openSUSE Security Update : phpMyAdmin (openSUSE-2016-1406)

Medium Nessus Plugin ID 95560

The remote openSUSE host is missing a security update.

This update to phpMyAdmin fixes security issues and bugs.

The following security issues were fixed :

- Unsafe generation of $cfg['blowfish_secret'] (PMASA-2016-58)

- phpMyAdmin's phpinfo functionality is removed (PMASA-2016-59)

- AllowRoot and allow/deny rule bypass with specially crafted username (PMASA-2016-60)

- Username matching weaknesses with allow/deny rules (PMASA-2016-61)

- Possible to bypass logout timeout (PMASA-2016-62)

- Full path disclosure (FPD) weaknesses (PMASA-2016-63)

- Multiple XSS weaknesses (PMASA-2016-64)

- Multiple denial-of-service (DOS) vulnerabilities (PMASA-2016-65)

- Possible to bypass white-list protection for URL redirection (PMASA-2016-66)

- BBCode injection to login page (PMASA-2016-67)

- Denial-of-service (DOS) vulnerability in table partitioning (PMASA-2016-68)

- Multiple SQL injection vulnerabilities (PMASA-2016-69)

- Incorrect serialized string parsing (PMASA-2016-70)

- CSRF token not stripped from the URL (PMASA-2016-71)

The following bugfix changes are included :

- Fix for expanding in navigation pane

- Reintroduced a simplified version of PmaAbsoluteUri directive (needed with reverse proxies)

- Fix editing of ENUM/SET/DECIMAL field structures

- Improvements to the parser
Update the affected phpMyAdmin package.

Plugin Details

Severity: Medium

ID: 95560

File Name: openSUSE-2016-1406.nasl

Version: $Revision: 2.1 $

Type: local

Agent: unix

Published: 2016/12/06

Modified: 2016/12/06

Dependencies: 12634

Risk Information

Risk Factor: Medium

Vulnerability Information

CPE: p-cpe:/a:novell:opensuse:phpMyAdmin, cpe:/o:novell:opensuse:13.2, cpe:/o:novell:opensuse:42.1, cpe:/o:novell:opensuse:42.2

Required KB Items: Host/local_checks_enabled, Host/SuSE/release, Host/SuSE/rpm-list

Patch Publication Date: 2016/12/05