Date: Wed, 17 Aug 2016 11:02:43 +0000 (UTC) From: Matthew Seaman <matthew@FreeBSD.org> To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: svn commit: r420331 - head/security/vuxml Message-ID: <201608171102.u7HB2hQK090337@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: matthew Date: Wed Aug 17 11:02:43 2016 New Revision: 420331 URL: https://svnweb.freebsd.org/changeset/ports/420331 Log: Document 26 new security advisories from phpmadmin. Some of these are described as 'critical'. Modified: head/security/vuxml/vuln.xml Modified: head/security/vuxml/vuln.xml ============================================================================== --- head/security/vuxml/vuln.xml Wed Aug 17 10:46:48 2016 (r420330) +++ head/security/vuxml/vuln.xml Wed Aug 17 11:02:43 2016 (r420331) @@ -58,6 +58,488 @@ Notes: * Do not forget port variants (linux-f10-libxml2, libxml2, etc.) --> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">; + <vuln vid="ef70b201-645d-11e6-9cdc-6805ca0b3d42"> + <topic>phpmyadmin -- multiple vulnerabilities</topic> + <affects> + <package> + <name>phpmyadmin</name> + <range><ge>4.6.0</ge><lt>4.6.4</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml">; + <p>The phpmyadmin development team reports:</p> + <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-29/">; + <h3>Summary</h3> + <p>Weakness with cookie encryption</p> + <h3>Description</h3> + <p>A pair of vulnerabilities were found affecting the + way cookies are stored.</p> + <ul> + <li>The decryption of the username/password is + vulnerable to a padding oracle attack. The can allow + an attacker who has access to a user's browser cookie + file to decrypt the username and password.</li> + <li>A vulnerability was found where the same + initialization vector (IV) is used to hash the + username and password stored in the phpMyAdmin + cookie. If a user has the same password as their + username, an attacker who examines the browser cookie + can see that they are the but the attacker can not + directly decode these values from the cookie as it is + still hashed.</li> + </ul> + <h3>Severity</h3> + <p>We consider this to be critical.</p> + </blockquote> + <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-30/">; + <h3>Summary</h3> + <p>Multiple XSS vulnerabilities</p> + <h3>Description</h3> + <p>Multiple vulnerabilities have been discovered in the + following areas of phpMyAdmin:</p> + <ul> + <li>Zoom search: Specially crafted column content can + be used to trigger an XSS attack</li> + <li>GIS editor: Certain fields in the graphical GIS + editor at not properly escaped and can be used to + trigger an XSS attack</li> + <li>Relation view</li> + <li>The following Transformations: + <ul> + <li>Formatted</li> + <li>Imagelink</li> + <li>JPEG: Upload</li> + <li>RegexValidation</li> + <li>JPEG inline</li> + <li>PNG inline</li> + <li>transformation wrapper</li> + </ul> + </li> + <li>XML export</li> + <li>MediaWiki export</li> + <li>Designer</li> + <li>When the MySQL server is running with a + specially-crafted <code>log_bin</code> directive</li> + <li>Database tab</li> + <li>Replication feature</li> + <li>Database search</li> + </ul> + <h3>Severity</h3> + <p>We consider these vulnerabilities to be of + moderate severity.</p> + </blockquote> + <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-31/">; + <h3>Summary</h3> + <p>Multiple XSS vulnerabilities</p> + <h3>Description</h3> + <p>XSS vulnerabilities were discovered in:</p> + <ul> + <li>The database privilege check</li> + <li>The "Remove partitioning" functionality</li> + </ul> + <p>Specially crafted database names can trigger the XSS + attack.</p> + <h3>Severity</h3> + <p>We consider these vulnerabilities to be of moderate + severity.</p> + </blockquote> + <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-32/">; + <h3>Summary</h3> + <p>PHP code injection</p> + <h3>Description</h3> + <p>A vulnerability was found where a specially crafted + database name could be used to run arbitrary PHP + commands through the array export feature</p> + <h3>Severity</h3> + <p>We consider these vulnerabilities to be of + moderate severity.