copyright | disclaimer | privacy | contact  
Australia's Leading Computer Emergency Response Team
 
Search this site

 
On this site

 > HOME
 > About AusCERT
 > Membership
 > Contact Us
 > PKI Services
 > Publications
 > Sec. Bulletins
 > Conferences
 > News & Media
 > Services
 > Web Log
 > Site Map
 > Site Help
 > Member login





 

ESB-2014.1196 - [Win][UNIX/Linux] phpMyAdmin: Multiple vulnerabilities

Date: 21 July 2014

Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2014.1196
        Multiple vulnerabilities have been identified in phpMyAdmin
                               21 July 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           phpMyAdmin
Publisher:         phpMyAdmin
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Cross-site Scripting   -- Remote with User Interaction
                   Access Privileged Data -- Existing Account            
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-4987 CVE-2014-4986 CVE-2014-4955
                   CVE-2014-4954  

Original Bulletin: 
   http://www.phpmyadmin.net/home_page/security/PMASA-2014-4.php
   http://www.phpmyadmin.net/home_page/security/PMASA-2014-5.php
   http://www.phpmyadmin.net/home_page/security/PMASA-2014-6.php
   http://www.phpmyadmin.net/home_page/security/PMASA-2014-7.php

Comment: This bulletin contains four (4) phpMyAdmin security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

PMASA-2014-4

Announcement-ID: PMASA-2014-4

Date: 2014-07-17

Summary

Self-XSS due to unescaped HTML output in database structure page.

Description

With a crafted table comment, it is possible to trigger an XSS in database 
structure page.

Severity

We consider this vulnerability to be non critical.

Mitigation factor

This vulnerability can be triggered only by someone who is logged in to 
phpMyAdmin, as the usual token protection prevents non-logged-in users from 
accessing the required page.

Affected Versions

Versions 4.2.x (prior to 4.2.6) are affected.

Solution

Upgrade to phpMyAdmin 4.2.6 or newer, or apply the patch listed below.

References

Thanks to Frans Rosn of detectify for reporting this vulnerability.

Assigned CVE ids: CVE-2014-4954

CWE ids: CWE-661 CWE-79

Patches

The following commits have been made to fix this issue:

    57475371a5b515c83bfc1bb2efcdf3ddb14787ed

More information

For further information and in case of questions, please contact the 
phpMyAdmin team. Our website is phpmyadmin.net.

- -------------------------------------------------------------------------------
PMASA-2014-5

Announcement-ID: PMASA-2014-5

Date: 2014-07-17

Summary

Self-XSS due to unescaped HTML output in database triggers page.

Description

When navigating into the database triggers page, it is possible to trigger an
XSS with a crafted trigger name.

Severity

We consider this vulnerability to be non critical.

Mitigation factor

This vulnerability can be triggered only by someone who is logged in to 
phpMyAdmin, as the usual token protection prevents non-logged-in users from 
accessing the required page.

Affected Versions

Versions 4.0.x (prior to 4.0.10.1), 4.1.x (prior to 4.1.14.2) and 4.2.x (prior
to 4.2.6) are affected.

Solution

Upgrade to phpMyAdmin 4.0.10.1 or newer, or 4.1.14.2 or newer, or 4.2.6 or 
newer, or apply the patch listed below.

References

Thanks to Frans Rosn of detectify for reporting this vulnerability.

Assigned CVE ids: CVE-2014-4955

CWE ids: CWE-661 CWE-79

Patches

The following commits have been made to fix this issue:

    10014d4dc596b9e3a491bf04f3e708cf1887d5e1

The following commits have been made on the 4.1 branch to fix this issue:

    511c596b175889b8e6b9c423e352ca64fa20af2b

The following commits have been made on the 4.0 branch to fix this issue:

    1b5592435617fa1b9dd68e2dc263de64c69fdc8a

More information

For further information and in case of questions, please contact the 
phpMyAdmin team. Our website is phpmyadmin.net.

- -------------------------------------------------------------------------------
PMASA-2014-6

Announcement-ID: PMASA-2014-6

Date: 2014-07-17

Summary

Multiple XSS in AJAX confirmation messages.

Description

With a crafted column name it is possible to trigger an XSS when dropping the
column in table structure page. With a crafted table name it is possible to 
trigger an XSS when dropping or truncating the table in table operations page.

