phpMyAdmin 4.0.x < 4.0.10.17 / 4.4.x < 4.4.15.8 / 4.6.x < 4.6.4 Multiple Vulnerabilities (PMASA-2016-29 - PMASA-2016-56) (deprecated)

Critical | Nessus Plugin ID 95027

Synopsis

This plugin has been deprecated.

Description

According to its self-reported version number, the phpMyAdmin application hosted on the remote web server is 4.0.x prior to 4.0.10.17, 4.4.x prior to 4.4.15.8, or 4.6.x prior to 4.6.4. It is, therefore, affected by the following vulnerabilities:

- An information disclosure vulnerability exists due to the use of an algorithm that is vulnerable to padding oracle attacks. An unauthenticated, remote attacker can exploit this to decrypt information without the key, resulting in the disclosure of usernames and passwords. (CVE-2016-6606)

- A cross-site scripting (XSS) vulnerability exists in the replication_gui.lib.php script due to improper validation of user-supplied input to the 'username' and 'hostname' parameters. An unauthenticated, remote attacker can exploit this, via a specially crafted request, to execute arbitrary script code in a user's browser session. (CVE-2016-6607)

- A cross-site scripting (XSS) vulnerability exists in the database privilege check functionality and the remove partitioning functionality due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this, via a specially crafted request, to execute arbitrary script code in a user's browser session. Note that this vulnerability only affects 4.6.x versions. (CVE-2016-6608)

- A remote command execution vulnerability exists in the ExportPhparray.class.php script due to improper validation of user-supplied input passed via database names. An authenticated, remote attacker can exploit this to execute arbitrary PHP commands. (CVE-2016-6609)

- An information disclosure vulnerability exists in the plugin_interface.lib.php script due to improper handling of errors when creating non-existent classes. An authenticated, remote attacker can exploit this to disclose the installation path. (CVE-2016-6610)

- A SQL injection vulnerability exists in the ExportSql.class.php script due to improper sanitization of user-supplied input to database and table names. An authenticated, remote attacker can exploit this to manipulate SQL queries in the back-end database, resulting in the manipulation and disclosure of arbitrary data. (CVE-2016-6611)

- An information disclosure vulnerability exists in the LOAD LOCAL INFILE functionality that allows an authenticated, remote attacker to expose files on the server to the database system. (CVE-2016-6612)

- An information disclosure vulnerability exists due to insecure creation of temporary files. A local attacker can exploit this, via a symlink attack, to disclose arbitrary files. (CVE-2016-6613)

- A directory traversal vulnerability exists in the Util.class.php script due to improper sanitization of user-supplied input when handling the %u username replacement functionality of the SaveDir and UploadDir features. An unauthenticated, remote attacker can exploit this, via a specially crafted request, to disclose arbitrary files. (CVE-2016-6614)

- Multiple cross-site scripting (XSS) vulnerabilities exist due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit these, via a specially crafted request, to execute arbitrary script code in a user's browser session. Note that these vulnerabilities do not affect 4.0.x versions. (CVE-2016-6615)

- A SQL injection vulnerability exists due to improper sanitization of user-supplied input when handling user group queries. An authenticated, remote attacker can exploit this to manipulate SQL queries in the back-end database, resulting in the manipulation and disclosure of arbitrary data. Note that this vulnerability does not affect 4.0.x versions. (CVE-2016-6616)

- A SQL injection vulnerability exists in the display_export.lib.php script due to improper sanitization of user-supplied input when handling database and table names. An authenticated, remote attacker can exploit this to manipulate SQL queries in the back-end database, resulting in the manipulation and disclosure of arbitrary data. Note that this vulnerability only affects 4.6.x versions. (CVE-2016-6617)

- A denial of service vulnerability exists in the transformation_wrapper.php script due to improper scaling of image dimensions. An unauthenticated, remote attacker can exploit this to cause a denial of service condition. (CVE-2016-6618)

- A SQL injection vulnerability exists in the user interface preference feature due to improper sanitization of user-supplied input. An authenticated, remote attacker can exploit this to manipulate SQL queries in the back-end database, resulting in the manipulation and disclosure of arbitrary data. (CVE-2016-6619)

- A remote code execution vulnerability exists in the unserialize() function due to improper validation of user-supplied data. An unauthenticated, remote attacker can exploit this to execute arbitrary code. (CVE-2016-6620)

- A denial of service vulnerability exists when the AllowArbitraryServer option is enabled that allows an unauthenticated, remote attacker to cause a denial of service condition by forcing a persistent connection. (CVE-2016-6622)

- A denial of service vulnerability exists due to improper handling of looped larger values. An authenticated, remote attacker can exploit this to cause a denial of service condition. (CVE-2016-6623)

- A security bypass vulnerability exists in the ip_allow_deny.lib.php script that allows an unauthenticated, remote attacker to bypass IP-based authentication rules. (CVE-2016-6624)

- An information disclosure vulnerability exists that allows an unauthenticated, remote attacker to determine whether a user is logged in or not. (CVE-2016-6625)

- A cross-site redirection vulnerability exists in the core.lib.php script due to a failure to validate user-supplied input. An unauthenticated, remote attacker can exploit this, by convincing a user to follow a specially crafted link, to redirect the user to an arbitrary website. (CVE-2016-6626)

- An information disclosure vulnerability exists in the url.php script due to improper handling of HTTP headers. An unauthenticated, remote attacker can exploit this to disclose host location information. (CVE-2016-6627)

- A flaw exists in the file_echo.php script that allows an unauthenticated, remote attacker to cause a different user to download a specially crafted SVG file. (CVE-2016-6628)

- A flaw exists in the ArbitraryServerRegexp configuration directive that allows an unauthenticated, remote attacker to reuse certain cookie values and bypass intended server definition limits. (CVE-2016-6629)

- A denial of service vulnerability exists in the user_password.php script due to improper handling of an overly long password. An unauthenticated, remote attacker can exploit this to cause a denial of service condition. (CVE-2016-6630)

- A remote code execution vulnerability exists in the generator_plugin.sh script due to improper handling of query strings. An unauthenticated, remote attacker can exploit this to execute arbitrary code. (CVE-2016-6631)

- A denial of service vulnerability exists in the dbase extension in the ImportShp.class.php script due to a failure to delete temporary files during the import of ESRI files. An unauthenticated, remote attacker can exploit this to cause a denial of service condition. (CVE-2016-6632)

- A remote code execution vulnerability exists in the dbase extension due to improper handling of SHP imports. An unauthenticated, remote attacker can exploit this to execute arbitrary code. (CVE-2016-6633)

Note that Nessus has not attempted to exploit these issues but has instead relied only on the application's self-reported version number.
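The version-range logic described above, written out as an added example (not Tenable's plugin code): it takes a self-reported phpMyAdmin version string, decides whether it falls in one of the three affected ranges, and applies the branch-specific notes (CVE-2016-6608 and CVE-2016-6617 only on 4.6.x; CVE-2016-6615 and CVE-2016-6616 not on 4.0.x). The `-rc`/`-dev` handling is an assumption of this example: such suffixes are stripped and the base version compared numerically.

```python
import re

# Fixed versions per affected branch, as stated in the description.
FIXED = {
    "4.0": (4, 0, 10, 17),
    "4.4": (4, 4, 15, 8),
    "4.6": (4, 6, 4),
}

# All 27 CVEs listed on the page: CVE-2016-6606 .. CVE-2016-6633, minus CVE-2016-6621.
ALL_CVES = [f"CVE-2016-{n}" for n in range(6606, 6634) if n != 6621]
ONLY_4_6 = {"CVE-2016-6608", "CVE-2016-6617"}   # "only affects 4.6.x versions"
NOT_4_0 = {"CVE-2016-6615", "CVE-2016-6616"}    # "does not affect 4.0.x versions"


def parse_version(text):
    """Turn '4.6.3' or '4.4.15.8-dev' into a tuple of ints (suffix ignored)."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:[-+].*)?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def _branch(v):
    return f"{v[0]}.{v[1]}" if len(v) >= 2 else None


def is_affected(version):
    """True when the version is in an affected branch and below that branch's fix.

    A branch not covered by the advisory (e.g. 4.5.x) returns False; that
    only means 'not in scope here', not that the install is safe.
    """
    v = parse_version(version)
    fixed = FIXED.get(_branch(v))
    if fixed is None:
        return False
    # Tuple comparison handles short forms: (4, 6) < (4, 6, 4) is True.
    return v < fixed


def applicable_cves(version):
    """CVEs from the list above that apply to this particular version."""
    if not is_affected(version):
        return []
    branch = _branch(parse_version(version))
    return [c for c in ALL_CVES
            if not (c in ONLY_4_6 and branch != "4.6")
            and not (c in NOT_4_0 and branch == "4.0")]
```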

This plugin has been deprecated. Use phpmyadmin_pmasa_4_6_4.nasl (plugin ID 143282) instead.

See Also

https://www.phpmyadmin.net/security/PMASA-2016-29/

https://www.phpmyadmin.net/security/PMASA-2016-30/

https://www.phpmyadmin.net/security/PMASA-2016-31/

https://www.phpmyadmin.net/security/PMASA-2016-32/

https://www.phpmyadmin.net/security/PMASA-2016-33/

https://www.phpmyadmin.net/security/PMASA-2016-34/

https://www.phpmyadmin.net/security/PMASA-2016-35/

https://www.phpmyadmin.net/security/PMASA-2016-36/

https://www.phpmyadmin.net/security/PMASA-2016-37/

https://www.phpmyadmin.net/security/PMASA-2016-38/

https://www.phpmyadmin.net/security/PMASA-2016-39/

https://www.phpmyadmin.net/security/PMASA-2016-40/

https://www.phpmyadmin.net/security/PMASA-2016-41/

https://www.phpmyadmin.net/security/PMASA-2016-42/

https://www.phpmyadmin.net/security/PMASA-2016-43/

https://www.phpmyadmin.net/security/PMASA-2016-45/

https://www.phpmyadmin.net/security/PMASA-2016-46/

https://www.phpmyadmin.net/security/PMASA-2016-47/

https://www.phpmyadmin.net/security/PMASA-2016-48/

https://www.phpmyadmin.net/security/PMASA-2016-49/

https://www.phpmyadmin.net/security/PMASA-2016-50/

https://www.phpmyadmin.net/security/PMASA-2016-51/

https://www.phpmyadmin.net/security/PMASA-2016-52/

https://www.phpmyadmin.net/security/PMASA-2016-53/

https://www.phpmyadmin.net/security/PMASA-2016-54/

https://www.phpmyadmin.net/security/PMASA-2016-56/

Plugin Details

Severity: Critical

ID: 95027

File Name: phpmyadmin_pmasa_2016_29.nasl

Version: 1.6

Type: remote

Family: CGI abuses

Published: 11/21/2016

Updated: 12/31/2020

Dependencies: phpMyAdmin_detect.nasl

Configuration: Enable paranoid mode

Risk Information

CVSS Score Source: CVE-2016-6629

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 7.4

Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Temporal Vector: E:U/RL:OF/RC:C

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:phpmyadmin:phpmyadmin

Required KB Items: www/PHP, installed_sw/phpMyAdmin, Settings/ParanoidReport

Exploit Ease: No exploit is required

Patch Publication Date: 7/7/2016

Vulnerability Publication Date: 7/7/2016

Reference Information

CVE: CVE-2016-6606, CVE-2016-6607, CVE-2016-6608, CVE-2016-6609, CVE-2016-6610, CVE-2016-6611, CVE-2016-6612, CVE-2016-6613, CVE-2016-6614, CVE-2016-6615, CVE-2016-6616, CVE-2016-6617, CVE-2016-6618, CVE-2016-6619, CVE-2016-6620, CVE-2016-6622, CVE-2016-6623, CVE-2016-6624, CVE-2016-6625, CVE-2016-6626, CVE-2016-6627, CVE-2016-6628, CVE-2016-6629, CVE-2016-6630, CVE-2016-6631, CVE-2016-6632, CVE-2016-6633

BID: 92489, 92490, 92491, 92492, 92493, 92494, 92496, 92497, 92500, 92501, 93257, 93258