</p> + </blockquote> + <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-33/">; + <h3>Summary</h3> + <p>Full path disclosure</p> + <h3>Description</h3> + <p>A full path disclosure vulnerability was discovered + where a user can trigger a particular error in the + export mechanism to discover the full path of phpMyAdmin + on the disk.</p> + <h3>Severity</h3> + <p>We consider this vulnerability to be + non-critical.</p> + </blockquote> + <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-34/">; + <h3>Summary</h3> + <p>SQL injection attack</p> + <h3>Description</h3> + <p>A vulnerability was reported where a specially + crafted database and/or table name can be used to + trigger an SQL injection attack through the export + functionality.</p> + <h3>Severity</h3> + <p>We consider this vulnerability to be serious</p> + </blockquote> + <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-35/">; + <h3>Summary</h3> + <p>Local file exposure</p> + <h3>Description</h3> + <p>A vulnerability was discovered where a user can + exploit the LOAD LOCAL INFILE functionality to expose + files on the server to the database system.</p> + <h3>Severity</h3> + <p>We consider this vulnerability to be serious.</p> + </blockquote> + <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-36/">; + <h3>Summary</h3> + <p>Local file exposure through symlinks with + UploadDir</p> + <h3>Description</h3> + <p>A vulnerability was found where a user can + specially craft a symlink on disk, to a file which + phpMyAdmin is permitted to read but the user is not, + which phpMyAdmin will then expose to the user.</p> + <h3>Severity</h3> + <p>We consider this vulnerability to be serious, + however due to the mitigation factors the + default state is not vulnerable.</p> + <h3>Mitigation factor</h3> + <p>1) The installation must be run with UploadDir configured + (not the default) 2) The user must be able to create a + symlink in the UploadDir 3) The user running the phpMyAdmin + application must be able to read the file</p> + </blockquote> + <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-37/">; + <h3>Summary</h3> + <p>Path traversal with SaveDir and UploadDir</p> + <h3>Description</h3> + <p>A vulnerability was reported with the <code>%u</code> + username replacement functionality of the SaveDir and + UploadDir features. When the username substitution is + configured, a specially-crafted user name can be used to + circumvent restrictions to traverse the file system.</p> + <h3>Severity</h3> + <p>We consider this vulnerability to be serious, + however due to the mitigation factors the default + state is not vulnerable.</p> + <h3>Mitigation factor</h3> + <p>1) A system must be configured with the %u username + replacement, such as `$cfg['SaveDir'] = + 'SaveDir_%u';` 2) The user must be able to create a + specially-crafted MySQL user, including the `/.` sequence of + characters, such as `/../../`</p> + </blockquote> + <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-38/">; + <h3>Summary</h3> + <p>Multiple XSS vulnerabilities</p> + <h3>Description</h3> + <p>Multiple XSS vulnerabilities were found in the following + areas:</p> + <ul> + <li>Navigation pane and database/table hiding + feature. A specially-crafted database name can be used + to trigger an XSS attack.</li> + <li>The "Tracking" feature. A specially-crafted query + can be used to trigger an XSS attack.</li> + <li>GIS visualization feature. </li> + </ul> + <h3>Severity</h3> + <p>We consider this vulnerability to be non-critical.</p> + </blockquote> + <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-39/">; + <h3>Summary</h3> + <p>SQL injection attack</p> + <h3>Description</h3> + <p>A vulnerability was discovered in the following + features where a user can execute an SQL injection + attack against the account of the control user: + <em>User group</em> Designer</p> + <h3>Severity</h3> + <p>We consider this vulnerability to be serious.