FreeBSD: phpmyadmin -- multiple vulnerabilities (Multiple CVEs)
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 4 | (AV:N/AC:L/Au:N/C:C/I:C/A:C) | Aug 17, 2016 | Aug 19, 2016 | Jul 28, 2025 |
Description
The phpmyadmin development team reports:
Summary
Weakness with cookie encryption
Description
A pair of vulnerabilities were found affecting the
way cookies are stored.
The decryption of the username/password is
vulnerable to a padding oracle attack. This can allow
an attacker who has access to a user's browser cookie
file to decrypt the username and password.
A vulnerability was found where the same
initialization vector (IV) is used to hash the
username and password stored in the phpMyAdmin
cookie. If a user has the same password as their
username, an attacker who examines the browser cookie
can see that they are the same but the attacker can not
directly decode these values from the cookie as it is
still hashed.
Severity
We consider this to be critical.
Summary
Multiple XSS vulnerabilities
Description
Multiple vulnerabilities have been discovered in the
following areas of phpMyAdmin:
* Zoom search: Specially crafted column content can
  be used to trigger an XSS attack
* GIS editor: Certain fields in the graphical GIS
  editor are not properly escaped and can be used to
  trigger an XSS attack
* Relation view
* The following Transformations:
  * Formatted
  * Imagelink
  * JPEG: Upload
  * RegexValidation
  * JPEG inline
  * PNG inline
  * transformation wrapper
* XML export
* MediaWiki export
* Designer
* When the MySQL server is running with a
  specially-crafted log_bin directive
* Database tab
* Replication feature
* Database search
Severity
We consider these vulnerabilities to be of
moderate severity.
Summary
Multiple XSS vulnerabilities
Description
XSS vulnerabilities were discovered in:
* The database privilege check
* The "Remove partitioning" functionality
Specially crafted database names can trigger the XSS
attack.
Severity
We consider these vulnerabilities to be of moderate
severity.
Summary
PHP code injection
Description
A vulnerability was found where a specially crafted
database name could be used to run arbitrary PHP
commands through the array export feature
Severity
We consider these vulnerabilities to be of
moderate severity.
Summary
Full path disclosure
Description
A full path disclosure vulnerability was discovered
where a user can trigger a particular error in the
export mechanism to discover the full path of phpMyAdmin
on the disk.
Severity
We consider this vulnerability to be
non-critical.
Summary
SQL injection attack
Description
A vulnerability was reported where a specially
crafted database and/or table name can be used to
trigger an SQL injection attack through the export
functionality.
Severity
We consider this vulnerability to be serious
Summary
Local file exposure
Description
A vulnerability was discovered where a user can
exploit the LOAD LOCAL INFILE functionality to expose
files on the server to the database system.
Severity
We consider this vulnerability to be serious.
Summary
Local file exposure through symlinks with
UploadDir
Description
A vulnerability was found where a user can
specially craft a symlink on disk, to a file which
phpMyAdmin is permitted to read but the user is not,
which phpMyAdmin will then expose to the user.
Severity
We consider this vulnerability to be serious,
however due to the mitigation factors the
default state is not vulnerable.
Mitigation factor
1) The installation must be run with UploadDir configured (not the default)
2) The user must be able to create a symlink in the UploadDir
3) The user running the phpMyAdmin application must be able to read the file
Summary
Path traversal with SaveDir and UploadDir
Description
A vulnerability was reported with the %u
username replacement functionality of the SaveDir and
UploadDir features. When the username substitution is
configured, a specially-crafted user name can be used to
circumvent restrictions to traverse the file system.
Severity
We consider this vulnerability to be serious,
however due to the mitigation factors the default
state is not vulnerable.
Mitigation factor
1) A system must be configured with the %u username replacement, such as `$cfg['SaveDir'] = 'SaveDir_%u';`
2) The user must be able to create a specially-crafted MySQL user, including the `/.` sequence of characters, such as `/../../`
Summary
Multiple XSS vulnerabilities
Description
Multiple XSS vulnerabilities were found in the following
areas:
* Navigation pane and database/table hiding
  feature. A specially-crafted database name can be used
  to trigger an XSS attack.
* The "Tracking" feature. A specially-crafted query
  can be used to trigger an XSS attack.
* GIS visualization feature.
Severity
We consider this vulnerability to be non-critical.
Summary
SQL injection attack
Description
A vulnerability was discovered in the following
features where a user can execute an SQL injection
attack against the account of the control user:
* User group
* Designer
Severity
We consider this vulnerability to be serious.
Mitigation factor
The server must have a control user account created in
MySQL and configured in phpMyAdmin; installations without a
control user are not vulnerable.
Summary
SQL injection attack
Description
A vulnerability was reported where a specially
crafted database and/or table name can be used to
trigger an SQL injection attack through the export
functionality.
Severity
We consider this vulnerability to be serious
Summary
Denial of service (DOS) attack in transformation
feature
Description
A vulnerability was found in the transformation feature
allowing a user to trigger a denial-of-service (DOS) attack
against the server.
Severity
We consider this vulnerability to be non-critical
Summary
SQL injection attack as control user
Description
A vulnerability was discovered in the user interface
preference feature where a user can execute an SQL injection
attack against the account of the control user.
Severity
We consider this vulnerability to be serious.
Mitigation factor
The server must have a control user account created in
MySQL and configured in phpMyAdmin; installations without a
control user are not vulnerable.
Summary
Unvalidated data passed to unserialize()
Description
A vulnerability was reported where some data is passed to
the PHP unserialize() function without
verification that it's valid serialized data.
Due to how the PHP function operates,
"Unserialization can result in code being loaded and
executed due to object instantiation and autoloading, and
a malicious user may be able to exploit this."
Therefore, a malicious user may be able to manipulate the
stored data in a way to exploit this weakness.
Severity
We consider this vulnerability to be moderately
severe.
Summary
DOS attack with forced persistent connections
Description
A vulnerability was discovered where an unauthenticated
user is able to execute a denial-of-service (DOS) attack by
forcing persistent connections when phpMyAdmin is running
with `$cfg['AllowArbitraryServer']=true;`.
Severity
We consider this vulnerability to be critical, although
note that phpMyAdmin is not vulnerable by default.
Summary
Denial of service (DOS) attack by for loops
Description
A vulnerability has been reported where a malicious
authorized user can cause a denial-of-service (DOS) attack
on a server by passing large values to a loop.
Severity
We consider this issue to be of moderate severity.
Summary
IPv6 and proxy server IP-based authentication rule
circumvention
Description
A vulnerability was discovered where, under certain
circumstances, it may be possible to circumvent the
phpMyAdmin IP-based authentication rules.
When phpMyAdmin is used with IPv6 in a proxy server
environment, and the proxy server is in the allowed range
but the attacking computer is not allowed, this
vulnerability can allow the attacking computer to connect
despite the IP rules.
Severity
We consider this vulnerability to be serious
Mitigation factor
* The phpMyAdmin installation must be running with IP-based allow/deny rules
* The phpMyAdmin installation must be running behind a proxy server (or proxy servers) where the proxy server is "allowed" and the attacker is "denied"
* The connection between the proxy server and phpMyAdmin must be via IPv6
Summary
Detect if user is logged in
Description
A vulnerability was reported where an attacker can
determine whether a user is logged in to phpMyAdmin.
The user's session, username, and password are not
compromised by this vulnerability.
Severity
We consider this vulnerability to be non-critical.
Summary
Bypass URL redirect protection
Description
A vulnerability was discovered where an attacker could
redirect a user to a malicious web page.
Severity
We consider this to be of moderate severity
Summary
Referrer leak in url.php
Description
A vulnerability was discovered where an attacker can
determine the phpMyAdmin host location through the file
url.php.
Severity
We consider this to be of moderate severity.
Summary
Reflected File Download attack
Description
A vulnerability was discovered where an attacker may be
able to trigger a user to download a specially crafted
malicious SVG file.
Severity
We consider this issue to be of moderate severity.
Summary
ArbitraryServerRegexp bypass
Description
A vulnerability was reported with the
$cfg['ArbitraryServerRegexp'] configuration
directive. An attacker could reuse certain cookie values in
a way of bypassing the servers defined by
ArbitraryServerRegexp.
Severity
We consider this vulnerability to be critical.
Mitigation factor
Only servers using
`$cfg['ArbitraryServerRegexp']` are vulnerable to
this attack.
Summary
Denial of service (DOS) attack by changing password to a
very long string
Description
An authenticated user can trigger a denial-of-service
(DOS) attack by entering a very long password at the change
password dialog.
Severity
We consider this vulnerability to be serious.
Summary
Remote code execution vulnerability when run as CGI
Description
A vulnerability was discovered where a user can execute a
remote code execution attack against a server when
phpMyAdmin is being run as a CGI application. Under certain
server configurations, a user can pass a query string which
is executed as a command-line argument by the file
generator_plugin.sh.
Severity
We consider this vulnerability to be critical.
Mitigation factor
The file
`/libraries/plugins/transformations/generator_plugin.sh` may
be removed. Under certain server configurations, it may be
sufficient to remove execute permissions for this file.
Summary
Denial of service (DOS) attack with dbase extension
Description
A flaw was discovered where, under certain conditions,
phpMyAdmin may not delete temporary files during the import
of ESRI files.
Severity
We consider this vulnerability to be non-critical.
Mitigation factor
This vulnerability only exists when PHP is running with
the dbase extension, which is not shipped by default, not
available in most Linux distributions, and doesn't
compile with PHP7.
Summary
Remote code execution vulnerability when PHP is running
with dbase extension
Description
A vulnerability was discovered where phpMyAdmin can be
used to trigger a remote code execution attack against
certain PHP installations.
Severity
We consider this vulnerability to be critical.
Mitigation factor
This vulnerability only exists when PHP is running with
the dbase extension, which is not shipped by default, not
available in most Linux distributions, and doesn't
compile with PHP7.
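The two SaveDir/UploadDir issues reported above (path traversal through the %u username replacement, and file exposure through a symlink in UploadDir) both come down to trusting a path before it is canonicalised. The following PHP is an added example of a defensive check for that pattern; it is not phpMyAdmin's code and not part of the advisory, and the function names `resolveUserDir` and `resolveUploadFile` and the sample directory layout are assumptions.

```php
<?php
// Added example, not phpMyAdmin's code; all function names are hypothetical.

// Expand %u in a SaveDir/UploadDir template and return the canonical
// directory, or null if the result is missing or falls outside $base.
function resolveUserDir(string $base, string $template, string $username): ?string
{
    // A MySQL user name is attacker-chosen text: refuse path syntax outright.
    if ($username === '' || $username === '.' || $username === '..'
        || strpbrk($username, "/\\") !== false || strpos($username, "\0") !== false) {
        return null;
    }
    $baseReal = realpath($base);
    $dirReal  = realpath($base . '/' . str_replace('%u', $username, $template));
    if ($baseReal === false || $dirReal === false || !is_dir($dirReal)) {
        return null;
    }
    // Containment check on canonical paths (symlinks already resolved).
    $prefix = rtrim($baseReal, '/') . '/';
    return strncmp($dirReal . '/', $prefix, strlen($prefix)) === 0 ? $dirReal : null;
}

// Return the canonical path of a regular file directly inside $userDir,
// or null for symlinks, nested paths, and anything resolving elsewhere.
function resolveUploadFile(string $userDir, string $name): ?string
{
    if ($name === '' || $name !== basename($name)) {
        return null;
    }
    $path = $userDir . '/' . $name;
    if (is_link($path)) {
        return null; // the UploadDir symlink case
    }
    $real = realpath($path);
    return ($real !== false && dirname($real) === $userDir && is_file($real)) ? $real : null;
}

// Constructed sample layout in a temporary directory.
$base = sys_get_temp_dir() . '/pma_demo_' . getmypid();
mkdir($base . '/SaveDir_alice', 0700, true);
file_put_contents($base . '/SaveDir_alice/dump.sql', "-- sample\n");
file_put_contents($base . '/secret.txt', "not for alice\n");
symlink($base . '/secret.txt', $base . '/SaveDir_alice/link.sql');

$dir = resolveUserDir($base, 'SaveDir_%u', 'alice');
var_dump($dir);                                          // accepted directory
var_dump(resolveUserDir($base, 'SaveDir_%u', '/../../')); // rejected user name
var_dump(resolveUploadFile($dir, 'dump.sql'));           // regular file
var_dump(resolveUploadFile($dir, 'link.sql'));           // symlink to secret.txt
```

The check and the later read are separate steps, so a directory that database users can modify concurrently still leaves a race between them.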