadmin/twig-i18n-extension ^3.0

  - issue #16201 Trim spaces for integer values in table     search

  - issue #16076 Fixed cannot edit or export TIMESTAMP     column with default CURRENT_TIMESTAMP in MySQL >= 8.0.13

  - issue #16226 Fix error 500 after copying a table

  - issue #16222 Fixed can't use the search page when the     table name has special characters

  - issue #16248 Fix zoom search is not performing input     validation on INT columns

  - issue #16248 Fix JavaScript error when typing in INT     fields on zoom search page

  - issue Fix type errors when using saved searches

  - issue #16261 Fix missing headings on modals of 'User     Accounts -> Export'

  - issue #16146 Fixed sorting did not keep the selector of     number of rows

  - issue #16194 Fixed SQL query does not appear in case of     editing view where definer is not you on MySQL 8

  - issue #16255 Fix tinyint(1) shown as INT on Search page

  - issue #16256 Fix 'Warning: error_reporting() has been     disabled for security reasons' on php 7.x

  - issue #15367 Fix 'Change or reconfigure primary server'     link

  - issue #15367 Fix first replica links, start, stop,     ignore links

  - issue #16058 Add 'PMA_single_signon_HMAC_secret' for     signon auths to make special links work and udate     examples

  - issue #16269 Support ReCaptcha v2 checkbox width     '$cfg['CaptchaMethod'] = 'checkbox';'

  - issue #14644 Use Doctum instead of Sami

  - issue #16086 Fix 'Browse' headings shift when scrolling

  - issue #15328 Fix no message after import of zipped     shapefile without php-zip

  - issue #14326 Fix PHP error when exporting without     php-zip

  - issue #16318 Fix Profiling doesn't sum the number of     calls

  - issue #16319 Fixed a Russian translation mistake on     search results total text

  - issue #15634 Only use session_set_cookie_params once on     PHP >= 7.3.0 versions for single signon auth

  - issue #14698 Fixed database named as 'New' (language     variable) causes PHP fatal error

  - issue #16355 Make textareas both sides resizable

  - issue #16366 Fix column definition form not showing     default value

  - issue #16342 Fixed multi-table query     (db_multi_table_query.php) alias show the same alias for     all columns

  - issue #15109 Fixed using ST_GeomFromText + GUI on insert     throws an error

  - issue #16325 Fixed editing Geometry data throws error on     using the GUI

  - issue [security] Fix XSS vulnerability with the     transformation feature (**PMASA-2020-5,     CVE-2020-26934**)

  - issue [security] Fix SQL injection vulnerability with     search feature (**PMASA-2020-6, CVE-2020-26935**)

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for phpMyAdmin fixes the following issues :

  - phpMyAdmin was updated to 4.9.6

  - CVE-2020-26934: Fixed an XSS relating to the     transformation feature (boo#1177561).

  - CVE-2020-26935: Fixed a SQL injection in     SearchController (boo#1177562).

ID	Name	Product	Family	Severity
144649	phpMyAdmin 4.9.0 < 4.9.6 / 5.0.0 < 5.0.3 Multiple Vulnerabilities (PMASA-2020-5, PMASA-2020-6)	Nessus	CGI abuses	high
143119	Ubuntu 18.04 LTS : phpMyAdmin vulnerabilities (USN-4639-1)	Nessus	Ubuntu Local Security Checks	high
142572	openSUSE Security Update : phpMyAdmin (openSUSE-2020-1806)	Nessus	SuSE Local Security Checks	high
141901	Debian DLA-2413-1 : phpmyadmin security update	Nessus	Debian Local Security Checks	high
141880	Fedora 33 : phpMyAdmin (2020-43d8624421)	Nessus	Fedora Local Security Checks	high
141555	Fedora 32 : phpMyAdmin (2020-4e78c86902)	Nessus	Fedora Local Security Checks	high
141554	Fedora 31 : phpMyAdmin (2020-eadda524a8)	Nessus	Fedora Local Security Checks	high
141507	openSUSE Security Update : phpMyAdmin (openSUSE-2020-1675)	Nessus	SuSE Local Security Checks	high

CVE-2020-26935

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Configuration 2

Tenable Plugins