From owner-svn-ports-head@freebsd.org Fri Sep 29 15:51:12 2017 Return-Path: Delivered-To: svn-ports-head@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 418EDE2F706; Fri, 29 Sep 2017 15:51:12 +0000 (UTC) (envelope-from zi@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 956066AF8C; Fri, 29 Sep 2017 15:51:11 +0000 (UTC) (envelope-from zi@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id v8TFpAr4019278; Fri, 29 Sep 2017 15:51:10 GMT (envelope-from zi@FreeBSD.org) Received: (from zi@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id v8TFp8Ea019276; Fri, 29 Sep 2017 15:51:08 GMT (envelope-from zi@FreeBSD.org) Message-Id: <201709291551.v8TFp8Ea019276@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: zi set sender to zi@FreeBSD.org using -f From: Ryan Steinmetz Date: Fri, 29 Sep 2017 15:51:08 +0000 (UTC) To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: svn commit: r450906 - head/security/vuxml X-SVN-Group: ports-head X-SVN-Commit-Author: zi X-SVN-Commit-Paths: head/security/vuxml X-SVN-Commit-Revision: 450906 X-SVN-Commit-Repository: ports MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-ports-head@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: SVN commit messages for the ports tree for head List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 29 Sep 2017 15:51:12 -0000 Author: zi Date: Fri Sep 29 15:51:08 2017 New Revision: 450906 URL: https://svnweb.freebsd.org/changeset/ports/450906 Log: - Condense entries whose description is >5000 characters Approved by: ports-secteam (with hat) Modified: head/security/vuxml/vuln.xml Modified: head/security/vuxml/vuln.xml ============================================================================== --- head/security/vuxml/vuln.xml Fri Sep 29 15:31:32 2017 (r450905) +++ head/security/vuxml/vuln.xml Fri Sep 29 15:51:08 2017 (r450906) @@ -2622,176 +2622,7 @@ Notes:

The Webkit gtk team reports:

-
CVE-2017-7006: Versions affected: WebKitGTK+ before 2.16.2.
- Credit to David Kohlbrenner of UC San Diego, an anonymous - researcher.
- Impact: A malicious website may exfiltrate data cross-origin. - Description: Processing maliciously crafted web content may - allow cross-origin data to be exfiltrated by using SVG filters - to conduct a timing side-channel attack. This issue was addressed by not painting the cross-origin buffer into the frame that gets filtered.
- -
CVE-2017-7011: Versions affected: WebKitGTK+ before 2.16.3.
- Credit to xisigr of Tencent’s Xuanwu Lab (tencent.com).
- Impact: Visiting a malicious website may lead to address bar - spoofing. Description: A state management issue was addressed - with improved frame handling.
- -
CVE-2017-7012: Versions affected: WebKitGTK+ before 2.16.2.
- Credit to Apple.
- Impact: Processing maliciously crafted web content may lead to - arbitrary code execution. Description: Multiple memory - corruption issues were addressed with improved memory - handling.
- -
CVE-2017-7018: Versions affected: WebKitGTK+ before 2.16.6.
- Credit to lokihardt of Google Project Zero.
- Impact: Processing maliciously crafted web content may lead to - arbitrary code execution. Description: Multiple memory - corruption issues were addressed with improved memory - handling.
- -
CVE-2017-7019: Versions affected: WebKitGTK+ before 2.16.2.
- Credit to Zhiyang Zeng of Tencent Security Platform Department.
- Impact: Processing maliciously crafted web content may lead - to arbitrary code execution. Description: Multiple memory - corruption issues were addressed with improved memory - handling.
- -
CVE-2017-7020: Versions affected: WebKitGTK+ before 2.16.1.
- Credit to likemeng of Baidu Security Lab.
- Impact: Processing maliciously crafted web content may lead - to arbitrary code execution. Description: Multiple memory - corruption issues were addressed with improved memory - handling.
