openSUSE Security Update : phpMyAdmin (openSUSE-2016-1406)

This script is Copyright (C) 2016 Tenable Network Security, Inc.

Synopsis :

The remote openSUSE host is missing a security update.

Description :

This update to phpMyAdmin fixes security issues and bugs.

The following security issues were fixed :

- Unsafe generation of $cfg['blowfish_secret']

- phpMyAdmin's phpinfo functionality is removed

- AllowRoot and allow/deny rule bypass with specially crafted username (PMASA-2016-60)

- Username matching weaknesses with allow/deny rules

- Possible to bypass logout timeout (PMASA-2016-62)

- Full path disclosure (FPD) weaknesses (PMASA-2016-63)

- Multiple XSS weaknesses (PMASA-2016-64)

- Multiple denial-of-service (DoS) vulnerabilities

- Possible to bypass white-list protection for URL redirection (PMASA-2016-66)

- BBCode injection to login page (PMASA-2016-67)

- Denial-of-service (DoS) vulnerability in table partitioning (PMASA-2016-68)

- Multiple SQL injection vulnerabilities (PMASA-2016-69)

- Incorrect serialized string parsing (PMASA-2016-70)

- CSRF token not stripped from the URL (PMASA-2016-71)

The following bugfix changes are included :

- Fix for expanding in navigation pane

- Reintroduced a simplified version of the PmaAbsoluteUri directive (needed with reverse proxies)

- Fix editing of ENUM/SET/DECIMAL field structures

- Improvements to the parser

Solution :

Update the affected phpMyAdmin package.

Family: SuSE Local Security Checks

Nessus Plugin ID: 95560
