phpMyAdmin 4.0.10.x < 4.0.10.17 / 4.4.15.x < 4.4.15.8 / 4.6.x < 4.6.4 Multiple Vulnerabilities

critical Nessus Network Monitor Plugin ID 9538
New! Plugin Severity Now Using CVSS v3

The calculated severity for Plugins has been updated to use CVSS v3 by default. Plugins that do not have a CVSS v3 score will fall back to CVSS v2 for calculating severity. Severity display preferences can be toggled in the settings dropdown.

Synopsis

The remote web server contains a version of phpMyAdmin that is affected by multiple vulnerabilities.

Description

Versions of phpMyAdmin 4.0.10.x prior to 4.0.10.17, 4.4.15.x prior to 4.4.15.8, and 4.6.x prior to 4.6.4 are unpatched, and therefore affected by the following vulnerabilities :

- A flaw exists that may lead to the unauthorized disclosure of sensitive information. The issue is due to the program using requests that contain an algorithm that is vulnerable to padding oracle attacks. This may allow a remote attacker to decode information without knowledge of the encryption key and gain access to a user's potentially sensitive personal information.
- A flaw exists that allows a cross-site scripting (XSS) attack. This flaw exists because the 'libraries/replication_gui.lib.php' script does not validate input to the 'username' and 'hostname' parameters before returning it to users. This may allow a remote attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server.
- A flaw exists that allows an XSS attack. vThis flaw exists because the database privilege check functionality does not validate input to database names before returning it to users. This may allow a remote attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server.
- A flaw exists that allows an XSS attack. This flaw exists because the remove partitioning functionality does not validate input before returning it to users. This may allow a remote attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server.
- A flaw exists in the 'libraries/plugins/export/ExportPhparray.class.php' script that is triggered as input passed via database names is not properly sanitized. This may allow a remote attacker to execute arbitrary commands.
- A flaw exists in 'libraries/plugin_interface.lib.php' that is triggered during the handling of errors when creating non-existent classes, which may allow a remote attacker to disclose the software's installation path. While such information is relatively low risk, it is often useful in carrying out additional, more focused attacks.
- A flaw exists that may allow carrying out an SQL injection attack. The issue is due to the 'libraries/plugins/export/ExportSql.class.php' script not properly sanitizing input to database and table names. This may allow a remote attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.
- A flaw exists in the 'LOAD LOCAL INFILE' functionality that may allow an authenticated remote attacker to expose files on the server to the database system.
- A flaw exists as the program creates temporary files insecurely. It is possible for a local attacker to use a symlink attack against a file to cause the program to unexpectedly disclose arbitrary files.
- A flaw exists that allows traversing outside of a restricted path. The issue is due to the 'libraries/Util.class.php' script not properly sanitizing user input, specifically path traversal style attacks (e.g. '../') when handling the '%u' username replacement functionality of the 'SaveDir' and 'UploadDir' features. With a specially crafted request, a remote attacker can disclose arbitrary files.
- A flaw exists that allows an XSS attack. This flaw exists because the 'libraries/navigation/Nodes/Node_Database.class.php' script does not validate input to database names before returning it to users. This may allow a remote attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server.
- A flaw exists that allows an XSS attack. This flaw exists because the 'libraries/tracking.lib.php' script does not validate input when handling queries before returning it to users. This may allow a remote attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server.
- A flaw exists that allows an XSS attack. This flaw exists because the 'libraries/tbl_gis_visualization.lib.php' script does not validate input before returning it to users. This may allow a remote attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server.
- A flaw exists that may allow carrying out an SQL injection attack. The issue is due to the program not properly sanitizing input when handling user group queries. This may allow a remote attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.
- A flaw exists that may allow carrying out an SQL injection attack. The issue is due to the 'libraries/display_export.lib.php' script not properly sanitizing input when handling database or table names. This may allow a remote attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.
- A flaw exists in the 'transformation_wrapper.php' script that is triggered during the scaling of image dimensions. This may allow a remote attacker to cause a denial of service for the server.
- A flaw exists that may allow carrying out an SQL injection attack. The issue is due to the user interface preference feature not properly sanitizing input before using it in SQL queries. This may allow a remote attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.
- A flaw exists in the 'unserialize()' function that is triggered during the handling of user-supplied data. This may allow a remote attacker to execute arbitrary code.
- A flaw exists in the 'AllowArbitraryServer' option that is triggered when a remote attacker to forces persistent connections. This may allow the attacker to cause a denial of service.
- A flaw exists that is triggered during the handling of looped large values. This may allow an authenticated remote attacker to cause a denial of service on a server.
- A flaw exists in the 'libraries/ip_allow_deny.lib.php' script that may allow a remote attacker to bypass IP-based authentication rules.
- An unspecified flaw exists that may allow a remote attacker to determine whether a user is logged into the program.
- A flaw exists that allows a cross-site redirection attack. This flaw exists because the application does not validate input upon submission to the 'libraries/core.lib.php' script. This could allow a context-dependent attacker to create a specially crafted link that, if followed, would redirect a victim from the intended legitimate web site to an arbitrary web site of the attacker's choosing.
- A flaw exists in the 'url.php' script that is triggered during the handling of HTTP headers. This may allow a remote attacker to disclose host location information.
- A flaw exists in the 'file_echo.php' script that may allow a remote attacker to cause a different user to download a specially crafted SVG file.
- A flaw exists in the 'ArbitraryServerRegexp' configuration directive that may allow a remote attacker to reuse certain cookie values and bypass intended server definition limits.
- A flaw exists in the 'user_password.php' script that is triggered during the handling of an overly long password. This may allow a remote attacker to cause a denial of service.
- A flaw exists in '/libraries/plugins/transformations/generator_plugin.sh' that is triggered during the handling of query strings. This may allow a remote attacker to execute arbitrary code.
- A flaw exists in the dbase extension in the 'libraries/plugins/import/ImportShp.class.php' script that is due to the program failing to delete temporary files during the import of ESRI files. This may allow a remote attacker to cause a denial of service.
- A flaw exists in the 'dbase' extension that is triggered during the handling of SHP import. This may allow a remote attacker to execute arbitrary code.

