Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

phpMyAdmin 4.4.x < 4.4.15.3 / 4.5.x < 4.5.4 Multiple Vulnerabilities (PMASA-2016-6, PMASA-2016-7)

Low

Synopsis

The remote web server contains a PHP application that is affected by multiple vulnerabilities.

Description

Versions of phpMyAdmin 4.4.x prior to 4.4.15.3, or 4.5.x prior to 4.5.4 are unpatched for the following vulnerabilities :

- An information disclosure vulnerability exists in the 'AES.php' and 'Rijndael.php' scripts that allows a remote attacker, via a specially crafted request, to disclose the software's installation path. (CVE-2016-2042) - A cross-site scripting vulnerability exists due to improper validation of user-supplied input to the normalization script when handling a crafted table name before returning it to users. An authenticated, remote attacker can exploit this, via specially crafted request, to execute arbitrary script code in a user's browser session. (CVE-2016-2043)

Solution

Upgrade to phpMyAdmin 4.4.15.3 / 4.5.4 or later. Alternatively, apply the patch referenced in the vendor advisory.