</p> + <h3>Mitigation factor</h3> + <p>The server must have a control user account created in + MySQL and configured in phpMyAdmin; installations without a + control user are not vulnerable.</p> + </blockquote> + <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-40/">; + <h3>Summary</h3> + <p>SQL injection attack</p> + <h3>Description</h3> + <p>A vulnerability was reported where a specially + crafted database and/or table name can be used to + trigger an SQL injection attack through the export + functionality.</p> + <h3>Severity</h3> + <p>We consider this vulnerability to be serious</p> + </blockquote> + <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-41/">; + <h3>Summary</h3> + <p>Denial of service (DOS) attack in transformation + feature</p> + <h3>Description</h3> + <p>A vulnerability was found in the transformation feature + allowing a user to trigger a denial-of-service (DOS) attack + against the server.</p> + <h3>Severity</h3> + <p>We consider this vulnerability to be non-critical</p> + </blockquote> + <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-42/">; + <h3>Summary</h3> + <p>SQL injection attack as control user</p> + <h3>Description</h3> + <p>A vulnerability was discovered in the user interface + preference feature where a user can execute an SQL injection + attack against the account of the control user.</p> + <h3>Severity</h3> + <p>We consider this vulnerability to be serious.</p> + <h3>Mitigation factor</h3> + <p>The server must have a control user account created in + MySQL and configured in phpMyAdmin; installations without a + control user are not vulnerable.</p> + </blockquote> + <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-43/">; + <h3>Summary</h3> + <p>Unvalidated data passed to unserialize()</p> + <h3>Description</h3> + <p>A vulnerability was reported where some data is passed to + the PHP <code>unserialize()</code> function without + verification that it's valid serialized data.</p> + <p>Due to how the <a href="https://secure.php.net/unserialize">PHP function</a> + operates,</p> + <blockquote> + <p>Unserialization can result in code being loaded and + executed due to object instantiation and autoloading, and + a malicious user may be able to exploit this.</p> + </blockquote> + <p>Therefore, a malicious user may be able to manipulate the + stored data in a way to exploit this weakness.</p> + <h3>Severity</h3> + <p>We consider this vulnerability to be moderately + severe.</p> + </blockquote> + <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-45/">; + <h3>Summary</h3> + <p>DOS attack with forced persistent connections</p> + <h3>Description</h3> + <p>A vulnerability was discovered where an unauthenticated + user is able to execute a denial-of-service (DOS) attack by + forcing persistent connections when phpMyAdmin is running + with <code>$cfg['AllowArbitraryServer']=true;</code>.</p> + <h3>Severity</h3> + <p>We consider this vulnerability to be critical, although + note that phpMyAdmin is not vulnerable by default.</p> + </blockquote> + <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-46/">; + <h3>Summary</h3> + <p>Denial of service (DOS) attack by for loops</p> + <h3>Description</h3> + <p>A vulnerability has been reported where a malicious + authorized user can cause a denial-of-service (DOS) attack + on a server by passing large values to a loop.</p> + <h3>Severity</h3> + <p>We consider this issue to be of moderate severity.</p> + </blockquote> + <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-47/">; + <h3>Summary</h3> + <p>IPv6 and proxy server IP-based authentication rule + circumvention</p> + <h3>Description</h3> + <p>A vulnerability was discovered where, under certain + circumstances, it may be possible to circumvent the + phpMyAdmin IP-based authentication rules.</p> + <p>When phpMyAdmin is used with IPv6 in a proxy server + environment, and the proxy server is in the allowed range + but the attacking computer is not allowed, this + vulnerability can allow the attacking computer to connect + despite the IP rules.