- -
CVE-2017-7030: Versions affected: WebKitGTK+ before 2.16.6.
- Credit to chenqin of Ant-financial Light-Year Security Lab - (蚂蚁金服巴斯光年安全实验室).
- Impact: Processing maliciously crafted web content may lead - to arbitrary code execution. Description: Multiple memory - corruption issues were addressed with improved memory - handling.
- -
CVE-2017-7034: Versions affected: WebKitGTK+ before 2.16.6.
- Credit to chenqin of Ant-financial Light-Year Security Lab - (蚂蚁金服巴斯光年安全实验室).
- Impact: Processing maliciously crafted web content may lead - to arbitrary code execution. Description: Multiple memory - corruption issues were addressed with improved memory - handling.
- -
CVE-2017-7037: Versions affected: WebKitGTK+ before 2.16.6.
- Credit to lokihardt of Google Project Zero.
- Impact: Processing maliciously crafted web content may lead - to arbitrary code execution. Description: Multiple memory - corruption issues were addressed with improved memory - handling.
- -
CVE-2017-7038: Versions affected: WebKitGTK+ before 2.16.2.
- Credit to Neil Jenkins of FastMail Pty Ltd, Egor Karbutov - (@ShikariSenpai) of Digital Security and Egor Saltykov - (@ansjdnakjdnajkd) of Digital Security.
- Impact: Processing maliciously crafted web content with - DOMParser may lead to cross site scripting. Description: - A logic issue existed in the handling of DOMParser. This - issue was addressed with improved state management.
- -
CVE-2017-7039: Versions affected: WebKitGTK+ before 2.16.6.
- Credit to Ivan Fratric of Google Project Zero.
- Impact: Processing maliciously crafted web content may lead - to arbitrary code execution. Description: Multiple memory - corruption issues were addressed with improved memory - handling.
- -
CVE-2017-7040: Versions affected: WebKitGTK+ before 2.16.3.
- Credit to Ivan Fratric of Google Project Zero.
- Impact: Processing maliciously crafted web content may lead - to arbitrary code execution. Description: Multiple memory - corruption issues were addressed with improved memory - handling.
- -
CVE-2017-7041: Versions affected: WebKitGTK+ before 2.16.2.
- Credit to Ivan Fratric of Google Project Zero.
- Impact: Processing maliciously crafted web content may lead - to arbitrary code execution. Description: Multiple memory - corruption issues were addressed with improved memory - handling.
- -
CVE-2017-7042: Versions affected: WebKitGTK+ before 2.16.2.
- Credit to Ivan Fratric of Google Project Zero.
- Impact: Processing maliciously crafted web content may lead - to arbitrary code execution. Description: Multiple memory - corruption issues were addressed with improved memory - handling.
- -
CVE-2017-7043: Versions affected: WebKitGTK+ before 2.16.2.
- Credit to Ivan Fratric of Google Project Zero.
- Impact: Processing maliciously crafted web content may lead - to arbitrary code execution. Description: Multiple memory - corruption issues were addressed with improved memory - handling.
- -
CVE-2017-7046: Versions affected: WebKitGTK+ before 2.16.6.
- Credit to Ivan Fratric of Google Project Zero.
- Impact: Processing maliciously crafted web content may lead - to arbitrary code execution. Description: Multiple memory - corruption issues were addressed with improved memory - handling.
- -
CVE-2017-7048: Versions affected: WebKitGTK+ before 2.16.6.
- Credit to Ivan Fratric of Google Project Zero.
- Impact: Processing maliciously crafted web content may lead - to arbitrary code execution. Description: Multiple memory - corruption issues were addressed with improved memory - handling.
- -
CVE-2017-7049: Versions affected: WebKitGTK+ before 2.16.2.
- Credit to Ivan Fratric of Google Project Zero.
- Impact: Processing maliciously crafted web content may lead - to arbitrary code execution. Description: Multiple memory - corruption issues were addressed through improved memory - handling.
