From owner-svn-ports-head@freebsd.org Wed Aug 17 11:02:44 2016 Return-Path: Delivered-To: svn-ports-head@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id EE759BBB0EF; Wed, 17 Aug 2016 11:02:44 +0000 (UTC) (envelope-from matthew@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id B803A1D0A; Wed, 17 Aug 2016 11:02:44 +0000 (UTC) (envelope-from matthew@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id u7HB2ioC090338; Wed, 17 Aug 2016 11:02:44 GMT (envelope-from matthew@FreeBSD.org) Received: (from matthew@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id u7HB2hQK090337; Wed, 17 Aug 2016 11:02:43 GMT (envelope-from matthew@FreeBSD.org) Message-Id: <201608171102.u7HB2hQK090337@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: matthew set sender to matthew@FreeBSD.org using -f 
From: Matthew Seaman Date: Wed, 17 Aug 2016 11:02:43 +0000 (UTC) To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: svn commit: r420331 - head/security/vuxml X-SVN-Group: ports-head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-ports-head@freebsd.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: SVN commit messages for the ports tree for head List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 17 Aug 2016 11:02:45 -0000 Author: matthew Date: Wed Aug 17 11:02:43 2016 New Revision: 420331 URL: https://svnweb.freebsd.org/changeset/ports/420331 Log: Document 26 new security advisories from phpmadmin. Some of these are described as 'critical'. Modified: head/security/vuxml/vuln.xml Modified: head/security/vuxml/vuln.xml ============================================================================== --- head/security/vuxml/vuln.xml Wed Aug 17 10:46:48 2016 (r420330) +++ head/security/vuxml/vuln.xml Wed Aug 17 11:02:43 2016 (r420331) @@ -58,6 +58,488 @@ Notes: * Do not forget port variants (linux-f10-libxml2, libxml2, etc.) --> + + phpmyadmin -- multiple vulnerabilities + + + phpmyadmin + 4.6.04.6.4 + + + + +

The phpmyadmin development team reports:

+
+

Summary

+

Weakness with cookie encryption

+

Description

+

A pair of vulnerabilities were found affecting the + way cookies are stored.

+
    +
  • The decryption of the username/password is + vulnerable to a padding oracle attack. The can allow + an attacker who has access to a user's browser cookie + file to decrypt the username and password.
  • +
  • A vulnerability was found where the same + initialization vector (IV) is used to hash the + username and password stored in the phpMyAdmin + cookie. If a user has the same password as their + username, an attacker who examines the browser cookie + can see that they are the but the attacker can not + directly decode these values from the cookie as it is + still hashed.
  • +
+

Severity

+

We consider this to be critical.

+
+
+

Summary

+

Multiple XSS vulnerabilities

+

Description

+

Multiple vulnerabilities have been discovered in the + following areas of phpMyAdmin:

+
    +
  • Zoom search: Specially crafted column content can + be used to trigger an XSS attack
  • +
  • GIS editor: Certain fields in the graphical GIS + editor at not properly escaped and can be used to + trigger an XSS attack
  • +
  • Relation view
  • +
  • The following Transformations: +
      +
    • Formatted
    • +
    • Imagelink
    • +
    • JPEG: Upload
    • +
    • RegexValidation
    • +
    • JPEG inline
    • +
    • PNG inline
    • +
    • transformation wrapper
    • +
    +
  • +
  • XML export
  • +
  • MediaWiki export
  • +
  • Designer
  • +
  • When the MySQL server is running with a + specially-crafted log_bin directive
  • +
  • Database tab
  • +
  • Replication feature
  • +
  • Database search
  • +
+

Severity

+

We consider these vulnerabilities to be of + moderate severity.

+
+
+

Summary

+

Multiple XSS vulnerabilities

+

Description

+

XSS vulnerabilities were discovered in:

+
    +
  • The database privilege check
  • +
  • The "Remove partitioning" functionality
  • +
+

Specially crafted database names can trigger the XSS + attack.

+

Severity

+

We consider these vulnerabilities to be of moderate + severity.

+
+
+

Summary

+

PHP code injection

+

Description

+

A vulnerability was found where a specially crafted + database name could be used to run arbitrary PHP + commands through the array export feature

+

Severity

+

We consider these vulnerabilities to be of + moderate severity.

+
+
+

Summary

+

Full path disclosure

+

Description

+

A full path disclosure vulnerability was discovered + where a user can trigger a particular error in the + export mechanism to discover the full path of phpMyAdmin + on the disk.

+

Severity

+

We consider this vulnerability to be + non-critical.

+
+
+

Summary

+

SQL injection attack

+

Description

+

A vulnerability was reported where a specially + crafted database and/or table name can be used to + trigger an SQL injection attack through the export + functionality.

+

Severity

+

We consider this vulnerability to be serious

+
+
+

Summary

+

Local file exposure

+

Description

+

A vulnerability was discovered where a user can + exploit the LOAD LOCAL INFILE functionality to expose + files on the server to the database system.

+

Severity

+

We consider this vulnerability to be serious.

+
+
+

Summary

+

Local file exposure through symlinks with + UploadDir

+

Description

+

A vulnerability was found where a user can + specially craft a symlink on disk, to a file which + phpMyAdmin is permitted to read but the user is not, + which phpMyAdmin will then expose to the user.

+

Severity

+

We consider this vulnerability to be serious, + however due to the mitigation factors the + default state is not vulnerable.

+

Mitigation factor

+

1) The installation must be run with UploadDir configured + (not the default) 2) The user must be able to create a + symlink in the UploadDir 3) The user running the phpMyAdmin + application must be able to read the file

+
+
+

Summary

+

Path traversal with SaveDir and UploadDir

+

Description

+

A vulnerability was reported with the %u + username replacement functionality of the SaveDir and + UploadDir features. When the username substitution is + configured, a specially-crafted user name can be used to + circumvent restrictions to traverse the file system.

+

Severity

+

We consider this vulnerability to be serious, + however due to the mitigation factors the default + state is not vulnerable.

+

Mitigation factor

+

1) A system must be configured with the %u username + replacement, such as `$cfg['SaveDir'] = + 'SaveDir_%u';` 2) The user must be able to create a + specially-crafted MySQL user, including the `/.` sequence of + characters, such as `/../../`

+
+
+

Summary

+

Multiple XSS vulnerabilities

+

Description

+

Multiple XSS vulnerabilities were found in the following + areas:

+
    +
  • Navigation pane and database/table hiding + feature. A specially-crafted database name can be used + to trigger an XSS attack.
  • +
  • The "Tracking" feature. A specially-crafted query + can be used to trigger an XSS attack.
  • +
  • GIS visualization feature.
  • +
+

Severity

+

We consider this vulnerability to be non-critical.

+
+
+

Summary

+

SQL injection attack

+

Description

+

A vulnerability was discovered in the following + features where a user can execute an SQL injection + attack against the account of the control user: + User group Designer

+

Severity

+

We consider this vulnerability to be serious.

+

Mitigation factor

+

The server must have a control user account created in + MySQL and configured in phpMyAdmin; installations without a + control user are not vulnerable.

+
+
+

Summary

+

SQL injection attack

+

Description

+

A vulnerability was reported where a specially + crafted database and/or table name can be used to + trigger an SQL injection attack through the export + functionality.

+

Severity

+

We consider this vulnerability to be serious

+
+
+

Summary

+

Denial of service (DOS) attack in transformation + feature

+

Description

+

A vulnerability was found in the transformation feature + allowing a user to trigger a denial-of-service (DOS) attack + against the server.

+

Severity

+

We consider this vulnerability to be non-critical

+
+
+

Summary

+

SQL injection attack as control user

+

Description

+

A vulnerability was discovered in the user interface + preference feature where a user can execute an SQL injection + attack against the account of the control user.

+

Severity

+

We consider this vulnerability to be serious.

+

Mitigation factor

+

The server must have a control user account created in + MySQL and configured in phpMyAdmin; installations without a + control user are not vulnerable.

+
+
+

Summary

+

Unvalidated data passed to unserialize()

+

Description

+

A vulnerability was reported where some data is passed to + the PHP unserialize() function without + verification that it's valid serialized data.

+

Due to how the PHP function + operates,

+
+

Unserialization can result in code being loaded and + executed due to object instantiation and autoloading, and + a malicious user may be able to exploit this.

+
+

Therefore, a malicious user may be able to manipulate the + stored data in a way to exploit this weakness.

+

Severity

+

We consider this vulnerability to be moderately + severe.

+
+
+

Summary

+

DOS attack with forced persistent connections

+

Description

+

A vulnerability was discovered where an unauthenticated + user is able to execute a denial-of-service (DOS) attack by + forcing persistent connections when phpMyAdmin is running + with $cfg['AllowArbitraryServer']=true;.

+

Severity

+

We consider this vulnerability to be critical, although + note that phpMyAdmin is not vulnerable by default.

+
+
+

Summary

+

Denial of service (DOS) attack by for loops

+

Description

+

A vulnerability has been reported where a malicious + authorized user can cause a denial-of-service (DOS) attack + on a server by passing large values to a loop.

+

Severity

+

We consider this issue to be of moderate severity.

+
+
+

Summary

+

IPv6 and proxy server IP-based authentication rule + circumvention

+

Description

+

A vulnerability was discovered where, under certain + circumstances, it may be possible to circumvent the + phpMyAdmin IP-based authentication rules.

+

When phpMyAdmin is used with IPv6 in a proxy server + environment, and the proxy server is in the allowed range + but the attacking computer is not allowed, this + vulnerability can allow the attacking computer to connect + despite the IP rules.

+

Severity

+

We consider this vulnerability to be serious

+

Mitigation factor

+

* The phpMyAdmin installation must be running with + IP-based allow/deny rules * The phpMyAdmin installation must + be running behind a proxy server (or proxy servers) where + the proxy server is "allowed" and the attacker is + "denied" * The connection between the proxy server + and phpMyAdmin must be via IPv6

+
+
+

Summary

+

Detect if user is logged in

+

Description

+

A vulnerability was reported where an attacker can + determine whether a user is logged in to phpMyAdmin.

+

The user's session, username, and password are not + compromised by this vulnerability.

+

Severity

+

We consider this vulnerability to be non-critical.

+
+
+

Summary

+

Bypass URL redirect protection

+

Description

+

A vulnerability was discovered where an attacker could + redirect a user to a malicious web page.

+

Severity

+

We consider this to be of moderate severity

+
+
+

Summary

+

Referrer leak in url.php

+

Description

+

A vulnerability was discovered where an attacker can + determine the phpMyAdmin host location through the file + url.php.

+

Severity

+

We consider this to be of moderate severity.

+
+
+

Summary

+

Reflected File Download attack

+

Description

+

A vulnerability was discovered where an attacker may be + able to trigger a user to download a specially crafted + malicious SVG file.

+

Severity

+

We consider this issue to be of moderate severity.

+
+
+

Summary

+

ArbitraryServerRegexp bypass

+

Description

+

A vulnerability was reported with the + $cfg['ArbitraryServerRegexp'] configuration + directive. An attacker could reuse certain cookie values in + a way of bypassing the servers defined by + ArbitraryServerRegexp.

+

Severity

+

We consider this vulnerability to be critical.

+

Mitigation factor

+

Only servers using + `$cfg['ArbitraryServerRegexp']` are vulnerable to + this attack.

+
+
+

Summary

+

Denial of service (DOS) attack by changing password to a + very long string

+

Description

+

An authenticated user can trigger a denial-of-service + (DOS) attack by entering a very long password at the change + password dialog.

+

Severity

+

We consider this vulnerability to be serious.

+
+
+

Summary

+

Remote code execution vulnerability when run as CGI

+

Description

+

A vulnerability was discovered where a user can execute a + remote code execution attack against a server when + phpMyAdmin is being run as a CGI application. Under certain + server configurations, a user can pass a query string which + is executed as a command-line argument by the file + generator_plugin.sh.

+

Severity

+

We consider this vulnerability to be critical.

+

Mitigation factor

+

The file + `/libraries/plugins/transformations/generator_plugin.sh` may + be removed. Under certain server configurations, it may be + sufficient to remove execute permissions for this file.

+
+
+

Summary

+

Denial of service (DOS) attack with dbase extension

+

Description

+

A flaw was discovered where, under certain conditions, + phpMyAdmin may not delete temporary files during the import + of ESRI files.

+

Severity

+

We consider this vulnerability to be non-critical.

+

Mitigation factor

+

This vulnerability only exists when PHP is running with + the dbase extension, which is not shipped by default, not + available in most Linux distributions, and doesn't + compile with PHP7.

+
+
+

Summary

+

Remote code execution vulnerability when PHP is running + with dbase extension

+

Description

+

A vulnerability was discovered where phpMyAdmin can be + used to trigger a remote code execution attack against + certain PHP installations.

+

Severity

+

We consider this vulnerability to be critical.

+

Mitigation factor

+

This vulnerability only exists when PHP is running with + the dbase extension, which is not shipped by default, not + available in most Linux distributions, and doesn't + compile with PHP7.

+
+ +
+ + https://www.phpmyadmin.net/security/PMASA-2016-29/ + https://www.phpmyadmin.net/security/PMASA-2016-30/ + https://www.phpmyadmin.net/security/PMASA-2016-31/ + https://www.phpmyadmin.net/security/PMASA-2016-32/ + https://www.phpmyadmin.net/security/PMASA-2016-33/ + https://www.phpmyadmin.net/security/PMASA-2016-34/ + https://www.phpmyadmin.net/security/PMASA-2016-35/ + https://www.phpmyadmin.net/security/PMASA-2016-36/ + https://www.phpmyadmin.net/security/PMASA-2016-37/ + https://www.phpmyadmin.net/security/PMASA-2016-38/ + https://www.phpmyadmin.net/security/PMASA-2016-39/ + https://www.phpmyadmin.net/security/PMASA-2016-40/ + https://www.phpmyadmin.net/security/PMASA-2016-41/ + https://www.phpmyadmin.net/security/PMASA-2016-42/ + https://www.phpmyadmin.net/security/PMASA-2016-43/ + https://www.phpmyadmin.net/security/PMASA-2016-45/ + https://www.phpmyadmin.net/security/PMASA-2016-46/ + https://www.phpmyadmin.net/security/PMASA-2016-47/ + https://www.phpmyadmin.net/security/PMASA-2016-48/ + https://www.phpmyadmin.net/security/PMASA-2016-49/ + https://www.phpmyadmin.net/security/PMASA-2016-50/ + https://www.phpmyadmin.net/security/PMASA-2016-51/ + https://www.phpmyadmin.net/security/PMASA-2016-52/ + https://www.phpmyadmin.net/security/PMASA-2016-53/ + https://www.phpmyadmin.net/security/PMASA-2016-54/ + https://www.phpmyadmin.net/security/PMASA-2016-55/ + https://www.phpmyadmin.net/security/PMASA-2016-56/ + CVE-2016-6606 + CVE-2016-6607 + CVE-2016-6608 + CVE-2016-6609 + CVE-2016-6610 + CVE-2016-6611 + CVE-2016-6612 + CVE-2016-6613 + CVE-2016-6614 + CVE-2016-6615 + CVE-2016-6616 + CVE-2016-6617 + CVE-2016-6618 + CVE-2016-6619 + CVE-2016-6620 + CVE-2016-6622 + CVE-2016-6623 + CVE-2016-6624 + CVE-2016-6625 + CVE-2016-6626 + CVE-2016-6627 + CVE-2016-6628 + CVE-2016-6629 + CVE-2016-6630 + CVE-2016-6631 + CVE-2016-6632 + CVE-2016-6633 + + + 2016-08-17 + 2016-08-17 + +
+ TeamSpeak Server 3 -- Multiple vulnerabilities including Remote Code Execution
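Review bot: the log message says 26 new advisories, but the entry itself carries 27: the references list PMASA-2016-29 through PMASA-2016-56 with only -44 missing (27 URLs), 27 CVE ids (CVE-2016-6606 through -6633 with -6621 missing), and 27 Summary/Description/Severity blocks, so either the log count or the entry needs reconciling. Separately, the two "SQL injection attack" blocks are word-for-word identical ("A vulnerability was reported where a specially crafted database and/or table name can be used to trigger an SQL injection attack through the export functionality", severity "serious" with no trailing period in both); please confirm these map to two distinct PMASA advisories rather than a duplicated paste, and if they are distinct, consider adding the PMASA id to each block so readers can tell which advisory each of the 27 descriptions belongs to, since the entry currently gives no per-issue mapping between descriptions, advisories and CVE ids.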