I have prepared a security update of phpmyadmin for wheezy.
I have corrected the following problems by backporting the patches given by upstream (you can find the upstream reference in the patch file in the debdiff above):
CVE-2016-5731
With a specially crafted request, it is possible to trigger an XSS attack through the example OpenID authentication script.
CVE-2016-5739
A vulnerability was reported where a specially crafted Transformation could be used to leak information including the authentication token. This could be used to direct a CSRF attack against a user.
I have also partially corrected CVE-2016-5733. I have corrected all parts that I could find as applicable.
- [vulnerable code not present] A vulnerability was reported allowing a specially crafted table name to cause an XSS attack through the functionality to check database privileges.
- [patched even though this really requires root privileges to use] A vulnerability was reported allowing a specifically-configured MySQL server to execute an XSS attack. This particular attack requires configuring the MySQL server log_bin directive with the payload.
- [patched partially, for the rest I can not see vulnerable code] Several XSS vulnerabilities were found with the Transformation feature
- [vulnerable code not present] Several XSS vulnerabilities were found in AJAX error handling
- [vulnerable code not present] Several XSS vulnerabilities were found in the Designer feature
- [vulnerable code not present] An XSS vulnerability was found in the charts feature
- [vulnerable code not present] An XSS vulnerability was found in the zoom search feature
I have also updated the security tracker based on the following findings.
CVE-2016-5703 PMASA-2016-19
Vulnerable code not present.
CVE-2016-5704 PMASA-2016-20
Vulnerable code not present.
CVE-2016-5705 PMASA-2016-21
Vulnerable code not present.
CVE-2016-5706 PMASA-2016-22
Vulnerable code not present.
CVE-2016-5732 PMASA-2016-25
Vulnerable code not present.
CVE-2016-5734 PMASA-2016-27
Vulnerable code present, but the vulnerability is only possible to exploit using a php version that is prior to the one that exists in wheezy. The same applies to jessie, so I was kind enough to mark that too. I hope you do not mind.
I have regression tested the package but I have not explicitly tried to exploit the vulnerabilities.
Or rather, I have tried some of it, but I failed also with the old version, so I guess it was not trivial to do.
In any case the corrected package seems to work fine with basic operations like viewing and updating things.
If there are no objections I will upload the corrected package to wheezy-security in four days, that is on Thursday next week.
Best regards
// Ola
--
--------------------- Ola Lundqvist ---------------------------
\ gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9 /
---------------------------------------------------------------