- -
CVE-2017-7052: Versions affected: WebKitGTK+ before 2.16.4.
- Credit to cc working with Trend Micro’s Zero Day Initiative.
- Impact: Processing maliciously crafted web content may lead - to arbitrary code execution. Description: Multiple memory - corruption issues were addressed with improved memory - handling.
- -
CVE-2017-7055: Versions affected: WebKitGTK+ before 2.16.6.
- Credit to The UK’s National Cyber Security Centre (NCSC).
- Impact: Processing maliciously crafted web content may lead - to arbitrary code execution. Description: Multiple memory - corruption issues were addressed with improved memory - handling.
- -
CVE-2017-7056: Versions affected: WebKitGTK+ before 2.16.6.
- Credit to lokihardt of Google Project Zero.
- Impact: Processing maliciously crafted web content may lead - to arbitrary code execution. Description: Multiple memory - corruption issues were addressed with improved memory - handling.
- -
CVE-2017-7059: Versions affected: WebKitGTK+ before 2.16.3.
- Credit to an anonymous researcher.
- Impact: Processing maliciously crafted web content with - DOMParser may lead to cross site scripting. Description: - A logic issue existed in the handling of DOMParser. This - issue was addressed with improved state management.
- -
CVE-2017-7061: Versions affected: WebKitGTK+ before 2.16.6.
- Credit to lokihardt of Google Project Zero.
- Impact: Processing maliciously crafted web content may lead - to arbitrary code execution. Description: Multiple memory - corruption issues were addressed with improved memory - handling.
- -
CVE-2017-7064: Versions affected: WebKitGTK+ before 2.16.6.
- Credit to lokihardt of Google Project Zero.
- Impact: An application may be able to read restricted - memory. Description: A memory initialization issue was - addressed through improved memory handling.
+
Please reference CVE/URL list for details

@@ -4674,120 +4505,7 @@ maliciously crafted GET request to the Horde server.

-
-
CVE-2017-5506: Double free vulnerability in magick/profile.c in - ImageMagick allows remote attackers to have unspecified impact via - a crafted file.
-
CVE-2017-5507: Memory leak in coders/mpc.c in ImageMagick before - 6.9.7-4 and 7.x before 7.0.4-4 allows remote attackers to cause a - denial of service (memory consumption) via vectors involving a - pixel cache.
-
CVE-2017-5508: Heap-based buffer overflow in the - PushQuantumPixel function in ImageMagick before 6.9.7-3 and 7.x - before 7.0.4-3 allows remote attackers to cause a denial of - service (application crash) via a crafted TIFF file.
-
CVE-2017-5509: coders/psd.c in ImageMagick allows remote - attackers to have unspecified impact via a crafted PSD file, which - triggers an out-of-bounds write.
-
CVE-2017-5510: coders/psd.c in ImageMagick allows remote - attackers to have unspecified impact via a crafted PSD file, which - triggers an out-of-bounds write.
-
CVE-2017-5511: coders/psd.c in ImageMagick allows remote - attackers to have unspecified impact by leveraging an improper - cast, which triggers a heap-based buffer overflow.
-
CVE-2017-6497: An issue was discovered in ImageMagick 6.9.7. - A specially crafted psd file could lead to a NULL pointer - dereference (thus, a DoS).
-
CVE-2017-6498: An issue was discovered in ImageMagick 6.9.7. - Incorrect TGA files could trigger assertion failures, thus leading - to DoS.
-
CVE-2017-6499: An issue was discovered in Magick++ in - ImageMagick 6.9.7. A specially crafted file creating a nested - exception could lead to a memory leak (thus, a DoS).
-
CVE-2017-6500: An issue was discovered in ImageMagick 6.9.7. - A specially crafted sun file triggers a heap-based - buffer over-read.
-
CVE-2017-6501: An issue was discovered in ImageMagick 6.9.7. - A specially crafted xcf file could lead to a NULL pointer - dereference.
