{ "schema_version": "1.6.2", "id": "MGASA-2016-0416", "published": "2016-12-09T08:42:46Z", "modified": "2016-12-09T08:14:14Z", "summary": "Updated phpmyadmin packages fix security vulnerability", "details": "In phpMyAdmin before 4.4.15.9, when the user does not specify a\nblowfish_secret key for encrypting cookies, phpMyAdmin generates one at\nruntime. A vulnerability was reported where the way this value is created\nusing a weak algorithm. This could allow an attacker to determine the\nuser's blowfish_secret and potentially decrypt their cookies\n(CVE-2016-9847).\n\nIn phpMyAdmin before 4.4.15.9, phpinfo.php shows PHP information including\nvalues of sensitive HttpOnly cookies (CVE-2016-9848).\n\nIn phpMyAdmin before 4.4.15.9, it is possible to bypass AllowRoot\nrestriction ($cfg['Servers'][$i]['AllowRoot']) and deny rules for username\nby using Null Byte in the username (CVE-2016-9849).\n\nIn phpMyAdmin before 4.4.15.9, a vulnerability in username matching for\nthe allow/deny rules may result in wrong matches and detection of the\nusername in the rule due to non-constant execution time (CVE-2016-9850).\n\nIn phpMyAdmin before 4.4.15.9, with a crafted request parameter value it\nis possible to bypass the logout timeout (CVE-2016-9851).\n\nIn phpMyAdmin before 4.4.15.9, by calling some scripts that are part of\nphpMyAdmin in an unexpected way, it is possible to trigger phpMyAdmin to\ndisplay a PHP error message which contains the full path of the directory\nwhere phpMyAdmin is installed. During an execution timeout in the export\nfunctionality, the errors containing the full path of the directory of\nphpMyAdmin is written to the export file (CVE-2016-9852, CVE-2016-9853,\nCVE-2016-9854, CVE-2016-9855).\n\nIn phpMyAdmin before 4.4.15.9, several XSS vulnerabilities have been\nreported, including an improper fix for PMASA-2016-10 and a weakness in a\nregular expression using in some JavaScript processing (CVE-2016-9856,\nCVE-2016-9857).\n\nIn phpMyAdmin before 4.4.15.9, with a crafted request parameter value it\nis possible to initiate a denial of service attack in saved searches\nfeature (CVE-2016-9858).\n\nIn phpMyAdmin before 4.4.15.9, with a crafted request parameter value it\nis possible to initiate a denial of service attack in import feature\n(CVE-2016-9859).\n\nIn phpMyAdmin before 4.4.15.9, an unauthenticated user can execute a\ndenial of service attack when phpMyAdmin is running with\n$cfg['AllowArbitraryServer']=true; (CVE-2016-9860).\n\nIn phpMyAdmin before 4.4.15.9, due to the limitation in URL matching, it\nwas possible to bypass the URL white-list protection (CVE-2016-9861).\n\nIn phpMyAdmin before 4.4.15.9, with a crafted username or a table name,\nit was possible to inject SQL statements in the tracking functionality\nthat would run with the privileges of the control user. This gives read\nand write access to the tables of the configuration storage database, and\nif the control user has the necessary privileges, read access to some\ntables of the mysql database (CVE-2016-9864).\n\nIn phpMyAdmin before 4.4.15.9, due to a bug in serialized string parsing,\nit was possible to bypass the protection offered by PMA_safeUnserialize()\nfunction (CVE-2016-9865).\n\nIn phpMyAdmin before 4.4.15.9, when the arg_separator is different from\nits default value of &, the token was not properly stripped from the\nreturn URL of the preference import action (CVE-2016-9866).\n", "related": [ "CVE-2016-9847", "CVE-2016-9848", "CVE-2016-9849", "CVE-2016-9850", "CVE-2016-9851", "CVE-2016-9852", "CVE-2016-9853", "CVE-2016-9854", "CVE-2016-9855", "CVE-2016-9856", "CVE-2016-9857", "CVE-2016-9858", "CVE-2016-9859", "CVE-2016-9860", "CVE-2016-9861", "CVE-2016-9864", "CVE-2016-9865", "CVE-2016-9866" ], "references": [ { "type": "ADVISORY", "url": "https://advisories.mageia.org/MGASA-2016-0416.html" }, { "type": "REPORT", "url": "https://bugs.mageia.org/show_bug.cgi?id=19841" }, { "type": "REPORT", "url": "https://www.phpmyadmin.net/security/PMASA-2016-58/" }, { "type": "REPORT", "url": "https://www.phpmyadmin.net/security/PMASA-2016-59/" }, { "type": "REPORT", "url": "https://www.phpmyadmin.net/security/PMASA-2016-60/" }, { "type": "REPORT", "url": "https://www.phpmyadmin.net/security/PMASA-2016-61/" }, { "type": "REPORT", "url": "https://www.phpmyadmin.net/security/PMASA-2016-62/" }, { "type": "REPORT", "url": "https://www.phpmyadmin.net/security/PMASA-2016-63/" }, { "type": "REPORT", "url": "https://www.phpmyadmin.net/security/PMASA-2016-64/" }, { "type": "REPORT", "url": "https://www.phpmyadmin.net/security/PMASA-2016-65/" }, { "type": "REPORT", "url": "https://www.phpmyadmin.net/security/PMASA-2016-66/" }, { "type": "REPORT", "url": "https://www.phpmyadmin.net/security/PMASA-2016-69/" }, { "type": "REPORT", "url": "https://www.phpmyadmin.net/security/PMASA-2016-70/" }, { "type": "REPORT", "url": "https://www.phpmyadmin.net/security/PMASA-2016-71/" }, { "type": "REPORT", "url": "https://www.phpmyadmin.net/files/4.4.15.9/" }, { "type": "REPORT", "url": "https://www.phpmyadmin.net/news/2016/11/25/phpmyadmin-401018-44159-and-465-are-released/" } ], "affected": [ { "package": { "ecosystem": "Mageia:5", "name": "phpmyadmin", "purl": "pkg:rpm/mageia/phpmyadmin?arch=source&distro=mageia-5" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "4.4.15.9-1.mga5" } ] } ], "ecosystem_specific": { "section": "core" } } ], "credits": [ { "name": "Mageia", "type": "COORDINATOR", "contact": [ "https://wiki.mageia.org/en/Packages_Security_Team" ] } ] }