phpMyAdmin 4.0.x < 184.108.40.206 Multiple Vulnerabilities (PMASA-2016-17, PMASA-2016-22 - PMASA-2016-24, PMASA-2016-26 - PMASA-2016-28)
High Nessus Plugin ID 99661
SynopsisThe remote web server hosts a PHP application that is affected by multiple vulnerabilities.
DescriptionAccording to its self-reported version number, the phpMyAdmin application hosted on the remote web server is 4.0.x prior to 220.127.116.11. It is, therefore, affected by the following vulnerabilities :
- A flaw exists in the setup/frames/index.inc.php script that allows an unauthenticated, remote attacker to access the program on a non-HTTPS connection and thereby inject arbitrary BBCode against HTTP sessions. (CVE-2016-5701)
- A information disclosure vulnerability exists in the Example OpenID Authentication and Setup scripts that allows an remote attacker, via multiple vectors, to disclose the application's installation path in an error message. (CVE-2016-5730)
- A reflected cross-site scripting (XSS) vulnerability exists in the examples/openid.php script when handling OpenID error messages due to improper validation of input before returning it to users. An unauthenticated, remote attacker can exploit this, via a specially crafted request, to execute arbitrary script code in a user's browser session. (CVE-2016-5731)
- Multiple cross-site scripting (XSS) vulnerabilities exist due to improper validation of user-supplied input before returning it to users. An unauthenticated, remote attacker can exploit these, via specially crafted requests, to execute arbitrary script code or HTML in a user's browser session. (CVE-2016-5733)
- A flaw exists in the table search and replace feature due to improper sanitization of parameters before passing them to the preg_replace() function. An unauthenticated, remote attacker can exploit this, via a specially crafted string, to execute arbitrary PHP code. (CVE-2016-5734)
- An information disclosure vulnerability exists in the libraries/Header.class.php script when handling transformations due to a failure to use the 'no-referer' Content Security Policy (CSP) protection mechanism. An unauthenticated, remote attacker can exploit this, via a specially crafted Transformation, to disclose sensitive authentication token information, which then can be potentially used to facilitate cross-site request forgery (XSRF) attacks. (CVE-2016-5739)
Note that Nessus has not attempted to exploit these issues but has instead relied only on the application's self-reported version number.
SolutionUpgrade to phpMyAdmin version 18.104.22.168 or later. Alternatively, apply the patches referenced in the vendor advisories.