This month I had 10 hours and I spent my 10 hours on the following
* Researched, patched, and uploaded various security issues in phpmyadmin:
* CVE-2016-4412 / PMASA-2016-57: A user can be tricked in to following a
link leading to phpMyAdmin, which after authentication redirects to
another malicious site.
* CVE-2016-6626 / PMASA-2016-49: In the fix for PMASA-2016-57, we didn't
have sufficient checking and was possible to bypass whitelist.
* CVE-2016-9849 / PMASA-2016-60: Username deny rules bypass (AllowRoot &
Others) by using Null Byte.
* CVE-2016-9850 / PMASA-2016-61: Username matching for the allow/deny rules
may result in wrong matches and detection of the username in the rule due
to non-constant execution time.
* CVE-2016-9861 / PMASA-2016-66: In the fix for PMASA-2016-49, we has buggy
checks and was possible to bypass whitelist.
* CVE-2016-9864 / PMASA-2016-69: Multiple SQL injection vulnerabilities.
* CVE-2016-9865 / PMASA-2016-70: Due to a bug in serialized string parsing,
it was possible to bypass the protection offered by PMA_safeUnserialize()
I also started investigating libphp-phpmailer CVE-2016-10033, however
this is going to require more time trying to understand the followup
patches that currently make no sense to
me. e.g. https://github.com/PHPMailer/PHPMailer/pull/930/files appears
to remove calls to escapeshellarg and escapeshellcmd which I thought
were added to solve the problem.
I anticipate not being able to work on LTS in January - due to buses
replacing trains and also LCA2017, so I will make myself inactive. I
expect to be back again for Febraury.
Brian May <firstname.lastname@example.org>