Date: Fri, 29 Sep 2017 15:51:08 +0000 (UTC)
From: Ryan Steinmetz <zi@FreeBSD.org>
To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject: svn commit: r450906 - head/security/vuxml
Message-ID: <201709291551.v8TFp8Ea019276@repo.freebsd.org>
Author: zi
Date: Fri Sep 29 15:51:08 2017
New Revision: 450906

URL: https://svnweb.freebsd.org/changeset/ports/450906

Log:
  - Condense entries whose description is >5000 characters

  Approved by:	ports-secteam (with hat)

Modified:
  head/security/vuxml/vuln.xml

Modified: head/security/vuxml/vuln.xml
==============================================================================
--- head/security/vuxml/vuln.xml	Fri Sep 29 15:31:32 2017	(r450905)
+++ head/security/vuxml/vuln.xml	Fri Sep 29 15:51:08 2017	(r450906)
@@ -2622,176 +2622,7 @@ Notes: <body xmlns="http://www.w3.org/1999/xhtml"> <p>The Webkit gtk team reports:</p> <blockquote cite="https://webkitgtk.org/security/WSA-2017-0006.html"> - <p>CVE-2017-7006: Versions affected: WebKitGTK+ before 2.16.2.<br/> - Credit to David Kohlbrenner of UC San Diego, an anonymous - researcher.<br/> - Impact: A malicious website may exfiltrate data cross-origin. - Description: Processing maliciously crafted web content may - allow cross-origin data to be exfiltrated by using SVG filters - to conduct a timing side-channel attack. This issue was addressed by not painting the cross-origin buffer into the frame that gets filtered.</p> - - <p>CVE-2017-7011: Versions affected: WebKitGTK+ before 2.16.3.<br/> - Credit to xisigr of Tencent’s Xuanwu Lab (tencent.com).<br/> - Impact: Visiting a malicious website may lead to address bar - spoofing. Description: A state management issue was addressed - with improved frame handling.</p> - - <p>CVE-2017-7012: Versions affected: WebKitGTK+ before 2.16.2.<br/> - Credit to Apple.<br/> - Impact: Processing maliciously crafted web content may lead to - arbitrary code execution. Description: Multiple memory - corruption issues were addressed with improved memory - handling.</p> - - <p>CVE-2017-7018: Versions affected: WebKitGTK+ before 2.16.6.<br/> - Credit to lokihardt of Google Project Zero.<br/> - Impact: Processing maliciously crafted web content may lead to - arbitrary code execution. Description: Multiple memory - corruption issues were addressed with improved memory - handling.</p> - - <p>CVE-2017-7019: Versions affected: WebKitGTK+ before 2.16.2.<br/> - Credit to Zhiyang Zeng of Tencent Security Platform Department.<br/> - Impact: Processing maliciously crafted web content may lead - to arbitrary code execution. 
Description: Multiple memory - corruption issues were addressed with improved memory - handling.</p> - - <p>CVE-2017-7020: Versions affected: WebKitGTK+ before 2.16.1.<br/> - Credit to likemeng of Baidu Security Lab.<br/> - Impact: Processing maliciously crafted web content may lead - to arbitrary code execution. Description: Multiple memory - corruption issues were addressed with improved memory - handling.</p> - - <p>CVE-2017-7030: Versions affected: WebKitGTK+ before 2.16.6.<br/> - Credit to chenqin of Ant-financial Light-Year Security Lab - (蚂蚁金服巴斯光年安全实验室).<br/> - Impact: Processing maliciously crafted web content may lead - to arbitrary code execution. Description: Multiple memory - corruption issues were addressed with improved memory - handling.</p> - - <p>CVE-2017-7034: Versions affected: WebKitGTK+ before 2.16.6.<br/> - Credit to chenqin of Ant-financial Light-Year Security Lab - (蚂蚁金服巴斯光年安全实验室).<br/> - Impact: Processing maliciously crafted web content may lead - to arbitrary code execution. Description: Multiple memory - corruption issues were addressed with improved memory - handling.</p> - - <p>CVE-2017-7037: Versions affected: WebKitGTK+ before 2.16.6.<br/> - Credit to lokihardt of Google Project Zero.<br/> - Impact: Processing maliciously crafted web content may lead - to arbitrary code execution. Description: Multiple memory - corruption issues were addressed with improved memory - handling.</p> - - <p>CVE-2017-7038: Versions affected: WebKitGTK+ before 2.16.2.<br/> - Credit to Neil Jenkins of FastMail Pty Ltd, Egor Karbutov - (@ShikariSenpai) of Digital Security and Egor Saltykov - (@ansjdnakjdnajkd) of Digital Security.<br/> - Impact: Processing maliciously crafted web content with - DOMParser may lead to cross site scripting. Description: - A logic issue existed in the handling of DOMParser. 
This - issue was addressed with improved state management.</p> - - <p>CVE-2017-7039: Versions affected: WebKitGTK+ before 2.16.6.<br/> - Credit to Ivan Fratric of Google Project Zero.<br/> - Impact: Processing maliciously crafted web content may lead - to arbitrary code execution. Description: Multiple memory - corruption issues were addressed with improved memory - handling.</p> - - <p>CVE-2017-7040: Versions affected: WebKitGTK+ before 2.16.3.<br/> - Credit to Ivan Fratric of Google Project Zero.<br/> - Impact: Processing maliciously crafted web content may lead - to arbitrary code execution. Description: Multiple memory - corruption issues were addressed with improved memory - handling.</p> - - <p>CVE-2017-7041: Versions affected: WebKitGTK+ before 2.16.2.<br/> - Credit to Ivan Fratric of Google Project Zero.<br/> - Impact: Processing maliciously crafted web content may lead - to arbitrary code execution. Description: Multiple memory - corruption issues were addressed with improved memory - handling.</p> - - <p>CVE-2017-7042: Versions affected: WebKitGTK+ before 2.16.2.<br/> - Credit to Ivan Fratric of Google Project Zero.<br/> - Impact: Processing maliciously crafted web content may lead - to arbitrary code execution. Description: Multiple memory - corruption issues were addressed with improved memory - handling.</p> - - <p>CVE-2017-7043: Versions affected: WebKitGTK+ before 2.16.2.<br/> - Credit to Ivan Fratric of Google Project Zero.<br/> - Impact: Processing maliciously crafted web content may lead - to arbitrary code execution. Description: Multiple memory - corruption issues were addressed with improved memory - handling.</p> - - <p>CVE-2017-7046: Versions affected: WebKitGTK+ before 2.16.6.<br/> - Credit to Ivan Fratric of Google Project Zero.<br/> - Impact: Processing maliciously crafted web content may lead - to arbitrary code execution. 
Description: Multiple memory - corruption issues were addressed with improved memory - handling.</p> - - <p>CVE-2017-7048: Versions affected: WebKitGTK+ before 2.16.6.<br/> - Credit to Ivan Fratric of Google Project Zero.<br/> - Impact: Processing maliciously crafted web content may lead - to arbitrary code execution. Description: Multiple memory - corruption issues were addressed with improved memory - handling.</p> - - <p>CVE-2017-7049: Versions affected: WebKitGTK+ before 2.16.2.<br/> - Credit to Ivan Fratric of Google Project Zero.<br/> - Impact: Processing maliciously crafted web content may lead - to arbitrary code execution. Description: Multiple memory - corruption issues were addressed through improved memory - handling.</p> - - <p>CVE-2017-7052: Versions affected: WebKitGTK+ before 2.16.4.<br/> - Credit to cc working with Trend Micro’s Zero Day Initiative.<br/> - Impact: Processing maliciously crafted web content may lead - to arbitrary code execution. Description: Multiple memory - corruption issues were addressed with improved memory - handling.</p> - - <p>CVE-2017-7055: Versions affected: WebKitGTK+ before 2.16.6.<br/> - Credit to The UK’s National Cyber Security Centre (NCSC).<br/> - Impact: Processing maliciously crafted web content may lead - to arbitrary code execution. Description: Multiple memory - corruption issues were addressed with improved memory - handling.</p> - - <p>CVE-2017-7056: Versions affected: WebKitGTK+ before 2.16.6.<br/> - Credit to lokihardt of Google Project Zero.<br/> - Impact: Processing maliciously crafted web content may lead - to arbitrary code execution. Description: Multiple memory - corruption issues were addressed with improved memory - handling.</p> - - <p>CVE-2017-7059: Versions affected: WebKitGTK+ before 2.16.3.<br/> - Credit to an anonymous researcher.<br/> - Impact: Processing maliciously crafted web content with - DOMParser may lead to cross site scripting. 
Description: - A logic issue existed in the handling of DOMParser. This - issue was addressed with improved state management.</p> - - <p>CVE-2017-7061: Versions affected: WebKitGTK+ before 2.16.6.<br/> - Credit to lokihardt of Google Project Zero.<br/> - Impact: Processing maliciously crafted web content may lead - to arbitrary code execution. Description: Multiple memory - corruption issues were addressed with improved memory - handling.</p> - - <p>CVE-2017-7064: Versions affected: WebKitGTK+ before 2.16.6.<br/> - Credit to lokihardt of Google Project Zero.<br/> - Impact: An application may be able to read restricted - memory. Description: A memory initialization issue was - addressed through improved memory handling.</p> + <p>Please reference CVE/URL list for details</p> </blockquote> </body> </description> 
@@ -4674,120 +4505,7 @@ maliciously crafted GET request to the Horde server.</ <description> <body xmlns="http://www.w3.org/1999/xhtml"> <blockquote cite="https://nvd.nist.gov/vuln/search/results?query=ImageMagick"> - <ul> - <li>CVE-2017-5506: Double free vulnerability in magick/profile.c in - ImageMagick allows remote attackers to have unspecified impact via - a crafted file.</li> - <li>CVE-2017-5507: Memory leak in coders/mpc.c in ImageMagick before - 6.9.7-4 and 7.x before 7.0.4-4 allows remote attackers to cause a - denial of service (memory consumption) via vectors involving a - pixel cache.</li> - <li>CVE-2017-5508: Heap-based buffer overflow in the - PushQuantumPixel function in ImageMagick before 6.9.7-3 and 7.x - before 7.0.4-3 allows remote attackers to cause a denial of - service (application crash) via a crafted TIFF file.</li> - <li>CVE-2017-5509: coders/psd.c in ImageMagick allows remote - attackers to have unspecified impact via a crafted PSD file, which - triggers an out-of-bounds write.</li> - <li>CVE-2017-5510: coders/psd.c in ImageMagick allows remote - attackers to have unspecified impact via a crafted PSD file, which - triggers an out-of-bounds write.</li> - <li>CVE-2017-5511: coders/psd.c in ImageMagick allows remote - attackers to have unspecified impact by leveraging an improper - cast, which triggers a heap-based buffer overflow.</li> - <li>CVE-2017-6497: An issue was discovered in ImageMagick 6.9.7. - A specially crafted psd file could lead to a NULL pointer - dereference (thus, a DoS).</li> - <li>CVE-2017-6498: An issue was discovered in ImageMagick 6.9.7. - Incorrect TGA files could trigger assertion failures, thus leading - to DoS.</li> - <li>CVE-2017-6499: An issue was discovered in Magick++ in - ImageMagick 6.9.7. A specially crafted file creating a nested - exception could lead to a memory leak (thus, a DoS).</li> - <li>CVE-2017-6500: An issue was discovered in ImageMagick 6.9.7. 
- A specially crafted sun file triggers a heap-based - buffer over-read.</li> - <li>CVE-2017-6501: An issue was discovered in ImageMagick 6.9.7. - A specially crafted xcf file could lead to a NULL pointer - dereference.</li> - <li>CVE-2017-6502: An issue was discovered in ImageMagick 6.9.7. - A specially crafted webp file could lead to a file-descriptor - leak in libmagickcore (thus, a DoS).</li> - <li>CVE-2017-7275: The ReadPCXImage function in coders/pcx.c in - ImageMagick 7.0.4.9 allows remote attackers to cause a denial of - service (attempted large memory allocation and application crash) - via a crafted file. NOTE: this vulnerability exists because of an - incomplete fix for CVE-2016-8862 and CVE-2016-8866.</li> - <li>CVE-2017-7606: coders/rle.c in ImageMagick 7.0.5-4 has an - "outside the range of representable values of type unsigned char" - undefined behavior issue, which might allow remote attackers to - cause a denial of service (application crash) or possibly have - unspecified other impact via a crafted image.</li> - <li>CVE-2017-7619: In ImageMagick 7.0.4-9, an infinite loop can - occur because of a floating-point rounding error in some of the - color algorithms. 
This affects ModulateHSL, ModulateHCL, - ModulateHCLp, ModulateHSB, ModulateHSI, ModulateHSV, ModulateHWB, - ModulateLCHab, and ModulateLCHuv.</li> - <li>CVE-2017-7941: The ReadSGIImage function in sgi.c allows remote - attackers to consume an amount of available memory via a crafted - file.</li> - <li>CVE-2017-7942: The ReadAVSImage function in avs.c allows remote - attackers to consume an amount of available memory via a crafted - file.</li> - <li>CVE-2017-7943: The ReadSVGImage function in svg.c allows remote - attackers to consume an amount of available memory via a crafted - file.</li> - <li>CVE-2017-8343: ReadAAIImage function in aai.c allows attackers - to cause a denial of service (memory leak) via a crafted file.</li> - <li>CVE-2017-8344: ReadPCXImage function in pcx.c allows attackers - to cause a denial of service (memory leak) via a crafted file. The - ReadMNGImage function in png.c allows attackers to cause a denial - of service (memory leak) via a crafted file.</li> - <li>CVE-2017-8345: ReadMNGImage function in png.c allows attackers - to cause a denial of service (memory leak) via a crafted file.</li> - <li>CVE-2017-8346: ReadMATImage function in mat.c allows attackers - to cause a denial of service (memory leak) via a crafted file.</li> - <li>CVE-2017-8347: ReadMATImage function in mat.c allows attackers - to cause a denial of service (memory leak) via a crafted file. 
</li> - <li>CVE-2017-8348: ReadMATImage function in mat.c allows attackers - to cause a denial of service (memory leak) via a crafted file.</li> - <li>CVE-2017-8349: ReadSFWImage function in sfw.c allows attackers - to cause a denial of service (memory leak) via a crafted file.</li> - <li>CVE-2017-8350: ReadJNGImage function in png.c allows attackers - to cause a denial of service (memory leak) via a crafted file.</li> - <li>CVE-2017-8351: ReadPCDImage function in pcd.c allows attackers - to cause a denial of service (memory leak) via a crafted file.</li> - <li>CVE-2017-8352: ReadXWDImage function in xwd.c allows attackers - to cause a denial of service (memory leak) via a crafted file.</li> - <li>CVE-2017-8353: ReadPICTImage function in pict.c allows attackers - to cause a denial of service (memory leak) via a crafted file.</li> - <li>CVE-2017-8354: ReadBMPImage function in bmp.c allows attackers - to cause a denial of service (memory leak) via a crafted file.</li> - <li>CVE-2017-8355: ReadMTVImage function in mtv.c allows attackers - to cause a denial of service (memory leak) via a crafted file.</li> - <li>CVE-2017-8356: ReadSUNImage function in sun.c allows attackers - to cause a denial of service (memory leak) via a crafted file.</li> - <li>CVE-2017-8357: ReadEPTImage function in ept.c allows attackers - to cause a denial of service (memory leak) via a crafted file.</li> - <li>CVE-2017-8765: The function named ReadICONImage in coders\icon.c - has a memory leak vulnerability which can cause memory exhaustion - via a crafted ICON file.</li> - <li>CVE-2017-8830: ReadBMPImage function in bmp.c:1379 allows - attackers to cause a denial of service (memory leak) via a crafted - file.</li> - <li>CVE-2017-9141: A crafted file could trigger an assertion failure - in the ResetImageProfileIterator function in MagickCore/profile.c - because of missing checks in the ReadDDSImage function in - coders/dds.c.</li> - <li>CVE-2017-9142: A crafted file could trigger an assertion 
failure - in the WriteBlob function in MagickCore/blob.c because of missing - checks in the ReadOneJNGImage function in coders/png.c.</li> - <li>CVE-2017-9143: ReadARTImage function in coders/art.c allows - attackers to cause a denial of service (memory leak) via a crafted - .art file.</li> - <li>CVE-2017-9144: A crafted RLE image can trigger a crash because - of incorrect EOF handling in coders/rle.c.</li> - </ul> + <p>Please reference CVE/URL list for details</p> </blockquote> </body> </description> 
@@ -12689,200 +12407,7 @@ maliciously crafted GET request to the Horde server.</ </affects> <description> <body xmlns="http://www.w3.org/1999/xhtml"> - <p>The phpMyAdmin development team reports:</p> - <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-57/"> - <h3>Summary</h3> - <p>Open redirection</p> - <h3>Description</h3> - <p>A vulnerability was discovered where a user can be - tricked in to following a link leading to phpMyAdmin, - which after authentication redirects to another - malicious site.</p> - <p>The attacker must sniff the user's valid phpMyAdmin - token.</p> - <h3>Severity</h3> - <p>We consider this vulnerability to be of moderate - severity.</p> - </blockquote> - <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-58/"> - <h3>Summary</h3> - <p>Unsafe generation of blowfish secret</p> - <h3>Description</h3> - <p>When the user does not specify a blowfish_secret key - for encrypting cookies, phpMyAdmin generates one at - runtime. A vulnerability was reported where the way this - value is created using a weak algorithm.</p> - <p>This could allow an attacker to determine the user's - blowfish_secret and potentially decrypt their - cookies.</p> - <h3>Severity</h3> - <p>We consider this vulnerability to be of moderate - severity.</p> - <h3>Mitigation factor</h3> - <p>This vulnerability only affects cookie - authentication and only when a user has not - defined a $cfg['blowfish_secret'] in - their config.inc.php</p> - </blockquote> - <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-59/"> - <h3>Summary</h3> - <p>phpinfo information leak value of sensitive - (HttpOnly) cookies</p> - <h3>Description</h3> - <p>phpinfo (phpinfo.php) shows PHP information - including values of HttpOnly cookies.</p> - <h3>Severity</h3> - <p>We consider this vulnerability to be - non-critical.</p> - <h3>Mitigation factor</h3> - <p>phpinfo in disabled by default and needs - to be enabled explicitly.</p> - </blockquote> - <blockquote 
cite="https://www.phpmyadmin.net/security/PMASA-2016-60/"> - <h3>Summary</h3> - <p>Username deny rules bypass (AllowRoot & Others) - by using Null Byte</p> - <h3>Description</h3> - <p>It is possible to bypass AllowRoot restriction - ($cfg['Servers'][$i]['AllowRoot']) and deny rules - for username by using Null Byte in the username.</p> - <h3>Severity</h3> - <p>We consider this vulnerability to be - severe.</p> - </blockquote> - <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-61/"> - <h3>Summary</h3> - <p>Username rule matching issues</p> - <h3>Description</h3> - <p>A vulnerability in username matching for the - allow/deny rules may result in wrong matches and - detection of the username in the rule due to - non-constant execution time.</p> - <h3>Severity</h3> - <p>We consider this vulnerability to be severe.</p> - </blockquote> - <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-62/"> - <h3>Summary</h3> - <p>Bypass logout timeout</p> - <h3>Description</h3> - <p>With a crafted request parameter value it is possible - to bypass the logout timeout.</p> - <h3>Severity</h3> - <p>We consider this vulnerability to be of moderate - severity.</p> - </blockquote> - <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-63/"> - <h3>Summary</h3> - <p>Multiple full path disclosure vulnerabilities</p> - <h3>Description</h3> - <p>By calling some scripts that are part of phpMyAdmin in an - unexpected way, it is possible to trigger phpMyAdmin to - display a PHP error message which contains the full path of - the directory where phpMyAdmin is installed. 
During an - execution timeout in the export functionality, the errors - containing the full path of the directory of phpMyAdmin is - written to the export file.</p> - <h3>Severity</h3> - <p>We consider these vulnerability to be - non-critical.</p> - </blockquote> - <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-64/"> - <h3>Summary</h3> - <p>Multiple XSS vulnerabilities</p> - <h3>Description</h3> - <p>Several XSS vulnerabilities have been reported, including - an improper fix for <a href="https://www.phpmyadmin.net/security/PMASA-2016-10/">PMASA-2016-10</a> and a weakness in a regular expression - using in some JavaScript processing.</p> - <h3>Severity</h3> - <p>We consider this vulnerability to be - non-critical.</p> - </blockquote> - <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-65/"> - <h3>Summary</h3> - <p>Multiple DOS vulnerabilities</p> - <h3>Description</h3> - <p>With a crafted request parameter value it is possible - to initiate a denial of service attack in saved searches - feature.</p> - <p>With a crafted request parameter value it is possible - to initiate a denial of service attack in import - feature.</p> - <p>An unauthenticated user can execute a denial of - service attack when phpMyAdmin is running with - <code>$cfg['AllowArbitraryServer']=true;</code>.</p> - <h3>Severity</h3> - <p>We consider these vulnerabilities to be of - moderate severity.</p> - </blockquote> - <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-66/"> - <h3>Summary</h3> - <p>Bypass white-list protection for URL redirection</p> - <h3>Description</h3> - <p>Due to the limitation in URL matching, it was - possible to bypass the URL white-list protection.</p> - <h3>Severity</h3> - <p>We consider this vulnerability to be of moderate - severity.</p> - </blockquote> - <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-67/"> - <h3>Summary</h3> - <p>BBCode injection vulnerability</p> - <h3>Description</h3> - <p>With a crafted 
login request it is possible to inject - BBCode in the login page.</p> - <h3>Severity</h3> - <p>We consider this vulnerability to be severe.</p> - <h3>Mitigation factor</h3> - <p>This exploit requires phpMyAdmin to be configured - with the "cookie" auth_type; other - authentication methods are not affected.</p> - </blockquote> - <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-68/"> - <h3>Summary</h3> - <p>DOS vulnerability in table partitioning</p> - <h3>Description</h3> - <p>With a very large request to table partitioning - function, it is possible to invoke a Denial of Service - (DOS) attack.</p> - <h3>Severity</h3> - <p>We consider this vulnerability to be of moderate - severity.</p> - </blockquote> - <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-69/"> - <h3>Summary</h3> - <p>Multiple SQL injection vulnerabilities</p> - <h3>Description</h3> - <p>With a crafted username or a table name, it was possible - to inject SQL statements in the tracking functionality that - would run with the privileges of the control user. 
This - gives read and write access to the tables of the - configuration storage database, and if the control user has - the necessary privileges, read access to some tables of the - mysql database.</p> - <h3>Severity</h3> - <p>We consider these vulnerabilities to be serious.</p> - </blockquote> - <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-70/"> - <h3>Summary</h3> - <p>Incorrect serialized string parsing</p> - <h3>Description</h3> - <p>Due to a bug in serialized string parsing, it was - possible to bypass the protection offered by - PMA_safeUnserialize() function.</p> - <h3>Severity</h3> - <p>We consider this vulnerability to be severe.</p> - </blockquote> - <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-71/"> - <h3>Summary</h3> - <p>CSRF token not stripped from the URL</p> - <h3>Description</h3> - <p>When the <code>arg_separator</code> is different from its - default value of <code>&</code>, the token was not - properly stripped from the return URL of the preference - import action.</p> - <h3>Severity</h3> - <p>We have not yet determined a severity for this issue.</p> - </blockquote> + <p>Please reference CVE/URL list for details</p> </body> </description> <references> 
@@ -16400,409 +15925,115 @@ and CVE-2013-0155.</p> <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-29/"> <h3>Summary</h3> <p>Weakness with cookie encryption</p> - <h3>Description</h3> - <p>A pair of vulnerabilities were found affecting the - way cookies are stored.</p> - <ul> - <li>The decryption of the username/password is - vulnerable to a padding oracle attack. The can allow - an attacker who has access to a user's browser cookie - file to decrypt the username and password.</li> - <li>A vulnerability was found where the same - initialization vector (IV) is used to hash the - username and password stored in the phpMyAdmin - cookie. If a user has the same password as their - username, an attacker who examines the browser cookie - can see that they are the but the attacker can not - directly decode these values from the cookie as it is - still hashed.</li> - </ul> - <h3>Severity</h3> - <p>We consider this to be critical.</p> </blockquote> <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-30/"> <h3>Summary</h3> <p>Multiple XSS vulnerabilities</p> - <h3>Description</h3> - <p>Multiple vulnerabilities have been discovered in the - following areas of phpMyAdmin:</p> - <ul> - <li>Zoom search: Specially crafted column content can - be used to trigger an XSS attack</li> - <li>GIS editor: Certain fields in the graphical GIS - editor at not properly escaped and can be used to - trigger an XSS attack</li> - <li>Relation view</li> - <li>The following Transformations: - <ul> - <li>Formatted</li> - <li>Imagelink</li> - <li>JPEG: Upload</li> - <li>RegexValidation</li> - <li>JPEG inline</li> - <li>PNG inline</li> - <li>transformation wrapper</li> - </ul> - </li> - <li>XML export</li> - <li>MediaWiki export</li> - <li>Designer</li> - <li>When the MySQL server is running with a - specially-crafted <code>log_bin</code> directive</li> - <li>Database tab</li> - <li>Replication feature</li> - <li>Database search</li> - </ul> - <h3>Severity</h3> - <p>We 
consider these vulnerabilities to be of - moderate severity.</p> </blockquote> <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-31/"> <h3>Summary</h3> <p>Multiple XSS vulnerabilities</p> - <h3>Description</h3> - <p>XSS vulnerabilities were discovered in:</p> - <ul> - <li>The database privilege check</li> - <li>The "Remove partitioning" functionality</li> - </ul> - <p>Specially crafted database names can trigger the XSS - attack.</p> - <h3>Severity</h3> - <p>We consider these vulnerabilities to be of moderate - severity.</p> </blockquote> <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-32/"> <h3>Summary</h3> <p>PHP code injection</p> - <h3>Description</h3> - <p>A vulnerability was found where a specially crafted - database name could be used to run arbitrary PHP - commands through the array export feature</p> - <h3>Severity</h3> - <p>We consider these vulnerabilities to be of - moderate severity.</p> </blockquote> <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-33/"> <h3>Summary</h3> <p>Full path disclosure</p> - <h3>Description</h3> - <p>A full path disclosure vulnerability was discovered - where a user can trigger a particular error in the - export mechanism to discover the full path of phpMyAdmin - on the disk.</p> - <h3>Severity</h3> - <p>We consider this vulnerability to be - non-critical.</p> </blockquote> <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-34/"> <h3>Summary</h3> <p>SQL injection attack</p> - <h3>Description</h3> - <p>A vulnerability was reported where a specially - crafted database and/or table name can be used to - trigger an SQL injection attack through the export - functionality.</p> - <h3>Severity</h3> - <p>We consider this vulnerability to be serious</p> </blockquote> <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-35/"> <h3>Summary</h3> <p>Local file exposure</p> - <h3>Description</h3> - <p>A vulnerability was discovered where a user can - exploit the LOAD 
LOCAL INFILE functionality to expose - files on the server to the database system.</p> - <h3>Severity</h3> - <p>We consider this vulnerability to be serious.</p> </blockquote> <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-36/"> <h3>Summary</h3> <p>Local file exposure through symlinks with UploadDir</p> - <h3>Description</h3> - <p>A vulnerability was found where a user can - specially craft a symlink on disk, to a file which - phpMyAdmin is permitted to read but the user is not, - which phpMyAdmin will then expose to the user.</p> - <h3>Severity</h3> - <p>We consider this vulnerability to be serious, - however due to the mitigation factors the - default state is not vulnerable.</p> - <h3>Mitigation factor</h3> - <p>1) The installation must be run with UploadDir configured - (not the default) 2) The user must be able to create a - symlink in the UploadDir 3) The user running the phpMyAdmin - application must be able to read the file</p> </blockquote> <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-37/"> <h3>Summary</h3> <p>Path traversal with SaveDir and UploadDir</p> - <h3>Description</h3> - <p>A vulnerability was reported with the <code>%u</code> - username replacement functionality of the SaveDir and - UploadDir features. 
When the username substitution is - configured, a specially-crafted user name can be used to - circumvent restrictions to traverse the file system.</p> - <h3>Severity</h3> - <p>We consider this vulnerability to be serious, - however due to the mitigation factors the default - state is not vulnerable.</p> - <h3>Mitigation factor</h3> - <p>1) A system must be configured with the %u username - replacement, such as `$cfg['SaveDir'] = - 'SaveDir_%u';` 2) The user must be able to create a - specially-crafted MySQL user, including the `/.` sequence of - characters, such as `/../../`</p> </blockquote> <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-38/"> <h3>Summary</h3> <p>Multiple XSS vulnerabilities</p> - <h3>Description</h3> - <p>Multiple XSS vulnerabilities were found in the following - areas:</p> - <ul> - <li>Navigation pane and database/table hiding - feature. A specially-crafted database name can be used - to trigger an XSS attack.</li> - <li>The "Tracking" feature. A specially-crafted query - can be used to trigger an XSS attack.</li> - <li>GIS visualization feature. 
</li> - </ul> - <h3>Severity</h3> - <p>We consider this vulnerability to be non-critical.</p> </blockquote> <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-39/"> <h3>Summary</h3> <p>SQL injection attack</p> - <h3>Description</h3> - <p>A vulnerability was discovered in the following - features where a user can execute an SQL injection - attack against the account of the control user: - <em>User group</em> Designer</p> - <h3>Severity</h3> - <p>We consider this vulnerability to be serious.</p> - <h3>Mitigation factor</h3> - <p>The server must have a control user account created in - MySQL and configured in phpMyAdmin; installations without a - control user are not vulnerable.</p> </blockquote> <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-40/"> <h3>Summary</h3> <p>SQL injection attack</p> - <h3>Description</h3> - <p>A vulnerability was reported where a specially - crafted database and/or table name can be used to - trigger an SQL injection attack through the export - functionality.</p> - <h3>Severity</h3> - <p>We consider this vulnerability to be serious</p> </blockquote> <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-41/"> <h3>Summary</h3> <p>Denial of service (DOS) attack in transformation feature</p> - <h3>Description</h3> - <p>A vulnerability was found in the transformation feature - allowing a user to trigger a denial-of-service (DOS) attack - against the server.</p> - <h3>Severity</h3> - <p>We consider this vulnerability to be non-critical</p> </blockquote> <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-42/"> <h3>Summary</h3> <p>SQL injection attack as control user</p> - <h3>Description</h3> - <p>A vulnerability was discovered in the user interface - preference feature where a user can execute an SQL injection - attack against the account of the control user.</p> - <h3>Severity</h3> - <p>We consider this vulnerability to be serious.</p> - <h3>Mitigation factor</h3> - <p>The server must have 
a control user account created in - MySQL and configured in phpMyAdmin; installations without a - control user are not vulnerable.</p> </blockquote> <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-43/"> <h3>Summary</h3> <p>Unvalidated data passed to unserialize()</p> - <h3>Description</h3> - <p>A vulnerability was reported where some data is passed to - the PHP <code>unserialize()</code> function without - verification that it's valid serialized data.</p> - <p>Due to how the <a href="https://secure.php.net/unserialize">PHP function</a> - operates,</p> - <blockquote> - <p>Unserialization can result in code being loaded and - executed due to object instantiation and autoloading, and - a malicious user may be able to exploit this.</p> - </blockquote> - <p>Therefore, a malicious user may be able to manipulate the - stored data in a way to exploit this weakness.</p> - <h3>Severity</h3> - <p>We consider this vulnerability to be moderately - severe.</p> </blockquote> <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-45/"> <h3>Summary</h3> <p>DOS attack with forced persistent connections</p> - <h3>Description</h3> - <p>A vulnerability was discovered where an unauthenticated - user is able to execute a denial-of-service (DOS) attack by - forcing persistent connections when phpMyAdmin is running - with <code>$cfg['AllowArbitraryServer']=true;</code>.</p> - <h3>Severity</h3> - <p>We consider this vulnerability to be critical, although - note that phpMyAdmin is not vulnerable by default.</p> </blockquote> <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-46/"> <h3>Summary</h3> <p>Denial of service (DOS) attack by for loops</p> - <h3>Description</h3> - <p>A vulnerability has been reported where a malicious - authorized user can cause a denial-of-service (DOS) attack - on a server by passing large values to a loop.</p> - <h3>Severity</h3> - <p>We consider this issue to be of moderate severity.</p> </blockquote> <blockquote 
cite="https://www.phpmyadmin.net/security/PMASA-2016-47/"> <h3>Summary</h3> <p>IPv6 and proxy server IP-based authentication rule circumvention</p> - <h3>Description</h3> - <p>A vulnerability was discovered where, under certain - circumstances, it may be possible to circumvent the - phpMyAdmin IP-based authentication rules.</p> - <p>When phpMyAdmin is used with IPv6 in a proxy server - environment, and the proxy server is in the allowed range - but the attacking computer is not allowed, this - vulnerability can allow the attacking computer to connect - despite the IP rules.</p> - <h3>Severity</h3> - <p>We consider this vulnerability to be serious</p> - <h3>Mitigation factor</h3> - <p>* The phpMyAdmin installation must be running with - IP-based allow/deny rules * The phpMyAdmin installation must - be running behind a proxy server (or proxy servers) where - the proxy server is "allowed" and the attacker is - "denied" * The connection between the proxy server - and phpMyAdmin must be via IPv6</p> </blockquote> <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-48/"> <h3>Summary</h3> <p>Detect if user is logged in</p> - <h3>Description</h3> - <p>A vulnerability was reported where an attacker can - determine whether a user is logged in to phpMyAdmin.</p> - <p>The user's session, username, and password are not - compromised by this vulnerability.</p> - <h3>Severity</h3> - <p>We consider this vulnerability to be non-critical.</p> </blockquote> <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-49/"> <h3>Summary</h3> <p>Bypass URL redirect protection</p> - <h3>Description</h3> - <p>A vulnerability was discovered where an attacker could - redirect a user to a malicious web page.</p> - <h3>Severity</h3> - <p>We consider this to be of moderate severity</p> </blockquote> <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-50/"> <h3>Summary</h3> <p>Referrer leak in url.php</p> - <h3>Description</h3> - <p>A vulnerability was discovered 
where an attacker can - determine the phpMyAdmin host location through the file - <code>url.php</code>.</p> - <h3>Severity</h3> - <p>We consider this to be of moderate severity.</p> </blockquote> <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-51/"> <h3>Summary</h3> <p>Reflected File Download attack</p> - <h3>Description</h3> - <p>A vulnerability was discovered where an attacker may be - able to trigger a user to download a specially crafted - malicious SVG file.</p> - <h3>Severity</h3> - <p>We consider this issue to be of moderate severity.</p> </blockquote> <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-52/"> <h3>Summary</h3> <p>ArbitraryServerRegexp bypass</p> - <h3>Description</h3> - <p>A vulnerability was reported with the - <code>$cfg['ArbitraryServerRegexp']</code> configuration - directive. An attacker could reuse certain cookie values in - a way of bypassing the servers defined by - <code>ArbitraryServerRegexp</code>.</p> - <h3>Severity</h3> - <p>We consider this vulnerability to be critical.</p> - <h3>Mitigation factor</h3> - <p>Only servers using - `$cfg['ArbitraryServerRegexp']` are vulnerable to - this attack.</p> </blockquote> <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-53/"> <h3>Summary</h3> <p>Denial of service (DOS) attack by changing password to a very long string</p> - <h3>Description</h3> - <p>An authenticated user can trigger a denial-of-service - (DOS) attack by entering a very long password at the change - password dialog.</p> - <h3>Severity</h3> - <p>We consider this vulnerability to be serious.</p> </blockquote> <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-54/"> <h3>Summary</h3> <p>Remote code execution vulnerability when run as CGI</p> - <h3>Description</h3> - <p>A vulnerability was discovered where a user can execute a - remote code execution attack against a server when - phpMyAdmin is being run as a CGI application. 
Under certain - server configurations, a user can pass a query string which - is executed as a command-line argument by the file - <code>generator_plugin.sh</code>.</p> - <h3>Severity</h3> - <p>We consider this vulnerability to be critical.</p> - <h3>Mitigation factor</h3> - <p>The file - `/libraries/plugins/transformations/generator_plugin.sh` may - be removed. Under certain server configurations, it may be - sufficient to remove execute permissions for this file.</p> </blockquote> <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-55/"> <h3>Summary</h3> <p>Denial of service (DOS) attack with dbase extension</p> - <h3>Description</h3> - <p>A flaw was discovered where, under certain conditions, - phpMyAdmin may not delete temporary files during the import - of ESRI files.</p> - <h3>Severity</h3> - <p>We consider this vulnerability to be non-critical.</p> - <h3>Mitigation factor</h3> - <p>This vulnerability only exists when PHP is running with - the dbase extension, which is not shipped by default, not - available in most Linux distributions, and doesn't - compile with PHP7.</p> </blockquote> <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-56/"> <h3>Summary</h3> <p>Remote code execution vulnerability when PHP is running with dbase extension</p> - <h3>Description</h3> - <p>A vulnerability was discovered where phpMyAdmin can be - used to trigger a remote code execution attack against - certain PHP installations. </p> - <h3>Severity</h3> - <p>We consider this vulnerability to be critical.</p> - <h3>Mitigation factor</h3> - <p>This vulnerability only exists when PHP is running with - the dbase extension, which is not shipped by default, not - available in most Linux distributions, and doesn't - compile with PHP7.</p> </blockquote> </body> </description> 
@@ -20782,199 +20013,7 @@ and CVE-2013-0155.</p> </affects> <description> <body xmlns="http://www.w3.org/1999/xhtml"> - <p>The phpMyAdmin development team reports:</p> - <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-17/"> - <h3>Summary</h3> - <p>BBCode injection vulnerability</p> - - <h3>Description</h3> - <p>A vulnerability was discovered that allows an BBCode - injection to setup script in case it's not accessed on - https.</p> - - <h3>Severity</h3> - <p>We consider this to be non-critical.</p> - </blockquote> - <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-18/"> - <h3>Summary</h3> - <p>Cookie attribute injection attack</p> - - <h3>Description</h3> - <p>A vulnerability was found where, under some - circumstances, an attacker can inject arbitrary values - in the browser cookies.</p> - - <h3>Severity</h3> - <p>We consider this to be non-critical.</p> - </blockquote> - <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-19/"> - <h3>Summary</h3> - <p>SQL injection attack</p> - - <h3>Description</h3> - <p>A vulnerability was discovered that allows an SQL - injection attack to run arbitrary commands as the - control user.</p> - - <h3>Severity</h3> - <p>We consider this vulnerability to be serious</p> - </blockquote> - <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-20/"> - <h3>Summary</h3> - <p>XSS on table structure page</p> - - <h3>Description</h3> - <p>An XSS vulnerability was discovered on the table - structure page</p> - - <h3>Severity</h3> - <p>We consider this to be a serious - vulnerability</p> - </blockquote> - <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-21/"> - <h3>Summary</h3> - <p>Multiple XSS vulnerabilities</p> - - <h3>Description</h3> - <ul> - <li>An XSS vulnerability was discovered on the user - privileges page.</li> - <li>An XSS vulnerability was discovered in the error - console.</li> - <li>An XSS vulnerability was discovered in the central - columns feature.</li> 
- <li>An XSS vulnerability was discovered in the query - bookmarks feature.</li> - <li>An XSS vulnerability was discovered in the user groups - feature.</li> - </ul> - - <h3>Severity</h3> - <p>We consider this to be a serious vulnerability</p> - </blockquote> - <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-22/"> - <h3>Summary</h3> - <p>DOS attack</p> - - <h3>Description</h3> - <p>A Denial Of Service (DOS) attack was discovered in - the way phpMyAdmin loads some JavaScript files.</p> - - <h3>Severity</h3> - <p>We consider this to be of moderate severity</p> - </blockquote> - <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-23/"> *** DIFF OUTPUT TRUNCATED AT 1000 LINES ***
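Review bot: the condensed PMASA-2016-39 to -56 region keeps each advisory's `<h3>Summary</h3>` line and `cite` URL but drops every Severity and Mitigation factor paragraph, and those paragraphs are what lets a reader decide whether a given installation is exposed: -39 and -42 require a configured control user, -45 requires `$cfg['AllowArbitraryServer']=true;`, -52 requires `$cfg['ArbitraryServerRegexp']`, -54 requires phpMyAdmin to run as CGI (with `generator_plugin.sh` removable as a workaround), and -55/-56 require the dbase extension. Upstream rates -45, -52, -54 and -56 critical and the others non-critical to serious, so after condensing nothing in the entry distinguishes a conditional critical RCE from a non-critical DoS. Consider keeping one sentence per critical advisory stating its precondition, or a short note directing readers to the cited PMASA pages for severity and mitigation factors.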
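Review bot: in the hunk at -20782,199 +20013,7 the lead-in `<p>The phpMyAdmin development team reports:</p>` is removed along with every PMASA-2016-17 to -23 blockquote, but the mail output is truncated at 1000 lines before any `+` line appears, so the seven lines the header says remain cannot be checked from this message. When reviewing the full diff, confirm that the replacement paragraph preserves the upstream URLs that the removed `cite` attributes carried and that the XHTML `<body>` still contains text rather than only the retained context lines, since this description body is the entry's only explanation of what was fixed.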