
Security update of phpmyadmin for wheezy



Hi Thijs and LTS team

I have prepared a security update of phpmyadmin for wheezy.

The prepared packages are available here:
http://apt.inguza.net/wheezy-security/phpmyadmin

For more information see here:
https://security-tracker.debian.org/tracker/source-package/phpmyadmin

The debdiff is available in the same place:
http://apt.inguza.net/wheezy-security/phpmyadmin/phpmyadmin.debdiff

I have corrected the following problems by backporting the patches
given by upstream (you can find the upstream reference in the patch
file in the debdiff above).

------------

CVE-2016-6606

A pair of vulnerabilities were found affecting the way cookies are stored.

The decryption of the username/password is vulnerable to a padding
oracle attack. This can allow an attacker who has access to a user's
browser cookie file to decrypt the username and password.

A vulnerability was found where the same initialization vector (IV) is
used to hash the username and password stored in the phpMyAdmin
cookie. If a user has the same password as their username, an attacker
who examines the browser cookie can see that they are the same — but
the attacker can not directly decode these values from the cookie as
it is still hashed.

CVE-2016-6607

XSS in replication feature

CVE-2016-6609

A vulnerability was found where a specially crafted database name
could be used to run arbitrary PHP commands through the array export
feature.

CVE-2016-6611

A vulnerability was reported where a specially crafted database and/or
table name can be used to trigger an SQL injection attack through the
export functionality.

CVE-2016-6612

A vulnerability was discovered where a user can exploit the LOAD LOCAL
INFILE functionality to expose files on the server to the database
system.

CVE-2016-6613

A vulnerability was found where a user can specially craft a symlink
on disk, to a file which phpMyAdmin is permitted to read but the user
is not, which phpMyAdmin will then expose to the user.

CVE-2016-6614

A vulnerability was reported with the %u username replacement
functionality of the SaveDir and UploadDir features. When the username
substitution is configured, a specially-crafted user name can be used
to circumvent restrictions to traverse the file system.

CVE-2016-6620

A vulnerability was reported where some data is passed to the PHP
unserialize() function without verification that it's valid serialized
data. Due to how the PHP function operates, unserialization can result
in code being loaded and executed due to object instantiation and
autoloading, and a malicious user may be able to exploit this.
Therefore, a malicious user may be able to manipulate the stored data
in a way to exploit this weakness.

CVE-2016-6622

A vulnerability was discovered where an unauthenticated user is able
to execute a denial-of-service (DOS) attack by forcing persistent
connections when phpMyAdmin is running with
$cfg['AllowArbitraryServer']=true;.

CVE-2016-6623

A vulnerability has been reported where a malicious authorized user
can cause a denial-of-service (DOS) attack on a server by passing
large values to a loop.

CVE-2016-6624

A vulnerability was discovered where, under certain circumstances, it
may be possible to circumvent the phpMyAdmin IP-based authentication
rules.
When phpMyAdmin is used with IPv6 in a proxy server environment, and
the proxy server is in the allowed range but the attacking computer is
not allowed, this vulnerability can allow the attacking computer to
connect despite the IP rules.

CVE-2016-6630

An authenticated user can trigger a denial-of-service (DOS) attack by
entering a very long password at the change password dialog.

CVE-2016-6631

A vulnerability was discovered where a user can execute a remote code
execution attack against a server when phpMyAdmin is being run as a
CGI application. Under certain server configurations, a user can pass
a query string which is executed as a command-line argument by the
file generator_plugin.sh.

------------

In addition to the above I have marked a few CVEs as not vulnerable or
not worth the effort to update because the severity of the issue is
low.

CVE-2016-6610 Vulnerable code not present
CVE-2016-6615 Vulnerable code not present
CVE-2016-6618 Vulnerable code not present
CVE-2016-6619 Vulnerable code not present
CVE-2016-6626 Vulnerable code not present. However I'm not 100% sure
about this one.
CVE-2016-6628 Vulnerable code not present
CVE-2016-6629 Vulnerable code not present
CVE-2016-6632 Vulnerable code not present

CVE-2016-6625 Not critical. Marked as no-dsa.
CVE-2016-6627 Not critical. Marked as no-dsa.

Please let me know if you think I have made an error in the analysis of this.

There is also one CVE (CVE-2016-6621) that we do not fully know
whether it is solved or not. I have not made a specific fix in this
upload. Salvatore is involved in this investigation too.

I have regression tested the package but I have not explicitly tried
to exploit the vulnerabilities yet. I will only try to exploit the
most important ones. I have checked that some of them actually give a
different output which means that they should be fixed. Some of the
issues were simple to verify by desk-check (they must have been found
using desk-check too).

In any case the corrected package seems to work fine with basic
operations like viewing and updating things.

If there are no objections I will upload the corrected package to
wheezy-security in three days, that is on Saturday this week.

Best regards

// Ola
-- 
 --- Inguza Technology AB --- MSc in Information Technology ----
/  ola@inguza.com                    Folkebogatan 26            \
|  opal@debian.org                   654 68 KARLSTAD            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9  /
 ---------------------------------------------------------------
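Added worked example for the two halves of CVE-2016-6606 described above (the padding oracle on the cookie decryption, and the fixed IV that lets an observer see that username and password are equal). This is illustrative code added to the page; it is not part of Ola's mail, the debdiff, or phpMyAdmin itself. The block cipher is a deliberately insecure toy so the example runs with the Python standard library only; the attack logic depends on CBC mode and on the oracle's accept/reject answer, not on the cipher. The key, IV and cookie plaintext are constructed sample values.

```python
BLOCK = 8

# Toy 8-byte block cipher. NOT secure; it only exists so the example runs
# without third-party crypto libraries. The attack below depends on CBC mode
# and the oracle's error behaviour, not on the cipher.
_SBOX = bytes((i * 167 + 89) & 0xFF for i in range(256))   # bijective: 167 is odd
_INV_SBOX = bytearray(256)
for _i, _v in enumerate(_SBOX):
    _INV_SBOX[_v] = _i

def _encrypt_block(key, block):
    state = bytearray(block)
    for r in range(4):
        state = bytearray(_SBOX[b ^ key[(i + r) % BLOCK]] for i, b in enumerate(state))
        state = state[1:] + state[:1]          # rotate left one byte
    return bytes(state)

def _decrypt_block(key, block):
    state = bytearray(block)
    for r in reversed(range(4)):
        state = state[-1:] + state[:-1]        # rotate right one byte
        state = bytearray(_INV_SBOX[b] ^ key[(i + r) % BLOCK] for i, b in enumerate(state))
    return bytes(state)

def pad(data):                                  # PKCS#7
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def unpad(data):
    n = data[-1] if data else 0
    if n < 1 or n > BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")         # this error is the oracle's leak
    return data[:-n]

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def cbc_encrypt(key, iv, plaintext):
    padded, out, prev = pad(plaintext), b"", iv
    for i in range(0, len(padded), BLOCK):
        prev = _encrypt_block(key, _xor(padded[i:i + BLOCK], prev))
        out += prev
    return out

def cbc_decrypt(key, iv, ciphertext):
    if not ciphertext or len(ciphertext) % BLOCK:
        raise ValueError("bad length")
    out, prev = b"", iv
    for i in range(0, len(ciphertext), BLOCK):
        block = ciphertext[i:i + BLOCK]
        out += _xor(_decrypt_block(key, block), prev)
        prev = block
    return unpad(out)

def padding_oracle(key, iv, ciphertext):
    """Models a server that decrypts the cookie and reveals, through its error
    behaviour, whether the padding was valid. One bit per query is enough."""
    try:
        cbc_decrypt(key, iv, ciphertext)
        return True
    except ValueError:
        return False

def padding_oracle_attack(oracle, iv, ciphertext):
    """Recover the plaintext without the key by submitting forged (iv, block)
    pairs and watching the oracle's verdict, one byte at a time."""
    blocks = [iv] + [ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK)]
    recovered = b""
    for n in range(1, len(blocks)):
        prev, target = blocks[n - 1], blocks[n]
        inter = bytearray(BLOCK)        # cipher output for `target`, before the CBC XOR
        for pos in reversed(range(BLOCK)):
            pad_val = BLOCK - pos
            for guess in range(256):
                forged = bytearray(BLOCK)
                forged[pos] = guess
                for j in range(pos + 1, BLOCK):
                    forged[j] = inter[j] ^ pad_val   # force known tail bytes to pad_val
                if not oracle(bytes(forged), target):
                    continue
                if pos == BLOCK - 1:
                    # A hit on the last byte could be padding 02 02, 03 03 03, ...; if it is
                    # really 01, flipping the byte before it must not change the verdict.
                    forged[pos - 1] ^= 0xFF
                    if not oracle(bytes(forged), target):
                        continue
                inter[pos] = guess ^ pad_val
                break
            else:
                raise RuntimeError("oracle never accepted a guess")
        recovered += _xor(inter, prev)
    return unpad(recovered)

def same_iv_leak(key, iv, username, password):
    """Second half of the issue: a fixed key and IV make encryption deterministic,
    so equal username and password give byte-identical ciphertext."""
    return cbc_encrypt(key, iv, username) == cbc_encrypt(key, iv, password)

def demo():
    key = bytes.fromhex("0f1e2d3c4b5a6978")   # constructed sample key and IV
    iv = bytes.fromhex("a1b2c3d4e5f60718")
    cookie = cbc_encrypt(key, iv, b"pma_user:hunter2")   # constructed cookie content
    oracle = lambda test_iv, ct: padding_oracle(key, test_iv, ct)
    return padding_oracle_attack(oracle, iv, cookie), same_iv_leak(key, iv, b"admin", b"admin")

if __name__ == "__main__":
    print(demo())
```

The attacker never calls `_decrypt_block` or sees the key: every byte comes from at most 256 oracle queries on a forged IV, which is why a decryption routine that distinguishes "bad padding" from any other failure (by error message, status code or timing) is enough to recover the cookie. The second function shows why reusing one IV for two fields is a separate problem even when the oracle is closed: the comparison needs no decryption at all.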

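Added worked example for CVE-2016-6614 as described above (the `%u` user-name substitution in SaveDir/UploadDir letting a crafted user name traverse the file system). This is illustrative code added to the page, not phpMyAdmin's own implementation or anything from the debdiff; the SaveDir template, the user names and the allow-list pattern are constructed assumptions for the example. It shows the unchecked substitution beside a hardened variant that allow-lists the user name and then verifies the resolved path stays under the configured root.

```python
import posixpath
import re

# Hypothetical SaveDir value using the %u substitution (constructed for this example).
SAVE_DIR_TEMPLATE = "/var/lib/phpmyadmin/save/%u"

# Assumed allow-list for the substituted value; real deployments would pick their own.
_SAFE_USERNAME = re.compile(r"[A-Za-z0-9_.-]{1,64}")

def naive_save_dir(template, username):
    """The flawed pattern: drop the raw user name into the template and normalise."""
    return posixpath.normpath(template.replace("%u", username))

def escapes_root(template, username):
    """True if the substituted, normalised path leaves the directory above %u."""
    root = posixpath.normpath(template.split("%u", 1)[0])
    resolved = naive_save_dir(template, username)
    return not (resolved == root or resolved.startswith(root + "/"))

def hardened_save_dir(template, username):
    """Allow-list the user name, then still confirm the result stays under the root."""
    if username in (".", "..") or not _SAFE_USERNAME.fullmatch(username):
        raise ValueError("refusing unsafe user name: %r" % username)
    if escapes_root(template, username):
        raise ValueError("substituted path escapes the SaveDir root")
    return template.replace("%u", username)

def rejected(template, username):
    """Helper for the checks below: does the hardened variant refuse this name?"""
    try:
        hardened_save_dir(template, username)
        return False
    except ValueError:
        return True

if __name__ == "__main__":
    for name in ("alice", "../../../etc", "alice/../bob"):
        print(repr(name), naive_save_dir(SAVE_DIR_TEMPLATE, name),
              "escapes" if escapes_root(SAVE_DIR_TEMPLATE, name) else "inside",
              "rejected" if rejected(SAVE_DIR_TEMPLATE, name) else "accepted")
```

`posixpath.normpath` is used instead of `os.path.realpath` so the check is pure string logic and runs anywhere; in a real deployment the containment check should be done on the resolved (symlink-free) path, since the page's CVE-2016-6613 entry is exactly about symlinks on disk defeating such checks. Note that `alice/../bob` stays inside the root after normalisation yet is still rejected: the allow-list refuses any separator, so a user name never gets to express a path at all.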
