Advisories » MGASA-2016-0291

Updated phpmyadmin packages fix security vulnerability

Publication date: 31 Aug 2016
Modification date: 31 Aug 2016
Type: security
Affected Mageia releases: 5
CVE: CVE-2016-6606, CVE-2016-6607, CVE-2016-6609, CVE-2016-6610, CVE-2016-6611, CVE-2016-6612, CVE-2016-6613, CVE-2016-6614, CVE-2016-6615, CVE-2016-6616, CVE-2016-6618, CVE-2016-6619, CVE-2016-6620, CVE-2016-6622, CVE-2016-6623, CVE-2016-6624, CVE-2016-6625, CVE-2016-6626, CVE-2016-6627, CVE-2016-6628, CVE-2016-6629, CVE-2016-6630, CVE-2016-6631, CVE-2016-6632, CVE-2016-6633

Description

In phpMyAdmin before 4.4.15.8, the decryption of the username/password is
vulnerable to a padding oracle attack. This can allow an attacker who has
access to a user's browser cookie file to decrypt the username and
password. Also, the same initialization vector (IV) is used to hash the
username and password stored in the phpMyAdmin cookie. If a user has the
same password as their username, an attacker who examines the browser
cookie can see that they are the same (CVE-2016-6606).
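
The two cookie weaknesses described above, as an added PHP example that is not phpMyAdmin's code or its actual fix: a shared IV makes equal fields encrypt to equal ciphertexts, while a fresh IV per field plus an HMAC verified before decryption removes both the equality leak and the padding oracle. AES-128-CBC, the keys, the sample value and all function names are assumptions made for illustration.

```php
<?php
// Added illustration, not phpMyAdmin's code. Keys and field values are constructed.
const CIPHER = 'aes-128-cbc'; // assumed cipher; the advisory names none

// Weak pattern from the advisory: one IV shared by both cookie fields.
function encrypt_shared_iv(string $plain, string $key, string $iv): string
{
    return openssl_encrypt($plain, CIPHER, $key, OPENSSL_RAW_DATA, $iv);
}

// Hardened: fresh IV per field, then HMAC over IV || ciphertext (encrypt-then-MAC).
function seal_field(string $plain, string $encKey, string $macKey): string
{
    $iv  = random_bytes(openssl_cipher_iv_length(CIPHER));
    $ct  = openssl_encrypt($plain, CIPHER, $encKey, OPENSSL_RAW_DATA, $iv);
    $mac = hash_hmac('sha256', $iv . $ct, $macKey, true);
    return base64_encode($mac . $iv . $ct);
}

// The MAC is verified in constant time before any decryption, so a modified
// cookie is rejected without its padding ever being examined.
function unseal_field(string $cookie, string $encKey, string $macKey): ?string
{
    $raw   = base64_decode($cookie, true);
    $ivLen = openssl_cipher_iv_length(CIPHER);
    if ($raw === false || strlen($raw) < 32 + $ivLen + 16) {
        return null;
    }
    $mac = substr($raw, 0, 32);
    $iv  = substr($raw, 32, $ivLen);
    $ct  = substr($raw, 32 + $ivLen);
    if (!hash_equals(hash_hmac('sha256', $iv . $ct, $macKey, true), $mac)) {
        return null;
    }
    $plain = openssl_decrypt($ct, CIPHER, $encKey, OPENSSL_RAW_DATA, $iv);
    return $plain === false ? null : $plain;
}

$encKey = random_bytes(16);
$macKey = random_bytes(32);
$iv     = random_bytes(16);

// Username equal to password, the case the advisory describes.
$same = encrypt_shared_iv('alice', $encKey, $iv) === encrypt_shared_iv('alice', $encKey, $iv);
$su = seal_field('alice', $encKey, $macKey);
$sp = seal_field('alice', $encKey, $macKey);
printf("shared IV, equal ciphertexts: %s\n", var_export($same, true));
printf("per-field IV, equal ciphertexts: %s\n", var_export($su === $sp, true));
printf("round trip ok: %s\n", var_export(unseal_field($su, $encKey, $macKey) === 'alice', true));
```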

In phpMyAdmin before 4.4.15.8, multiple vulnerabilities have been
discovered in the following areas of phpMyAdmin: Zoom search, GIS editor,
Relation view, several Transformations, XML export, MediaWiki export,
Designer, when the MySQL server is running with a specially-crafted
log_bin directive, Database tab, Replication feature, and Database search
(CVE-2016-6607).

In phpMyAdmin before 4.4.15.8, a vulnerability was found where a specially
crafted database name could be used to run arbitrary PHP commands through
the array export feature (CVE-2016-6609).

In phpMyAdmin before 4.4.15.8, a full path disclosure vulnerability was
discovered where a user can trigger a particular error in the export
mechanism to discover the full path of phpMyAdmin on the disk
(CVE-2016-6610).

In phpMyAdmin before 4.4.15.8, a vulnerability was reported where a
specially crafted database and/or table name can be used to trigger an SQL
injection attack through the export functionality (CVE-2016-6611).

In phpMyAdmin before 4.4.15.8, a vulnerability was discovered where a user
can exploit the LOAD LOCAL INFILE functionality to expose files on the
server to the database system (CVE-2016-6612).

In phpMyAdmin before 4.4.15.8, a vulnerability was found where a user can
specially craft a symlink on disk, to a file which phpMyAdmin is permitted
to read but the user is not, which phpMyAdmin will then expose to the user
(CVE-2016-6613).

In phpMyAdmin before 4.4.15.8, a vulnerability was reported with the %u
username replacement functionality of the SaveDir and UploadDir features.
When the username substitution is configured, a specially-crafted user
name can be used to circumvent restrictions to traverse the file system
(CVE-2016-6614).
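
One way to guard a %u substitution of this kind, as an added PHP example that is not phpMyAdmin's code or its actual fix: the user name is rejected if it contains path separators or dot segments, and the expanded directory is accepted only if its resolved path still lies under the configured base. The function name `resolve_user_dir`, the directory layout and the sample user names are constructed for illustration.

```php
<?php
// Added illustration, not phpMyAdmin's code. Paths and user names are constructed.

// Expand %u in a SaveDir/UploadDir-style template and return the directory
// only if it still lies under $baseDir; otherwise return null.
function resolve_user_dir(string $template, string $user, string $baseDir): ?string
{
    // Reject names that could alter the path: separators, dot segments, NUL.
    if ($user === '' || $user === '.' || $user === '..'
        || strpbrk($user, "/\\") !== false || strpos($user, "\0") !== false) {
        return null;
    }
    $base = realpath($baseDir);
    $dir  = realpath(str_replace('%u', $user, $template));
    if ($base === false || $dir === false) {
        return null; // base or per-user directory does not exist
    }
    // realpath() has resolved ".." and symlinks; require containment in $base.
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($dir . DIRECTORY_SEPARATOR, $prefix, strlen($prefix)) === 0
        ? $dir : null;
}

// Constructed layout: save/alice is a real per-user directory, save/link is
// a symlink that points outside the base directory.
$root = sys_get_temp_dir() . '/pma_demo';
@mkdir("$root/save/alice", 0700, true);
@mkdir("$root/other", 0700, true);
@symlink("$root/other", "$root/save/link");
$template = "$root/save/%u";

foreach (['alice', '../other', 'alice/../../other', 'link', ''] as $name) {
    $r = resolve_user_dir($template, $name, "$root/save");
    printf("%-22s %s\n", var_export($name, true), $r ?? 'rejected');
}
```

The `link` entry passes the character check and is caught only by the containment test on the resolved path, which is why both checks are present.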

In phpMyAdmin before 4.4.15.8, multiple XSS vulnerabilities were found in
the following areas: Navigation pane and database/table hiding feature,
the "Tracking" feature, and GIS visualization feature (CVE-2016-6615).

In phpMyAdmin before 4.4.15.8, a vulnerability was discovered in the
following features where a user can execute an SQL injection attack
against the account of the control user: User group Designer
(CVE-2016-6616).

In phpMyAdmin before 4.4.15.8, a vulnerability was found in the
transformation feature allowing a user to trigger a denial-of-service
(DOS) attack against the server (CVE-2016-6618).

In phpMyAdmin before 4.4.15.8, a vulnerability was discovered in the user
interface preference feature where a user can execute an SQL injection
attack against the account of the control user (CVE-2016-6619).

In phpMyAdmin before 4.4.15.8, a vulnerability was reported where some
data is passed to the PHP unserialize() function without verification that
it's valid serialized data. A malicious user may be able to manipulate the
stored data in a way to result in code being loaded and executed
(CVE-2016-6620).

In phpMyAdmin before 4.4.15.8, a vulnerability was discovered where an
unauthenticated user is able to execute a denial-of-service (DOS) attack
by forcing persistent connections when phpMyAdmin is running with
$cfg['AllowArbitraryServer']=true; (CVE-2016-6622).

In phpMyAdmin before 4.4.15.8, a vulnerability has been reported where a
malicious authorized user can cause a denial-of-service (DOS) attack on a
server by passing large values to a loop (CVE-2016-6623).

In phpMyAdmin before 4.4.15.8, a vulnerability was discovered where, under
certain circumstances, it may be possible to circumvent the phpMyAdmin
IP-based authentication rules. When phpMyAdmin is used with IPv6 in a
proxy server environment, and the proxy server is in the allowed range but
the attacking computer is not allowed, this vulnerability can allow the
attacking computer to connect despite the IP rules (CVE-2016-6624).

In phpMyAdmin before 4.4.15.8, a vulnerability was reported where an
attacker can determine whether a user is logged in to phpMyAdmin
(CVE-2016-6625).

In phpMyAdmin before 4.4.15.8, a vulnerability was discovered where an
attacker could redirect a user to a malicious web page (CVE-2016-6626).

In phpMyAdmin before 4.4.15.8, a vulnerability was discovered where an
attacker can determine the phpMyAdmin host location through the file
url.php (CVE-2016-6627).

In phpMyAdmin before 4.4.15.8, a vulnerability was discovered where an
attacker may be able to trigger a user to download a specially crafted
malicious SVG file (CVE-2016-6628).

In phpMyAdmin before 4.4.15.8, a vulnerability was reported with the
$cfg['ArbitraryServerRegexp'] configuration directive. An attacker could
reuse certain cookie values to bypass the servers defined by
ArbitraryServerRegexp (CVE-2016-6629).

In phpMyAdmin before 4.4.15.8, an authenticated user can trigger a
denial-of-service (DOS) attack by entering a very long password at the
change password dialog (CVE-2016-6630).

In phpMyAdmin before 4.4.15.8, a vulnerability was discovered where a user
can execute a remote code execution attack against a server when
phpMyAdmin is being run as a CGI application. Under certain server
configurations, a user can pass a query string which is executed as a
command-line argument by the file generator_plugin.sh (CVE-2016-6631).

In phpMyAdmin before 4.4.15.8, a flaw was discovered where, under certain
conditions, phpMyAdmin may not delete temporary files during the import
of ESRI files (CVE-2016-6632).

In phpMyAdmin before 4.4.15.8, a vulnerability was discovered where
phpMyAdmin can be used to trigger a remote code execution attack against
certain PHP installations (CVE-2016-6633).
                
