author matthew <matthew@FreeBSD.org> 2016-08-17 19:02:43 +0800
committer matthew <matthew@FreeBSD.org> 2016-08-17 19:02:43 +0800
commit a816fb8744ab7dfd9170db4ae670b1a6d04bb2e3
tree 79d1594e20c8567e3a1b28ede7d29e511a3b57df /security
parent 92a06a8038a415296eee1d6731e48c8ed11e3a77
Document 26 new security advisories from phpmyadmin. Some of these are
described as 'critical'.
Diffstat (limited to 'security')
-rw-r--r-- security/vuxml/vuln.xml 482
1 files changed, 482 insertions, 0 deletions
diff --git a/security/vuxml/vuln.xml b/security/vuxml/vuln.xml
index d070a71709e5..7891e654c756 100644
--- a/security/vuxml/vuln.xml
+++ b/security/vuxml/vuln.xml
@@ -58,6 +58,488 @@ Notes:
* Do not forget port variants (linux-f10-libxml2, libxml2, etc.)
-->
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
+ <vuln vid="ef70b201-645d-11e6-9cdc-6805ca0b3d42">
+ <topic>phpmyadmin -- multiple vulnerabilities</topic>
+ <affects>
+ <package>
+ <name>phpmyadmin</name>
+ <range><ge>4.6.0</ge><lt>4.6.4</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>The phpmyadmin development team reports:</p>
+ <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-29/">
+ <h3>Summary</h3>
+ <p>Weakness with cookie encryption</p>
+ <h3>Description</h3>
+ <p>A pair of vulnerabilities were found affecting the
+ way cookies are stored.</p>
+ <ul>
+ <li>The decryption of the username/password is
+ vulnerable to a padding oracle attack. The can allow
+ an attacker who has access to a user's browser cookie
+ file to decrypt the username and password.</li>
+ <li>A vulnerability was found where the same
+ initialization vector (IV) is used to hash the
+ username and password stored in the phpMyAdmin
+ cookie. If a user has the same password as their
+ username, an attacker who examines the browser cookie
+ can see that they are the but the attacker can not
+ directly decode these values from the cookie as it is
+ still hashed.</li>
+ </ul>
+ <h3>Severity</h3>
+ <p>We consider this to be critical.</p>
+ </blockquote>
+ <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-30/">
+ <h3>Summary</h3>
+ <p>Multiple XSS vulnerabilities</p>
+ <h3>Description</h3>
+ <p>Multiple vulnerabilities have been discovered in the
+ following areas of phpMyAdmin:</p>
+ <ul>
+ <li>Zoom search: Specially crafted column content can
+ be used to trigger an XSS attack</li>
+ <li>GIS editor: Certain fields in the graphical GIS
+ editor at not properly escaped and can be used to
+ trigger an XSS attack</li>
+ <li>Relation view</li>
+ <li>The following Transformations:
+ <ul>
+ <li>Formatted</li>
+ <li>Imagelink</li>
+ <li>JPEG: Upload</li>
+ <li>RegexValidation</li>
+ <li>JPEG inline</li>
+ <li>PNG inline</li>
+ <li>transformation wrapper</li>
+ </ul>
+ </li>
+ <li>XML export</li>
+ <li>MediaWiki export</li>
+ <li>Designer</li>
+ <li>When the MySQL server is running with a
+ specially-crafted <code>log_bin</code> directive</li>
+ <li>Database tab</li>
+ <li>Replication feature</li>
+ <li>Database search</li>
+ </ul>
+ <h3>Severity</h3>
+ <p>We consider these vulnerabilities to be of
+ moderate severity.</p>
+ </blockquote>
+ <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-31/">
+ <h3>Summary</h3>
+ <p>Multiple XSS vulnerabilities</p>
+ <h3>Description</h3>
+ <p>XSS vulnerabilities were discovered in:</p>
+ <ul>
+ <li>The database privilege check</li>
+ <li>The "Remove partitioning" functionality</li>
+ </ul>
+ <p>Specially crafted database names can trigger the XSS
+ attack.</p>
+ <h3>Severity</h3>
+ <p>We consider these vulnerabilities to be of moderate
+ severity.</p>
+ </blockquote>
+ <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-32/">
+ <h3>Summary</h3>
+ <p>PHP code injection</p>
+ <h3>Description</h3>
+ <p>A vulnerability was found where a specially crafted
+ database name could be used to run arbitrary PHP
+ commands through the array export feature</p>
+ <h3>Severity</h3>
+ <p>We consider these vulnerabilities to be of
+ moderate severity.</p>
+ </blockquote>
+ <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-33/">
+ <h3>Summary</h3>
+ <p>Full path disclosure</p>
+ <h3>Description</h3>
+ <p>A full path disclosure vulnerability was discovered
+ where a user can trigger a particular error in the
+ export mechanism to discover the full path of phpMyAdmin
+ on the disk.</p>
+ <h3>Severity</h3>
+ <p>We consider this vulnerability to be
+ non-critical.</p>
+ </blockquote>
+ <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-34/">
+ <h3>Summary</h3>
+ <p>SQL injection attack</p>
+ <h3>Description</h3>
+ <p>A vulnerability was reported where a specially
+ crafted database and/or table name can be used to
+ trigger an SQL injection attack through the export
+ functionality.</p>
+ <h3>Severity</h3>
+ <p>We consider this vulnerability to be serious</p>
+ </blockquote>
+ <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-35/">
+ <h3>Summary</h3>
+ <p>Local file exposure</p>
+ <h3>Description</h3>
+ <p>A vulnerability was discovered where a user can
+ exploit the LOAD LOCAL INFILE functionality to expose
+ files on the server to the database system.</p>
+ <h3>Severity</h3>
+ <p>We consider this vulnerability to be serious.</p>
+ </blockquote>
+ <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-36/">
+ <h3>Summary</h3>
+ <p>Local file exposure through symlinks with
+ UploadDir</p>
+ <h3>Description</h3>
+ <p>A vulnerability was found where a user can
+ specially craft a symlink on disk, to a file which
+ phpMyAdmin is permitted to read but the user is not,
+ which phpMyAdmin will then expose to the user.</p>
+ <h3>Severity</h3>
+ <p>We consider this vulnerability to be serious,
+ however due to the mitigation factors the
+ default state is not vulnerable.</p>
+ <h3>Mitigation factor</h3>
+ <p>1) The installation must be run with UploadDir configured
+ (not the default) 2) The user must be able to create a
+ symlink in the UploadDir 3) The user running the phpMyAdmin
+ application must be able to read the file</p>
+ </blockquote>
+ <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-37/">
+ <h3>Summary</h3>
+ <p>Path traversal with SaveDir and UploadDir</p>
+ <h3>Description</h3>
+ <p>A vulnerability was reported with the <code>%u</code>
+ username replacement functionality of the SaveDir and
+ UploadDir features. When the username substitution is
+ configured, a specially-crafted user name can be used to
+ circumvent restrictions to traverse the file system.</p>
+ <h3>Severity</h3>
+ <p>We consider this vulnerability to be serious,
+ however due to the mitigation factors the default
+ state is not vulnerable.</p>
+ <h3>Mitigation factor</h3>
+ <p>1) A system must be configured with the %u username
+ replacement, such as `$cfg['SaveDir'] =
+ 'SaveDir_%u';` 2) The user must be able to create a
+ specially-crafted MySQL user, including the `/.` sequence of
+ characters, such as `/../../`</p>
+ </blockquote>
+ <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-38/">
+ <h3>Summary</h3>
+ <p>Multiple XSS vulnerabilities</p>
+ <h3>Description</h3>
+ <p>Multiple XSS vulnerabilities were found in the following
+ areas:</p>
+ <ul>
+ <li>Navigation pane and database/table hiding
+ feature. A specially-crafted database name can be used
+ to trigger an XSS attack.</li>
+ <li>The "Tracking" feature. A specially-crafted query
+ can be used to trigger an XSS attack.</li>
+ <li>GIS visualization feature. </li>
+ </ul>
+ <h3>Severity</h3>
+ <p>We consider this vulnerability to be non-critical.</p>
+ </blockquote>
+ <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-39/">
+ <h3>Summary</h3>
+ <p>SQL injection attack</p>
+ <h3>Description</h3>
+ <p>A vulnerability was discovered in the following
+ features where a user can execute an SQL injection
+ attack against the account of the control user:
+ <em>User group</em> Designer</p>
+ <h3>Severity</h3>
+ <p>We consider this vulnerability to be serious.</p>
+ <h3>Mitigation factor</h3>
+ <p>The server must have a control user account created in
+ MySQL and configured in phpMyAdmin; installations without a
+ control user are not vulnerable.</p>
+ </blockquote>
+ <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-40/">
+ <h3>Summary</h3>
+ <p>SQL injection attack</p>
+ <h3>Description</h3>
+ <p>A vulnerability was reported where a specially
+ crafted database and/or table name can be used to
+ trigger an SQL injection attack through the export
+ functionality.</p>
+ <h3>Severity</h3>
+ <p>We consider this vulnerability to be serious</p>
+ </blockquote>
+ <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-41/">
+ <h3>Summary</h3>
+ <p>Denial of service (DOS) attack in transformation
+ feature</p>
+ <h3>Description</h3>
+ <p>A vulnerability was found in the transformation feature
+ allowing a user to trigger a denial-of-service (DOS) attack
+ against the server.</p>
+ <h3>Severity</h3>
+ <p>We consider this vulnerability to be non-critical</p>
+ </blockquote>
+ <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-42/">
+ <h3>Summary</h3>
+ <p>SQL injection attack as control user</p>
+ <h3>Description</h3>
+ <p>A vulnerability was discovered in the user interface
+ preference feature where a user can execute an SQL injection
+ attack against the account of the control user.</p>
+ <h3>Severity</h3>
+ <p>We consider this vulnerability to be serious.</p>
+ <h3>Mitigation factor</h3>
+ <p>The server must have a control user account created in
+ MySQL and configured in phpMyAdmin; installations without a
+ control user are not vulnerable.</p>
+ </blockquote>
+ <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-43/">
+ <h3>Summary</h3>
+ <p>Unvalidated data passed to unserialize()</p>
+ <h3>Description</h3>
+ <p>A vulnerability was reported where some data is passed to
+ the PHP <code>unserialize()</code> function without
+ verification that it's valid serialized data.</p>
+ <p>Due to how the <a href="https://secure.php.net/unserialize">PHP function</a>
+ operates,</p>
+ <blockquote>
+ <p>Unserialization can result in code being loaded and
+ executed due to object instantiation and autoloading, and
+ a malicious user may be able to exploit this.</p>
+ </blockquote>
+ <p>Therefore, a malicious user may be able to manipulate the
+ stored data in a way to exploit this weakness.</p>
+ <h3>Severity</h3>
+ <p>We consider this vulnerability to be moderately
+ severe.</p>
+ </blockquote>
+ <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-45/">
+ <h3>Summary</h3>
+ <p>DOS attack with forced persistent connections</p>
+ <h3>Description</h3>
+ <p>A vulnerability was discovered where an unauthenticated
+ user is able to execute a denial-of-service (DOS) attack by
+ forcing persistent connections when phpMyAdmin is running
+ with <code>$cfg['AllowArbitraryServer']=true;</code>.</p>
+ <h3>Severity</h3>
+ <p>We consider this vulnerability to be critical, although
+ note that phpMyAdmin is not vulnerable by default.</p>
+ </blockquote>
+ <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-46/">
+ <h3>Summary</h3>
+ <p>Denial of service (DOS) attack by for loops</p>
+ <h3>Description</h3>
+ <p>A vulnerability has been reported where a malicious
+ authorized user can cause a denial-of-service (DOS) attack
+ on a server by passing large values to a loop.</p>
+ <h3>Severity</h3>
+ <p>We consider this issue to be of moderate severity.</p>
+ </blockquote>
+ <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-47/">
+ <h3>Summary</h3>
+ <p>IPv6 and proxy server IP-based authentication rule
+ circumvention</p>
+ <h3>Description</h3>
+ <p>A vulnerability was discovered where, under certain
+ circumstances, it may be possible to circumvent the
+ phpMyAdmin IP-based authentication rules.</p>
+ <p>When phpMyAdmin is used with IPv6 in a proxy server
+ environment, and the proxy server is in the allowed range
+ but the attacking computer is not allowed, this
+ vulnerability can allow the attacking computer to connect
+ despite the IP rules.</p>
+ <h3>Severity</h3>
+ <p>We consider this vulnerability to be serious</p>
+ <h3>Mitigation factor</h3>
+ <p>* The phpMyAdmin installation must be running with
+ IP-based allow/deny rules * The phpMyAdmin installation must
+ be running behind a proxy server (or proxy servers) where
+ the proxy server is "allowed" and the attacker is
+ "denied" * The connection between the proxy server
+ and phpMyAdmin must be via IPv6</p>
+ </blockquote>
+ <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-48/">
+ <h3>Summary</h3>
+ <p>Detect if user is logged in</p>
+ <h3>Description</h3>
+ <p>A vulnerability was reported where an attacker can
+ determine whether a user is logged in to phpMyAdmin.</p>
+ <p>The user's session, username, and password are not
+ compromised by this vulnerability.</p>
+ <h3>Severity</h3>
+ <p>We consider this vulnerability to be non-critical.</p>
+ </blockquote>
+ <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-49/">
+ <h3>Summary</h3>
+ <p>Bypass URL redirect protection</p>
+ <h3>Description</h3>
+ <p>A vulnerability was discovered where an attacker could
+ redirect a user to a malicious web page.</p>
+ <h3>Severity</h3>
+ <p>We consider this to be of moderate severity</p>
+ </blockquote>
+ <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-50/">
+ <h3>Summary</h3>
+ <p>Referrer leak in url.php</p>
+ <h3>Description</h3>
+ <p>A vulnerability was discovered where an attacker can
+ determine the phpMyAdmin host location through the file
+ <code>url.php</code>.</p>
+ <h3>Severity</h3>
+ <p>We consider this to be of moderate severity.</p>
+ </blockquote>
+ <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-51/">
+ <h3>Summary</h3>
+ <p>Reflected File Download attack</p>
+ <h3>Description</h3>
+ <p>A vulnerability was discovered where an attacker may be
+ able to trigger a user to download a specially crafted
+ malicious SVG file.</p>
+ <h3>Severity</h3>
+ <p>We consider this issue to be of moderate severity.</p>
+ </blockquote>
+ <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-52/">
+ <h3>Summary</h3>
+ <p>ArbitraryServerRegexp bypass</p>
+ <h3>Description</h3>
+ <p>A vulnerability was reported with the
+ <code>$cfg['ArbitraryServerRegexp']</code> configuration
+ directive. An attacker could reuse certain cookie values in
+ a way of bypassing the servers defined by
+ <code>ArbitraryServerRegexp</code>.</p>
+ <h3>Severity</h3>
+ <p>We consider this vulnerability to be critical.</p>
+ <h3>Mitigation factor</h3>
+ <p>Only servers using
+ `$cfg['ArbitraryServerRegexp']` are vulnerable to
+ this attack.</p>
+ </blockquote>
+ <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-53/">
+ <h3>Summary</h3>
+ <p>Denial of service (DOS) attack by changing password to a
+ very long string</p>
+ <h3>Description</h3>
+ <p>An authenticated user can trigger a denial-of-service
+ (DOS) attack by entering a very long password at the change
+ password dialog.</p>
+ <h3>Severity</h3>
+ <p>We consider this vulnerability to be serious.</p>
+ </blockquote>
+ <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-54/">
+ <h3>Summary</h3>
+ <p>Remote code execution vulnerability when run as CGI</p>
+ <h3>Description</h3>
+ <p>A vulnerability was discovered where a user can execute a
+ remote code execution attack against a server when
+ phpMyAdmin is being run as a CGI application. Under certain
+ server configurations, a user can pass a query string which
+ is executed as a command-line argument by the file
+ <code>generator_plugin.sh</code>.</p>
+ <h3>Severity</h3>
+ <p>We consider this vulnerability to be critical.</p>
+ <h3>Mitigation factor</h3>
+ <p>The file
+ `/libraries/plugins/transformations/generator_plugin.sh` may
+ be removed. Under certain server configurations, it may be
+ sufficient to remove execute permissions for this file.</p>
+ </blockquote>
+ <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-55/">
+ <h3>Summary</h3>
+ <p>Denial of service (DOS) attack with dbase extension</p>
+ <h3>Description</h3>
+ <p>A flaw was discovered where, under certain conditions,
+ phpMyAdmin may not delete temporary files during the import
+ of ESRI files.</p>
+ <h3>Severity</h3>
+ <p>We consider this vulnerability to be non-critical.</p>
+ <h3>Mitigation factor</h3>
+ <p>This vulnerability only exists when PHP is running with
+ the dbase extension, which is not shipped by default, not
+ available in most Linux distributions, and doesn't
+ compile with PHP7.</p>
+ </blockquote>
+ <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-56/">
+ <h3>Summary</h3>
+ <p>Remote code execution vulnerability when PHP is running
+ with dbase extension</p>
+ <h3>Description</h3>
+ <p>A vulnerability was discovered where phpMyAdmin can be
+ used to trigger a remote code execution attack against
+ certain PHP installations. </p>
+ <h3>Severity</h3>
+ <p>We consider this vulnerability to be critical.</p>
+ <h3>Mitigation factor</h3>
+ <p>This vulnerability only exists when PHP is running with
+ the dbase extension, which is not shipped by default, not
+ available in most Linux distributions, and doesn't
+ compile with PHP7.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://www.phpmyadmin.net/security/PMASA-2016-29/</url>
+ <url>https://www.phpmyadmin.net/security/PMASA-2016-30/</url>
+ <url>https://www.phpmyadmin.net/security/PMASA-2016-31/</url>
+ <url>https://www.phpmyadmin.net/security/PMASA-2016-32/</url>
+ <url>https://www.phpmyadmin.net/security/PMASA-2016-33/</url>
+ <url>https://www.phpmyadmin.net/security/PMASA-2016-34/</url>
+ <url>https://www.phpmyadmin.net/security/PMASA-2016-35/</url>
+ <url>https://www.phpmyadmin.net/security/PMASA-2016-36/</url>
+ <url>https://www.phpmyadmin.net/security/PMASA-2016-37/</url>
+ <url>https://www.phpmyadmin.net/security/PMASA-2016-38/</url>
+ <url>https://www.phpmyadmin.net/security/PMASA-2016-39/</url>
+ <url>https://www.phpmyadmin.net/security/PMASA-2016-40/</url>
+ <url>https://www.phpmyadmin.net/security/PMASA-2016-41/</url>
+ <url>https://www.phpmyadmin.net/security/PMASA-2016-42/</url>
+ <url>https://www.phpmyadmin.net/security/PMASA-2016-43/</url>
+ <url>https://www.phpmyadmin.net/security/PMASA-2016-45/</url>
+ <url>https://www.phpmyadmin.net/security/PMASA-2016-46/</url>
+ <url>https://www.phpmyadmin.net/security/PMASA-2016-47/</url>
+ <url>https://www.phpmyadmin.net/security/PMASA-2016-48/</url>
+ <url>https://www.phpmyadmin.net/security/PMASA-2016-49/</url>
+ <url>https://www.phpmyadmin.net/security/PMASA-2016-50/</url>
+ <url>https://www.phpmyadmin.net/security/PMASA-2016-51/</url>
+ <url>https://www.phpmyadmin.net/security/PMASA-2016-52/</url>
+ <url>https://www.phpmyadmin.net/security/PMASA-2016-53/</url>
+ <url>https://www.phpmyadmin.net/security/PMASA-2016-54/</url>
+ <url>https://www.phpmyadmin.net/security/PMASA-2016-55/</url>
+ <url>https://www.phpmyadmin.net/security/PMASA-2016-56/</url>
+ <cvename>CVE-2016-6606</cvename>
+ <cvename>CVE-2016-6607</cvename>
+ <cvename>CVE-2016-6608</cvename>
+ <cvename>CVE-2016-6609</cvename>
+ <cvename>CVE-2016-6610</cvename>
+ <cvename>CVE-2016-6611</cvename>
+ <cvename>CVE-2016-6612</cvename>
+ <cvename>CVE-2016-6613</cvename>
+ <cvename>CVE-2016-6614</cvename>
+ <cvename>CVE-2016-6615</cvename>
+ <cvename>CVE-2016-6616</cvename>
+ <cvename>CVE-2016-6617</cvename>
+ <cvename>CVE-2016-6618</cvename>
+ <cvename>CVE-2016-6619</cvename>
+ <cvename>CVE-2016-6620</cvename>
+ <cvename>CVE-2016-6622</cvename>
+ <cvename>CVE-2016-6623</cvename>
+ <cvename>CVE-2016-6624</cvename>
+ <cvename>CVE-2016-6625</cvename>
+ <cvename>CVE-2016-6626</cvename>
+ <cvename>CVE-2016-6627</cvename>
+ <cvename>CVE-2016-6628</cvename>
+ <cvename>CVE-2016-6629</cvename>
+ <cvename>CVE-2016-6630</cvename>
+ <cvename>CVE-2016-6631</cvename>
+ <cvename>CVE-2016-6632</cvename>
+ <cvename>CVE-2016-6633</cvename>
+ </references>
+ <dates>
+ <discovery>2016-08-17</discovery>
+ <entry>2016-08-17</entry>
+ </dates>
+ </vuln>
+
<vuln vid="f7dd2d09-625e-11e6-828b-fcaa14edc6a6">
<topic>TeamSpeak Server 3 -- Multiple vulnerabilities including Remote Code Execution</topic>
<affects>
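Review bot: In the PMASA-2016-39 description the affected features are written as "<em>User group</em> Designer", which reads like a two-item bullet list ("User group", "Designer") that a Markdown conversion turned into emphasis; it should be a <ul> with two <li> items, as the other advisories in this entry use. The same conversion residue appears elsewhere in the new entry: the Mitigation factor paragraphs for PMASA-2016-36, -37 and -47 flatten their "1) ... 2) ..." and "* ... * ..." items into a single <p>, and PMASA-2016-37, -52 and -54 carry literal backticks around the $cfg[...] values and the generator_plugin.sh path where the rest of the entry uses <code>. Typos in the quoted text are also worth checking against the upstream advisories before committing: "The can allow" and "can see that they are the but" in PMASA-2016-29, and "editor at not properly escaped" in PMASA-2016-30. Two smaller points: the entry lists 27 advisory URLs and 27 CVE names while the commit message says 26, and the <range> matches only 4.6.0 up to 4.6.4, so please confirm against the advisories that no other supported branch needs its own range.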