</p> + <h3>Severity</h3> + <p>We consider this vulnerability to be serious</p> + <h3>Mitigation factor</h3> + <p>* The phpMyAdmin installation must be running with + IP-based allow/deny rules * The phpMyAdmin installation must + be running behind a proxy server (or proxy servers) where + the proxy server is "allowed" and the attacker is + "denied" * The connection between the proxy server + and phpMyAdmin must be via IPv6</p> + </blockquote> + <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-48/">; + <h3>Summary</h3> + <p>Detect if user is logged in</p> + <h3>Description</h3> + <p>A vulnerability was reported where an attacker can + determine whether a user is logged in to phpMyAdmin.</p> + <p>The user's session, username, and password are not + compromised by this vulnerability.</p> + <h3>Severity</h3> + <p>We consider this vulnerability to be non-critical.</p> + </blockquote> + <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-49/">; + <h3>Summary</h3> + <p>Bypass URL redirect protection</p> + <h3>Description</h3> + <p>A vulnerability was discovered where an attacker could + redirect a user to a malicious web page.</p> + <h3>Severity</h3> + <p>We consider this to be of moderate severity</p> + </blockquote> + <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-50/">; + <h3>Summary</h3> + <p>Referrer leak in url.php</p> + <h3>Description</h3> + <p>A vulnerability was discovered where an attacker can + determine the phpMyAdmin host location through the file + <code>url.php</code>.</p> + <h3>Severity</h3> + <p>We consider this to be of moderate severity.</p> + </blockquote> + <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-51/">; + <h3>Summary</h3> + <p>Reflected File Download attack</p> + <h3>Description</h3> + <p>A vulnerability was discovered where an attacker may be + able to trigger a user to download a specially crafted + malicious SVG file.</p> + <h3>Severity</h3> + <p>We consider this issue to be of moderate severity.</p> + </blockquote> + <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-52/">; + <h3>Summary</h3> + <p>ArbitraryServerRegexp bypass</p> + <h3>Description</h3> + <p>A vulnerability was reported with the + <code>$cfg['ArbitraryServerRegexp']</code> configuration + directive. An attacker could reuse certain cookie values in + a way of bypassing the servers defined by + <code>ArbitraryServerRegexp</code>.</p> + <h3>Severity</h3> + <p>We consider this vulnerability to be critical.</p> + <h3>Mitigation factor</h3> + <p>Only servers using + `$cfg['ArbitraryServerRegexp']` are vulnerable to + this attack.</p> + </blockquote> + <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-53/">; + <h3>Summary</h3> + <p>Denial of service (DOS) attack by changing password to a + very long string</p> + <h3>Description</h3> + <p>An authenticated user can trigger a denial-of-service + (DOS) attack by entering a very long password at the change + password dialog.</p> + <h3>Severity</h3> + <p>We consider this vulnerability to be serious.</p> + </blockquote> + <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-54/">; + <h3>Summary</h3> + <p>Remote code execution vulnerability when run as CGI</p> + <h3>Description</h3> + <p>A vulnerability was discovered where a user can execute a + remote code execution attack against a server when + phpMyAdmin is being run as a CGI application. Under certain + server configurations, a user can pass a query string which + is executed as a command-line argument by the file + <code>generator_plugin.sh</code>.</p> + <h3>Severity</h3> + <p>We consider this vulnerability to be critical.</p> + <h3>Mitigation factor</h3> + <p>The file + `/libraries/plugins/transformations/generator_plugin.sh` may + be removed. Under certain server configurations, it may be + sufficient to remove execute permissions for this file.</p> + </blockquote> + <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-55/">; + <h3>Summary</h3> + <p>Denial of service (DOS) attack with dbase extension</p> + <h3>Description</h3> + <p>A flaw was discovered where, under certain conditions, + phpMyAdmin may not delete temporary files during the import + of ESRI files.