Severity

We consider this vulnerability to be non critical.

Mitigation factor

This vulnerability can be triggered only by someone who is logged in to 
phpMyAdmin, as the usual token protection prevents non-logged-in users from 
accessing the required pages.

Affected Versions

Versions 4.0.x (prior to 4.0.10.1), 4.1.x (prior to 4.1.14.2) and 4.2.x (prior
to 4.2.6) are affected.

Solution

Upgrade to phpMyAdmin 4.0.10.1 or newer, or 4.1.14.2 or newer, or 4.2.6 or 
newer, or apply the patch listed below.

References

Assigned CVE ids: CVE-2014-4986

CWE ids: CWE-661 CWE-79

Patches

The following commits have been made to fix this issue:

    29a1f56495a7d1d98da31a614f23c0819a606a4d

The following commits have been made on the 4.1 branch to fix this issue:

    cd5697027a2ee7e1f7d7000b23be6051cdb0516c

The following commits have been made on the 4.0 branch to fix this issue:

    a92753bd65e1f8b72c46ed3dda6c362628e0daf7

More information

For further information and in case of questions, please contact the 
phpMyAdmin team. Our website is phpmyadmin.net.

- -------------------------------------------------------------------------------
PMASA-2014-7

Announcement-ID: PMASA-2014-7

Date: 2014-07-17

Summary

Access for an unprivileged user to MySQL user list.

Description

An unpriviledged user could view the MySQL user list and manipulate the tabs 
displayed in phpMyAdmin for them.

Severity

We consider this vulnerability to be non critical.

Mitigation factor

This vulnerability can be triggered only by someone who is logged in to 
phpMyAdmin, as the usual token protection prevents non-logged-in users from 
accessing the required pages. Moreover, the configuration storage must be set
up for the user groups feature.

Affected Versions

Versions 4.1.x (prior to 4.1.14.2) and 4.2.x (prior to 4.2.6) are affected.

Solution

Upgrade to phpMyAdmin 4.1.14.2 or newer, or 4.2.6 or newer, or apply the patch
listed below.

References

Thanks to Chirayu Chiripal for reporting this vulnerability.

Assigned CVE ids: CVE-2014-4987

CWE ids: CWE-661

Patches

The following commits have been made to fix this issue:

    395265e9937beb21134626c01a21f44b28e712e5

The following commits have been made on the 4.1 branch to fix this issue:

    45550b8cff06ad128129020762f9b53d125a6934

More information

For further information and in case of questions, please contact the 
phpMyAdmin team. Our website is phpmyadmin.net.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBU8x3QhLndAQH1ShLAQJU/g//RgFCL8yIt/wGJyZzgK71fDt1CqPFaHNR
svPsDqdK+ONTHhJguCh4DoaMLnPFTuSMDEw+N6v+O5qNDGxweJR57IsDlNF0N8Xk
Es7RJcNFcb9yDpPD4RlMrlaxMfuArx70Vgrqre4RLC/Khxg1IC/HRUjk+qPGqX6J
N8PA2E3/ExYS33frF2WsNnLrUSnndJjdxJNl6a2bqmQ+THmy/6CWGvOmiyIRnCVb
uheuQSJR2W0Cc07OsgrQoUUydmAt1mjntSkCFImpDAyYsm9uLKXEgc9QFQFLPjH4
0vxk9tsDVOfQMzEDU9fWHujgox61aH606PxiJyDq9QpELRdxousRnGgffbc/d3qn
GNDVz+fpUqfYxLtGajyMLs7GSbOnoq3AHJBzJwADNDiUEF5Qp2/j8gqyi/lcki0N
776JmEisMo5uoIYK2ewD+cYRWEeVgeQDjXd0Z03UetduW+zbBCUTtxoDY1Kl07QY
4wq4zBHD53V+wdZm3e8bZq6F4xnsNBVb6mXSUebGQUPapuVPYKV0g2sp4ryBuG5g
tashubm879/B6EPMavvjCm7QOfB3PZ78Scs9iQhyGUJ7Y4ikmV0Sf6C1xryn5k7P
c/xR1D2KmsETUQ6NrYBnrr7BstuCAXdlHVXsb19lh4C4Jd3EhncT+TMVKGkdkPui
stZQaRi7KS8=
=4sBJ
-----END PGP SIGNATURE-----