Debian DLA-626-1 : phpmyadmin security update

critical Nessus Plugin ID 93566

Synopsis

The remote Debian host is missing a security update.

Description

Phpmyadmin, a web administration tool for MySQL, had several vulnerabilities reported.

CVE-2016-6606

A pair of vulnerabilities were found affecting the way cookies are stored.

The decryption of the username/password is vulnerable to a padding oracle attack. The can allow an attacker who has access to a user's browser cookie file to decrypt the username and password.

A vulnerability was found where the same initialization vector is used to hash the username and password stored in the phpMyAdmin cookie. If a user has the same password as their username, an attacker who examines the browser cookie can see that they are the same — but the attacker can not directly decode these values from the cookie as it is still hashed.

CVE-2016-6607

Cross site scripting vulnerability in the replication feature

CVE-2016-6609

A specially crafted database name could be used to run arbitrary PHP commands through the array export feature.

CVE-2016-6611

A specially crafted database and/or table name can be used to trigger a SQL injection attack through the SQL export functionality.

CVE-2016-6612

A user can exploit the LOAD LOCAL INFILE functionality to expose files on the server to the database system.

CVE-2016-6613

A user can specially craft a symlink on disk, to a file which phpMyAdmin is permitted to read but the user is not, which phpMyAdmin will then expose to the user.

CVE-2016-6614

A vulnerability was reported with the %u username replacement functionality of the SaveDir and UploadDir features. When the username substitution is configured, a specially crafted user name can be used to circumvent restrictions to traverse the file system.

CVE-2016-6620

A vulnerability was reported where some data is passed to the PHP unserialize() function without verification that it's valid serialized data. Due to how the PHP function operates, unserialization can result in code being loaded and executed due to object instantiation and autoloading, and a malicious user may be able to exploit this.
Therefore, a malicious user may be able to manipulate the stored data in a way to exploit this weakness.

CVE-2016-6622

An unauthenticated user is able to execute a denial of service attack by forcing persistent connections when phpMyAdmin is running with $cfg['AllowArbitraryServer']=true;.

CVE-2016-6623

A malicious authorized user can cause a denial of service attack on a server by passing large values to a loop.

CVE-2016-6624

A vulnerability was discovered where, under certain circumstances, it may be possible to circumvent the phpMyAdmin IP-based authentication rules. When phpMyAdmin is used with IPv6 in a proxy server environment, and the proxy server is in the allowed range but the attacking computer is not allowed, this vulnerability can allow the attacking computer to connect despite the IP rules.

CVE-2016-6630

An authenticated user can trigger a denial of service attack by entering a very long password at the change password dialog.

CVE-2016-6631

A vulnerability was discovered where a user can execute a remote code execution attack against a server when phpMyAdmin is being run as a CGI application. Under certain server configurations, a user can pass a query string which is executed as a command-line argument by shell scripts.

For Debian 7 'Wheezy', these problems have been fixed in version 3.4.11.1-2+deb7u6.

We recommend that you upgrade your phpmyadmin packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Solution

Upgrade the affected phpmyadmin package.

See Also

https://lists.debian.org/debian-lts-announce/2016/09/msg00019.html

https://packages.debian.org/source/wheezy/phpmyadmin

Plugin Details

Severity: Critical

ID: 93566

File Name: debian_DLA-626.nasl

Version: 2.9

Type: local

Agent: unix

Published: 9/19/2016

Updated: 1/11/2021

Supported Sensors: Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: High

Base Score: 8.5

Temporal Score: 6.3

Vector: CVSS2#AV:N/AC:M/Au:S/C:C/I:C/A:C

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:debian:debian_linux:phpmyadmin, cpe:/o:debian:debian_linux:7.0

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Exploit Ease: No known exploits are available

Patch Publication Date: 9/17/2016

Vulnerability Publication Date: 12/11/2016

Reference Information

CVE: CVE-2016-6606, CVE-2016-6607, CVE-2016-6609, CVE-2016-6611, CVE-2016-6612, CVE-2016-6613, CVE-2016-6614, CVE-2016-6620, CVE-2016-6622, CVE-2016-6623, CVE-2016-6624, CVE-2016-6630, CVE-2016-6631