</p> + <h3>Severity</h3> + <p>We consider this vulnerability to be non-critical.</p> + <h3>Mitigation factor</h3> + <p>This vulnerability only exists when PHP is running with + the dbase extension, which is not shipped by default, not + available in most Linux distributions, and doesn't + compile with PHP7.</p> + </blockquote> + <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-56/">; + <h3>Summary</h3> + <p>Remote code execution vulnerability when PHP is running + with dbase extension</p> + <h3>Description</h3> + <p>A vulnerability was discovered where phpMyAdmin can be + used to trigger a remote code execution attack against + certain PHP installations. </p> + <h3>Severity</h3> + <p>We consider this vulnerability to be critical.</p> + <h3>Mitigation factor</h3> + <p>This vulnerability only exists when PHP is running with + the dbase extension, which is not shipped by default, not + available in most Linux distributions, and doesn't + compile with PHP7.</p> + </blockquote> + </body> + </description> + <references> + <url>https://www.phpmyadmin.net/security/PMASA-2016-29/</url>; + <url>https://www.phpmyadmin.net/security/PMASA-2016-30/</url>; + <url>https://www.phpmyadmin.net/security/PMASA-2016-31/</url>; + <url>https://www.phpmyadmin.net/security/PMASA-2016-32/</url>; + <url>https://www.phpmyadmin.net/security/PMASA-2016-33/</url>; + <url>https://www.phpmyadmin.net/security/PMASA-2016-34/</url>; + <url>https://www.phpmyadmin.net/security/PMASA-2016-35/</url>; + <url>https://www.phpmyadmin.net/security/PMASA-2016-36/</url>; + <url>https://www.phpmyadmin.net/security/PMASA-2016-37/</url>; + <url>https://www.phpmyadmin.net/security/PMASA-2016-38/</url>; + <url>https://www.phpmyadmin.net/security/PMASA-2016-39/</url>; + <url>https://www.phpmyadmin.net/security/PMASA-2016-40/</url>; + <url>https://www.phpmyadmin.net/security/PMASA-2016-41/</url>; + <url>https://www.phpmyadmin.net/security/PMASA-2016-42/</url>; + <url>https://www.phpmyadmin.net/security/PMASA-2016-43/</url>; + <url>https://www.phpmyadmin.net/security/PMASA-2016-45/</url>; + <url>https://www.phpmyadmin.net/security/PMASA-2016-46/</url>; + <url>https://www.phpmyadmin.net/security/PMASA-2016-47/</url>; + <url>https://www.phpmyadmin.net/security/PMASA-2016-48/</url>; + <url>https://www.phpmyadmin.net/security/PMASA-2016-49/</url>; + <url>https://www.phpmyadmin.net/security/PMASA-2016-50/</url>; + <url>https://www.phpmyadmin.net/security/PMASA-2016-51/</url>; + <url>https://www.phpmyadmin.net/security/PMASA-2016-52/</url>; + <url>https://www.phpmyadmin.net/security/PMASA-2016-53/</url>; + <url>https://www.phpmyadmin.net/security/PMASA-2016-54/</url>; + <url>https://www.phpmyadmin.net/security/PMASA-2016-55/</url>; + <url>https://www.phpmyadmin.net/security/PMASA-2016-56/</url>; + <cvename>CVE-2016-6606</cvename> + <cvename>CVE-2016-6607</cvename> + <cvename>CVE-2016-6608</cvename> + <cvename>CVE-2016-6609</cvename> + <cvename>CVE-2016-6610</cvename> + <cvename>CVE-2016-6611</cvename> + <cvename>CVE-2016-6612</cvename> + <cvename>CVE-2016-6613</cvename> + <cvename>CVE-2016-6614</cvename> + <cvename>CVE-2016-6615</cvename> + <cvename>CVE-2016-6616</cvename> + <cvename>CVE-2016-6617</cvename> + <cvename>CVE-2016-6618</cvename> + <cvename>CVE-2016-6619</cvename> + <cvename>CVE-2016-6620</cvename> + <cvename>CVE-2016-6622</cvename> + <cvename>CVE-2016-6623</cvename> + <cvename>CVE-2016-6624</cvename> + <cvename>CVE-2016-6625</cvename> + <cvename>CVE-2016-6626</cvename> + <cvename>CVE-2016-6627</cvename> + <cvename>CVE-2016-6628</cvename> + <cvename>CVE-2016-6629</cvename> + <cvename>CVE-2016-6630</cvename> + <cvename>CVE-2016-6631</cvename> + <cvename>CVE-2016-6632</cvename> + <cvename>CVE-2016-6633</cvename> + </references> + <dates> + <discovery>2016-08-17</discovery> + <entry>2016-08-17</entry> + </dates> + </vuln> + <vuln vid="f7dd2d09-625e-11e6-828b-fcaa14edc6a6"> <topic>TeamSpeak Server 3 -- Multiple vulnerabilities including Remote Code Execution</topic> <affects>
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201608171102.u7HB2hQK090337>