
December report

This month I had 10 hours and I spent my 10 hours on the following:

* Researched, patched, and uploaded various security issues in phpmyadmin:
  * CVE-2016-4412 / PMASA-2016-57: A user can be tricked into following a
    link leading to phpMyAdmin, which after authentication redirects to
    another malicious site.
  * CVE-2016-6626 / PMASA-2016-49: In the fix for PMASA-2016-57, we didn't
    have sufficient checking and it was possible to bypass the whitelist.
  * CVE-2016-9849 / PMASA-2016-60: Username deny rules bypass (AllowRoot &
    Others) by using Null Byte.
  * CVE-2016-9850 / PMASA-2016-61: Username matching for the allow/deny rules
    may result in wrong matches and detection of the username in the rule due
    to non-constant execution time.
  * CVE-2016-9861 / PMASA-2016-66: In the fix for PMASA-2016-49, we had buggy
    checks and it was possible to bypass the whitelist.
  * CVE-2016-9864 / PMASA-2016-69: Multiple SQL injection vulnerabilities.
  * CVE-2016-9865 / PMASA-2016-70: Due to a bug in serialized string parsing,
    it was possible to bypass the protection offered by PMA_safeUnserialize().

I also started investigating libphp-phpmailer CVE-2016-10033, however
this is going to require more time trying to understand the followup
patches that currently make no sense to
me. E.g. https://github.com/PHPMailer/PHPMailer/pull/930/files appears
to remove calls to escapeshellarg and escapeshellcmd which I thought
were added to solve the problem.

I anticipate not being able to work on LTS in January - due to buses
replacing trains and also LCA2017, so I will make myself inactive. I
expect to be back again for February.
Brian May <brian@linuxpenguins.xyz>
