
Security update of phpmyadmin for wheezy

Hi Thijs and LTS team

I have prepared a security update of phpmyadmin for wheezy.

The prepared packages are available here:

For more information see here:

The debdiff is available in the same place:

I have corrected the following problems by backporting the patches given by upstream (you can find the upstream reference in the patch file in the debdiff above):

 With a specially crafted request, it is possible to trigger an XSS attack through the example OpenID authentication script.

 A vulnerability was reported where a specially crafted Transformation could be used to leak information including the authentication token. This could be used to direct a CSRF attack against a user.

I have also partially corrected CVE-2016-5733. I have corrected all parts that I could find as applicable.
 - [vulnerable code not present] A vulnerability was reported allowing a specially crafted table name to cause an XSS attack through the functionality to check database privileges.
 - [patched even though this really requires root privileges to use] A vulnerability was reported allowing a specifically-configured MySQL server to execute an XSS attack. This particular attack requires configuring the MySQL server log_bin directive with the payload.
 - [patched partially, for the rest I can not see vulnerable code] Several XSS vulnerabilities were found with the Transformation feature
 - [vulnerable code not present] Several XSS vulnerabilities were found in AJAX error handling
 - [vulnerable code not present] Several XSS vulnerabilities were found in the Designer feature
 - [vulnerable code not present] An XSS vulnerability was found in the charts feature
 - [vulnerable code not present] An XSS vulnerability was found in the zoom search feature

I have also updated the security tracker based on the following findings.

CVE-2016-5703 PMASA-2016-19
 Vulnerable code not present.

CVE-2016-5704 PMASA-2016-20
 Vulnerable code not present.

CVE-2016-5705 PMASA-2016-21
 Vulnerable code not present.

CVE-2016-5706 PMASA-2016-22
 Vulnerable code not present.

CVE-2016-5732 PMASA-2016-25
 Vulnerable code not present.

CVE-2016-5734 PMASA-2016-27
 Vulnerable code present but the vulnerability is only possible to exploit using a PHP version that is prior to the one that exists in wheezy. The same applies to jessie so I was kind enough to mark that too. I hope you do not mind.

I have regression tested the package but I have not explicitly tried to exploit the vulnerabilities.
Or rather I have tried some of it but I failed also with the old version so I guess it was not trivial to do.
In any case the corrected package seems to work fine with basic operations like viewing and updating things.

If there are no objections I will upload the corrected package to wheezy-security in four days, that is on Thursday next week.

Best regards

// Ola

 --------------------- Ola Lundqvist ---------------------------
/  opal@debian.org                     Folkebogatan 26          \
|  ola@inguza.com                      654 68 KARLSTAD          |
|  http://inguza.com/                  +46 (0)70-332 1551       |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36  4FE4 18A1 B1CF 0FE5 3DD9 /
