Rapid7 Vulnerability & Exploit Database

FreeBSD: phpmyadmin -- multiple vulnerabilities (Multiple CVEs)


Severity: 4
CVSS: (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Published: 08/17/2016
Created: 07/25/2018
Added: 08/19/2016
Modified: 03/21/2018

Description

The phpmyadmin development team reports:

Summary: Weakness with cookie encryption
Description: A pair of vulnerabilities were found affecting the way cookies are stored. The decryption of the username/password is vulnerable to a padding oracle attack. This can allow an attacker who has access to a user's browser cookie file to decrypt the username and password. A vulnerability was found where the same initialization vector (IV) is used to hash the username and password stored in the phpMyAdmin cookie. If a user has the same password as their username, an attacker who examines the browser cookie can see that they are the same, but the attacker can not directly decode these values from the cookie as it is still hashed.
Severity: We consider this to be critical.

Summary: Multiple XSS vulnerabilities
Description: Multiple vulnerabilities have been discovered in the following areas of phpMyAdmin:
  • Zoom search: Specially crafted column content can be used to trigger an XSS attack
  • GIS editor: Certain fields in the graphical GIS editor are not properly escaped and can be used to trigger an XSS attack
  • Relation view
  • The following Transformations: Formatted, Imagelink, JPEG: Upload, RegexValidation, JPEG inline, PNG inline, transformation wrapper
  • XML export
  • MediaWiki export
  • Designer
  • When the MySQL server is running with a specially-crafted log_bin directive
  • Database tab
  • Replication feature
  • Database search
Severity: We consider these vulnerabilities to be of moderate severity.

Summary: Multiple XSS vulnerabilities
Description: XSS vulnerabilities were discovered in:
  • The database privilege check
  • The "Remove partitioning" functionality
Specially crafted database names can trigger the XSS attack.
Severity: We consider these vulnerabilities to be of moderate severity.

Summary: PHP code injection
Description: A vulnerability was found where a specially crafted database name could be used to run arbitrary PHP commands through the array export feature.
Severity: We consider these vulnerabilities to be of moderate severity.

Summary: Full path disclosure
Description: A full path disclosure vulnerability was discovered where a user can trigger a particular error in the export mechanism to discover the full path of phpMyAdmin on the disk.
Severity: We consider this vulnerability to be non-critical.

Summary: SQL injection attack
Description: A vulnerability was reported where a specially crafted database and/or table name can be used to trigger an SQL injection attack through the export functionality.
Severity: We consider this vulnerability to be serious.

Summary: Local file exposure
Description: A vulnerability was discovered where a user can exploit the LOAD LOCAL INFILE functionality to expose files on the server to the database system.
Severity: We consider this vulnerability to be serious.

Summary: Local file exposure through symlinks with UploadDir
Description: A vulnerability was found where a user can specially craft a symlink on disk, to a file which phpMyAdmin is permitted to read but the user is not, which phpMyAdmin will then expose to the user.
Severity: We consider this vulnerability to be serious, however due to the mitigation factors the default state is not vulnerable.
Mitigation factor:
  1) The installation must be run with UploadDir configured (not the default)
  2) The user must be able to create a symlink in the UploadDir
  3) The user running the phpMyAdmin application must be able to read the file

Summary: Path traversal with SaveDir and UploadDir
Description: A vulnerability was reported with the %u username replacement functionality of the SaveDir and UploadDir features. When the username substitution is configured, a specially-crafted user name can be used to circumvent restrictions to traverse the file system.
Severity: We consider this vulnerability to be serious, however due to the mitigation factors the default state is not vulnerable.
Mitigation factor:
  1) A system must be configured with the %u username replacement, such as `$cfg['SaveDir'] = 'SaveDir_%u';`
  2) The user must be able to create a specially-crafted MySQL user, including the `/.` sequence of characters, such as `/../../`

Summary: Multiple XSS vulnerabilities
Description: Multiple XSS vulnerabilities were found in the following areas:
  • Navigation pane and database/table hiding feature. A specially-crafted database name can be used to trigger an XSS attack.
  • The "Tracking" feature. A specially-crafted query can be used to trigger an XSS attack.
  • GIS visualization feature.
Severity: We consider this vulnerability to be non-critical.

Summary: SQL injection attack
Description: A vulnerability was discovered in the following features where a user can execute an SQL injection attack against the account of the control user:
  • User group
  • Designer
Severity: We consider this vulnerability to be serious.
Mitigation factor: The server must have a control user account created in MySQL and configured in phpMyAdmin; installations without a control user are not vulnerable.

Summary: SQL injection attack
Description: A vulnerability was reported where a specially crafted database and/or table name can be used to trigger an SQL injection attack through the export functionality.
Severity: We consider this vulnerability to be serious.

Summary: Denial of service (DOS) attack in transformation feature
Description: A vulnerability was found in the transformation feature allowing a user to trigger a denial-of-service (DOS) attack against the server.
Severity: We consider this vulnerability to be non-critical.

Summary: SQL injection attack as control user
Description: A vulnerability was discovered in the user interface preference feature where a user can execute an SQL injection attack against the account of the control user.
Severity: We consider this vulnerability to be serious.
Mitigation factor: The server must have a control user account created in MySQL and configured in phpMyAdmin; installations without a control user are not vulnerable.

Summary: Unvalidated data passed to unserialize()
Description: A vulnerability was reported where some data is passed to the PHP unserialize() function without verification that it's valid serialized data. Due to how the PHP function operates, unserialization can result in code being loaded and executed due to object instantiation and autoloading, and a malicious user may be able to exploit this. Therefore, a malicious user may be able to manipulate the stored data in a way to exploit this weakness.
Severity: We consider this vulnerability to be moderately severe.

Summary: DOS attack with forced persistent connections
Description: A vulnerability was discovered where an unauthenticated user is able to execute a denial-of-service (DOS) attack by forcing persistent connections when phpMyAdmin is running with $cfg['AllowArbitraryServer']=true;.
Severity: We consider this vulnerability to be critical, although note that phpMyAdmin is not vulnerable by default.

Summary: Denial of service (DOS) attack by for loops
Description: A vulnerability has been reported where a malicious authorized user can cause a denial-of-service (DOS) attack on a server by passing large values to a loop.
Severity: We consider this issue to be of moderate severity.

Summary: IPv6 and proxy server IP-based authentication rule circumvention
Description: A vulnerability was discovered where, under certain circumstances, it may be possible to circumvent the phpMyAdmin IP-based authentication rules. When phpMyAdmin is used with IPv6 in a proxy server environment, and the proxy server is in the allowed range but the attacking computer is not allowed, this vulnerability can allow the attacking computer to connect despite the IP rules.
Severity: We consider this vulnerability to be serious.
Mitigation factor:
  * The phpMyAdmin installation must be running with IP-based allow/deny rules
  * The phpMyAdmin installation must be running behind a proxy server (or proxy servers) where the proxy server is "allowed" and the attacker is "denied"
  * The connection between the proxy server and phpMyAdmin must be via IPv6

Summary: Detect if user is logged in
Description: A vulnerability was reported where an attacker can determine whether a user is logged in to phpMyAdmin. The user's session, username, and password are not compromised by this vulnerability.
Severity: We consider this vulnerability to be non-critical.

Summary: Bypass URL redirect protection
Description: A vulnerability was discovered where an attacker could redirect a user to a malicious web page.
Severity: We consider this to be of moderate severity.

Summary: Referrer leak in url.php
Description: A vulnerability was discovered where an attacker can determine the phpMyAdmin host location through the file url.php.
Severity: We consider this to be of moderate severity.

Summary: Reflected File Download attack
Description: A vulnerability was discovered where an attacker may be able to trigger a user to download a specially crafted malicious SVG file.
Severity: We consider this issue to be of moderate severity.

Summary: ArbitraryServerRegexp bypass
Description: A vulnerability was reported with the $cfg['ArbitraryServerRegexp'] configuration directive. An attacker could reuse certain cookie values in a way of bypassing the servers defined by ArbitraryServerRegexp.
Severity: We consider this vulnerability to be critical.
Mitigation factor: Only servers using `$cfg['ArbitraryServerRegexp']` are vulnerable to this attack.

Summary: Denial of service (DOS) attack by changing password to a very long string
Description: An authenticated user can trigger a denial-of-service (DOS) attack by entering a very long password at the change password dialog.
Severity: We consider this vulnerability to be serious.

Summary: Remote code execution vulnerability when run as CGI
Description: A vulnerability was discovered where a user can execute a remote code execution attack against a server when phpMyAdmin is being run as a CGI application. Under certain server configurations, a user can pass a query string which is executed as a command-line argument by the file generator_plugin.sh.
Severity: We consider this vulnerability to be critical.
Mitigation factor: The file `/libraries/plugins/transformations/generator_plugin.sh` may be removed. Under certain server configurations, it may be sufficient to remove execute permissions for this file.

Summary: Denial of service (DOS) attack with dbase extension
Description: A flaw was discovered where, under certain conditions, phpMyAdmin may not delete temporary files during the import of ESRI files.
Severity: We consider this vulnerability to be non-critical.
Mitigation factor: This vulnerability only exists when PHP is running with the dbase extension, which is not shipped by default, not available in most Linux distributions, and doesn't compile with PHP7.

Summary: Remote code execution vulnerability when PHP is running with dbase extension
Description: A vulnerability was discovered where phpMyAdmin can be used to trigger a remote code execution attack against certain PHP installations.
Severity: We consider this vulnerability to be critical.
Mitigation factor: This vulnerability only exists when PHP is running with the dbase extension, which is not shipped by default, not available in most Linux distributions, and doesn't compile with PHP7.
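Several of the entries above state that the default installation is not vulnerable and that exposure depends on non-default settings in config.inc.php: the %u username substitution in SaveDir/UploadDir, a configured UploadDir, AllowArbitraryServer, ArbitraryServerRegexp, a control user, and IP-based AllowDeny rules. The following script is an added example, not code from phpMyAdmin or Rapid7; it parses a constructed config.inc.php fragment for those directives and reports which mitigation factors are absent. The one-line `$cfg[...] = value;` assignment format it parses, the sample config, and the strict user-name policy in `safe_for_substitution` are assumptions for the example.

```python
import re

# Constructed sample config.inc.php fragment (not taken from any real
# installation); it deliberately enables several of the non-default
# settings the advisory lists as mitigation factors.
SAMPLE_CONFIG = r"""<?php
$cfg['blowfish_secret'] = 'placeholder-secret';
$cfg['Servers'][$i]['controluser'] = 'pma';
$cfg['Servers'][$i]['AllowDeny']['order'] = 'deny,allow';
$cfg['SaveDir'] = 'SaveDir_%u';
$cfg['UploadDir'] = '';
$cfg['AllowArbitraryServer'] = true;
$cfg['ArbitraryServerRegexp'] = '/^db[0-9]+\.internal$/';
"""

# Matches simple one-line assignments of the form $cfg[...][...] = value;
_ASSIGN = re.compile(r"^\s*\$cfg((?:\[[^\]]+\])+)\s*=\s*(.+?);\s*$", re.M)


def parse_cfg(text):
    """Return {'Key/SubKey': raw_value} for every $cfg assignment in text.
    Index expressions such as $i are kept verbatim as a path component."""
    cfg = {}
    for m in _ASSIGN.finditer(text):
        keys = [k.strip().strip("'\"") for k in re.findall(r"\[([^\]]+)\]", m.group(1))]
        cfg["/".join(keys)] = m.group(2).strip()
    return cfg


def _unquote(value):
    return value.strip().strip("'\"")


def audit(text):
    """Return (directive, note) pairs for settings that, per the advisory,
    move an installation out of the safe default state."""
    cfg = parse_cfg(text)
    findings = []

    for key in ("SaveDir", "UploadDir"):
        value = _unquote(cfg.get(key, ""))
        if "%u" in value:
            findings.append((key, "username substitution (%u) in use: crafted MySQL user names can traverse the file system"))
        elif key == "UploadDir" and value:
            findings.append((key, "UploadDir configured: symlinks placed there can expose files readable by the phpMyAdmin user"))

    if _unquote(cfg.get("AllowArbitraryServer", "false")).lower() == "true":
        findings.append(("AllowArbitraryServer", "unauthenticated forced persistent connections (DoS) possible"))

    if _unquote(cfg.get("ArbitraryServerRegexp", "")):
        findings.append(("ArbitraryServerRegexp", "cookie values can be reused to bypass the regexp restriction"))

    if any(k.endswith("/controluser") and _unquote(v) for k, v in cfg.items()):
        findings.append(("controluser", "control user present: SQL injection in User group, Designer and UI preference features runs as this account"))

    if any("/AllowDeny/" in k for k in cfg):
        findings.append(("AllowDeny", "IP-based rules in use: verify no IPv6 proxy sits between clients and phpMyAdmin"))

    return findings


# Assumed policy (not from the advisory): only accept user names that can
# never form a path component when substituted for %u.
_SAFE_USER = re.compile(r"^[A-Za-z0-9_-]+$")


def safe_for_substitution(username):
    """True if the name contains nothing that could act as a path separator or dot sequence."""
    return bool(_SAFE_USER.fullmatch(username))


if __name__ == "__main__":
    for directive, note in audit(SAMPLE_CONFIG):
        print(f"{directive}: {note}")
    for name in ("alice_01", "bad/../../name"):
        print(name, "ok" if safe_for_substitution(name) else "REJECT")
```

Run against a real config.inc.php by reading the file and passing its contents to `audit()`; an empty result means the installation is in the default state the advisory describes as not vulnerable for those entries, which does not cover the issues that need no special configuration (the XSS, export SQL injection, unserialize() and CGI items), for which the package upgrade below is the fix.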

Solution(s)

  • freebsd-upgrade-package-phpmyadmin
