ESB-2018.3839 - [Win][UNIX/Linux] phpMyAdmin: Multiple vulnerabilities 2018-12-12

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.3839
                        phpMyAdmin security updates
                             12 December 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           phpMyAdmin
Publisher:         phpMyAdmin
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Cross-site Scripting     -- Remote with User Interaction
                   Access Confidential Data -- Existing Account            
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-19970 CVE-2018-19969 CVE-2018-19968

Original Bulletin: 
   https://www.phpmyadmin.net/security/PMASA-2018-6/
   https://www.phpmyadmin.net/security/PMASA-2018-7/
   https://www.phpmyadmin.net/security/PMASA-2018-8/

Comment: This bulletin contains three (3) phpMyAdmin security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

Announcement-ID: PMASA-2018-6
Date: 2018-12-07

Summary

Local file inclusion through transformation feature

Description

A flaw has been found where an attacker can exploit phpMyAdmin to leak the
contents of a local file. The attacker must have access to the phpMyAdmin
Configuration Storage tables, although these can easily be created in any
database to which the attacker has access. An attacker must have valid
credentials to log in to phpMyAdmin; this vulnerability does not allow an
attacker to circumvent the login system.
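The advisory cites CWE-98 (improper control of the filename used in an include). As an added illustration, not phpMyAdmin's own code, the block below shows the hardened pattern for that defect class: a transformation name read from the Configuration Storage tables, which a logged-in user can write, is mapped through a fixed allowlist and never concatenated into an include path. Plugin names, the plugin directory and the sample row are assumptions.

```php
<?php
// Added example, not phpMyAdmin's code. Hardened pattern for CWE-98: a transformation
// name read from the Configuration Storage tables (data a logged-in user can write)
// is mapped through a fixed allowlist and never concatenated into an include path.
declare(strict_types=1);

// Allowlist of shipped transformation plugins (names and paths are assumptions).
const TRANSFORMATION_PLUGINS = [
    'Text_Plain_Dateformat' => 'Text/Plain/Dateformat.php',
    'Text_Plain_Link'       => 'Text/Plain/Link.php',
    'Image_JPEG_Inline'     => 'Image/JPEG/Inline.php',
];

/**
 * Resolve a stored transformation name to an absolute plugin file path, or null
 * if the name is not a known plugin. Nothing from $storedName reaches the path.
 */
function resolveTransformationFile(string $storedName, string $pluginDir): ?string
{
    // Only plain identifiers are even looked up; "../", NUL bytes and slashes fail here.
    if (!preg_match('/^[A-Za-z0-9_]{1,64}$/', $storedName)) {
        return null;
    }
    if (!array_key_exists($storedName, TRANSFORMATION_PLUGINS)) {
        return null;
    }
    $base = realpath($pluginDir);
    if ($base === false) {
        return null;
    }
    $real = realpath($base . '/' . TRANSFORMATION_PLUGINS[$storedName]);
    // Defence in depth: the resolved file must exist and lie inside the plugin dir.
    if ($real === false || strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $real;
}

// Vulnerable shape the allowlist replaces (do not use):
//   include $pluginDir . '/' . $row['transformation'] . '.php';

// Constructed sample row, as it might come back from the configuration storage table.
$row  = ['transformation' => 'Text_Plain_Dateformat'];
$file = resolveTransformationFile($row['transformation'], __DIR__ . '/plugins/transformations');
if ($file === null) {
    // Unknown or tampered value: record it and fall back to showing the raw cell.
    error_log('Rejected transformation name: ' . $row['transformation']);
} else {
    require_once $file;
}
```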

Severity

We consider this vulnerability to be severe.

Affected Versions

phpMyAdmin versions from at least 4.0 through 4.8.3 are affected.

Solution

Upgrade to phpMyAdmin 4.8.4 or newer, or apply the patch listed below.

References

This vulnerability was reported by Daniel Le Gall from SCRT

Assigned CVE ids: CVE-2018-19968

CWE ids: CWE-661 CWE-98

Patches

The following commits have been made on the 4.8 branch to fix this issue:

  * 6a1ba61e29002f0305a9322a8af4eaaeb11c0732

More information

For further information and in case of questions, please contact the phpMyAdmin
team. Our website is phpmyadmin.net.

- --------------------------------------------------------------------------------

Announcement-ID: PMASA-2018-7
Date: 2018-12-07

Summary

XSRF/CSRF vulnerability in phpMyAdmin

Description

By deceiving a user to click on a crafted URL, it is possible to perform
harmful SQL operations such as renaming databases, creating new tables/
routines, deleting designer pages, adding/deleting users, updating user
passwords, killing SQL processes, etc.
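As an added example that is not phpMyAdmin's own code, the block below shows the defence a CSRF fix restores for the operations listed above: a state-changing request is accepted only when it arrives by POST carrying a per-session secret token, compared in constant time; a link the user was deceived into clicking is a GET without that token and is refused. The handler name, request arrays and field names are assumptions.

```php
<?php
// Added example, not phpMyAdmin's code. The defence a CSRF fix restores: every
// state-changing action must arrive by POST with a per-session secret token that a
// crafted cross-site URL cannot contain, compared in constant time.
declare(strict_types=1);

/** Return the session's CSRF token, minting it on first use (32 random bytes). */
function csrfToken(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

/**
 * True only for a POST request whose token equals the session's. A link the user
 * was tricked into clicking is a GET without the token, so it fails here.
 */
function csrfRequestIsValid(array &$session, string $method, ?string $submitted): bool
{
    if ($method !== 'POST' || $submitted === null) {
        return false;
    }
    return hash_equals(csrfToken($session), $submitted);
}

/** Hypothetical handler for one of the operations the advisory lists: renaming a database. */
function handleRenameDatabase(array &$session, array $server, array $post): int
{
    $ok = csrfRequestIsValid($session, $server['REQUEST_METHOD'] ?? 'GET', $post['token'] ?? null);
    if (!$ok) {
        return 403;          // reject before touching the database
    }
    // ... rename the database named in $post['old_name'] to $post['new_name'] (omitted) ...
    return 200;
}

// Constructed requests: a forged cross-site GET and a legitimate same-origin POST.
$session = [];
$forged = handleRenameDatabase($session, ['REQUEST_METHOD' => 'GET'], ['old_name' => 'a', 'new_name' => 'b']);
$legit  = handleRenameDatabase($session, ['REQUEST_METHOD' => 'POST'],
    ['old_name' => 'a', 'new_name' => 'b', 'token' => csrfToken($session)]);
printf("forged=%d legit=%d\n", $forged, $legit);

// The token must also be emitted (HTML-escaped) as a hidden field in every
// state-changing form, so that legitimate same-origin submissions carry it.
```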

Severity

We consider this vulnerability to be of moderate severity.

Affected Versions

phpMyAdmin versions 4.7.0 through 4.7.6 and 4.8.0 through 4.8.3 are affected.

Solution

Upgrade to phpMyAdmin 4.8.4 or newer, or apply the patch listed below.

References

Thanks to Daniel Le Gall from SCRT, Mustafa Hasan (@strukt93), SI9INT and
Prasetia Ari for reporting this vulnerability.

Assigned CVE ids: CVE-2018-19969

CWE ids: CWE-661 CWE-352

Patches

The following commits have been made on the 4.8 branch to fix this issue:

More information

For further information and in case of questions, please contact the phpMyAdmin
team. Our website is phpmyadmin.net.

- --------------------------------------------------------------------------------

Announcement-ID: PMASA-2018-8
Date: 2018-12-07

Summary

XSS vulnerability in navigation tree

Description

A Cross-Site Scripting vulnerability was found in the navigation tree, where an
attacker can deliver a payload to a user through a specially-crafted database/
table name.

Severity

We consider this attack to be of moderate severity.

Mitigation factor

The stored XSS vulnerabilities can be triggered only by someone who is logged in
to phpMyAdmin, as the usual token protection prevents non-logged-in users from
accessing the required forms.
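As an added example, not phpMyAdmin's own code, the block below renders one navigation-tree entry for a database/table name chosen by a logged-in user, escaping the name for each HTML context it lands in (attribute, URL, text node) so that a name containing markup is displayed, not executed. The page name "sql.php", the CSS class and the sample name are assumptions.

```php
<?php
// Added example, not phpMyAdmin's code. Renders one navigation-tree entry for a
// database/table name chosen by a logged-in user, escaping it for each HTML context
// it lands in so a name that contains markup is displayed as text, not executed.
declare(strict_types=1);

/** Escape for an HTML text node or a double-quoted attribute value. */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Build the <li> for one table. $db and $table are names read back from the
 * server (INFORMATION_SCHEMA) and are treated as untrusted data. The target page
 * name "sql.php" is an assumption.
 */
function renderNavTreeItem(string $db, string $table): string
{
    // Query parameters are URL-encoded first; the finished URL is then HTML-escaped.
    $href = 'sql.php?' . http_build_query(['db' => $db, 'table' => $table]);
    return '<li class="nav_node">'
        . '<a href="' . h($href) . '" title="' . h($db . '.' . $table) . '">'
        . h($table)
        . '</a></li>';
}

// Constructed sample: MySQL accepts a quoted identifier that contains HTML markup.
$sampleDb    = 'app';
$sampleTable = 'orders<script>void 0</script>';

echo renderNavTreeItem($sampleDb, $sampleTable), PHP_EOL;

// Unsafe shape the fix removes (do not use): '<li>' . $table . '</li>'
```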

Affected Versions

phpMyAdmin versions from at least 4.0 through 4.8.3 are affected.

Solution

Upgrade to phpMyAdmin 4.8.4 or newer, or apply the patch listed below.

References

Thanks to YU-HSIANG HUANG (huang.yuhsiang.phone@gmail.com), YUNG-HAO TSENG, and
Eddie TC CHANG for reporting this vulnerability.

Assigned CVE ids: CVE-2018-19970

CWE ids: CWE-661 CWE-79

Patches

The following commits have been made on the 4.8 branch to fix this issue:

  * b293ff5f234ef493336ed8638f623a12164d359e

More information

For further information and in case of questions, please contact the phpMyAdmin
team. Our website is phpmyadmin.net.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================