openSUSE Security Update : phpMyAdmin (openSUSE-2016-1406)

This script is Copyright (C) 2016 Tenable Network Security, Inc.


Synopsis :

The remote openSUSE host is missing a security update.

Description :

This update to phpMyAdmin 4.4.15.9 fixes security issues and bugs.

The following security issues were fixed :

- Unsafe generation of $cfg['blowfish_secret'] (PMASA-2016-58)

- phpMyAdmin's phpinfo functionality is removed (PMASA-2016-59)

- AllowRoot and allow/deny rule bypass with specially crafted username (PMASA-2016-60)

- Username matching weaknesses with allow/deny rules (PMASA-2016-61)

- Possible to bypass logout timeout (PMASA-2016-62)

- Full path disclosure (FPD) weaknesses (PMASA-2016-63)

- Multiple XSS weaknesses (PMASA-2016-64)

- Multiple denial-of-service (DoS) vulnerabilities (PMASA-2016-65)

- Possible to bypass white-list protection for URL redirection (PMASA-2016-66)

- BBCode injection to login page (PMASA-2016-67)

- Denial-of-service (DoS) vulnerability in table partitioning (PMASA-2016-68)

- Multiple SQL injection vulnerabilities (PMASA-2016-69)

- Incorrect serialized string parsing (PMASA-2016-70)

- CSRF token not stripped from the URL (PMASA-2016-71)

The following bugfix changes are included :

- Fix for expanding in navigation pane

- Reintroduced a simplified version of the PmaAbsoluteUri directive (needed with reverse proxies)

- Fix editing of ENUM/SET/DECIMAL field structures

- Improvements to the parser

See also :

https://bugzilla.opensuse.org/show_bug.cgi?id=1012271

Solution :

Update the affected phpMyAdmin package.

Risk factor :

Medium

Family: SuSE Local Security Checks

Nessus Plugin ID: 95560