Solution

Upgrade to phpMyAdmin version 4.6.4 or later. If 4.6.x cannot be obtained, versions 4.4.15.8 and 4.0.10.17 have also been patched for these vulnerabilities.

See Also

https://www.phpmyadmin.net/news/2016/8/16/phpmyadmin-401017-44158-and-464-are-released

https://www.phpmyadmin.net/security/PMASA-2016-29

https://www.phpmyadmin.net/security/PMASA-2016-30

https://www.phpmyadmin.net/security/PMASA-2016-31

https://www.phpmyadmin.net/security/PMASA-2016-32

https://www.phpmyadmin.net/security/PMASA-2016-33

https://www.phpmyadmin.net/security/PMASA-2016-34

https://www.phpmyadmin.net/security/PMASA-2016-35

https://www.phpmyadmin.net/security/PMASA-2016-36

https://www.phpmyadmin.net/security/PMASA-2016-37

https://www.phpmyadmin.net/security/PMASA-2016-38

https://www.phpmyadmin.net/security/PMASA-2016-39

https://www.phpmyadmin.net/security/PMASA-2016-40

https://www.phpmyadmin.net/security/PMASA-2016-41

https://www.phpmyadmin.net/security/PMASA-2016-42

https://www.phpmyadmin.net/security/PMASA-2016-43

https://www.phpmyadmin.net/security/PMASA-2016-44

https://www.phpmyadmin.net/security/PMASA-2016-45

https://www.phpmyadmin.net/security/PMASA-2016-46

https://www.phpmyadmin.net/security/PMASA-2016-47

https://www.phpmyadmin.net/security/PMASA-2016-48

https://www.phpmyadmin.net/security/PMASA-2016-49

https://www.phpmyadmin.net/security/PMASA-2016-50

https://www.phpmyadmin.net/security/PMASA-2016-51

https://www.phpmyadmin.net/security/PMASA-2016-52

https://www.phpmyadmin.net/security/PMASA-2016-53

https://www.phpmyadmin.net/security/PMASA-2016-54

https://www.phpmyadmin.net/security/PMASA-2016-55

https://www.phpmyadmin.net/security/PMASA-2016-56

Plugin Details

Severity: Critical

ID: 9538

Family: CGI

Published: 8/30/2016

Updated: 3/6/2019

Dependencies: 9102

Risk Information

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 8.3

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Temporal Vector: CVSS2#E:F/RL:OF/RC:C

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 9.1

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:F/RL:O/RC:C

Vulnerability Information

CPE: cpe:2.3:a:phpmyadmin:phpmyadmin:*:*:*:*:*:*:*:*

Patch Publication Date: 8/16/2016

Vulnerability Publication Date: 8/16/2016

Reference Information

CVE: CVE-2016-6606, CVE-2016-6607, CVE-2016-6609, CVE-2016-6610, CVE-2016-6611, CVE-2016-6612, CVE-2016-6613, CVE-2016-6614, CVE-2016-6618, CVE-2016-6619, CVE-2016-6620, CVE-2016-6622, CVE-2016-6623, CVE-2016-6624, CVE-2016-6625, CVE-2016-6626, CVE-2016-6627, CVE-2016-6628, CVE-2016-6629, CVE-2016-6630, CVE-2016-6631, CVE-2016-6632, CVE-2016-6633, CVE-2016-6608, CVE-2016-6615, CVE-2016-6616, CVE-2016-6617

BID: 92489, 92490, 92491, 92492, 92493, 92494, 92496, 92497, 92500, 92501