-
CVE-2017-6502: An issue was discovered in ImageMagick 6.9.7. - A specially crafted webp file could lead to a file-descriptor - leak in libmagickcore (thus, a DoS).
-
CVE-2017-7275: The ReadPCXImage function in coders/pcx.c in - ImageMagick 7.0.4.9 allows remote attackers to cause a denial of - service (attempted large memory allocation and application crash) - via a crafted file. NOTE: this vulnerability exists because of an - incomplete fix for CVE-2016-8862 and CVE-2016-8866.
-
CVE-2017-7606: coders/rle.c in ImageMagick 7.0.5-4 has an - "outside the range of representable values of type unsigned char" - undefined behavior issue, which might allow remote attackers to - cause a denial of service (application crash) or possibly have - unspecified other impact via a crafted image.
-
CVE-2017-7619: In ImageMagick 7.0.4-9, an infinite loop can - occur because of a floating-point rounding error in some of the - color algorithms. This affects ModulateHSL, ModulateHCL, - ModulateHCLp, ModulateHSB, ModulateHSI, ModulateHSV, ModulateHWB, - ModulateLCHab, and ModulateLCHuv.
-
CVE-2017-7941: The ReadSGIImage function in sgi.c allows remote - attackers to consume an amount of available memory via a crafted - file.
-
CVE-2017-7942: The ReadAVSImage function in avs.c allows remote - attackers to consume an amount of available memory via a crafted - file.
-
CVE-2017-7943: The ReadSVGImage function in svg.c allows remote - attackers to consume an amount of available memory via a crafted - file.
-
CVE-2017-8343: ReadAAIImage function in aai.c allows attackers - to cause a denial of service (memory leak) via a crafted file.
-
CVE-2017-8344: ReadPCXImage function in pcx.c allows attackers - to cause a denial of service (memory leak) via a crafted file. The - ReadMNGImage function in png.c allows attackers to cause a denial - of service (memory leak) via a crafted file.
-
CVE-2017-8345: ReadMNGImage function in png.c allows attackers - to cause a denial of service (memory leak) via a crafted file.
-
CVE-2017-8346: ReadMATImage function in mat.c allows attackers - to cause a denial of service (memory leak) via a crafted file.
-
CVE-2017-8347: ReadMATImage function in mat.c allows attackers - to cause a denial of service (memory leak) via a crafted file.
-
CVE-2017-8348: ReadMATImage function in mat.c allows attackers - to cause a denial of service (memory leak) via a crafted file.
-
CVE-2017-8349: ReadSFWImage function in sfw.c allows attackers - to cause a denial of service (memory leak) via a crafted file.
-
CVE-2017-8350: ReadJNGImage function in png.c allows attackers - to cause a denial of service (memory leak) via a crafted file.
-
CVE-2017-8351: ReadPCDImage function in pcd.c allows attackers - to cause a denial of service (memory leak) via a crafted file.
-
CVE-2017-8352: ReadXWDImage function in xwd.c allows attackers - to cause a denial of service (memory leak) via a crafted file.
-
CVE-2017-8353: ReadPICTImage function in pict.c allows attackers - to cause a denial of service (memory leak) via a crafted file.
-
CVE-2017-8354: ReadBMPImage function in bmp.c allows attackers - to cause a denial of service (memory leak) via a crafted file.
-
CVE-2017-8355: ReadMTVImage function in mtv.c allows attackers - to cause a denial of service (memory leak) via a crafted file.
-
CVE-2017-8356: ReadSUNImage function in sun.c allows attackers - to cause a denial of service (memory leak) via a crafted file.
-
CVE-2017-8357: ReadEPTImage function in ept.c allows attackers - to cause a denial of service (memory leak) via a crafted file.
-
CVE-2017-8765: The function named ReadICONImage in coders\icon.c - has a memory leak vulnerability which can cause memory exhaustion - via a crafted ICON file.
-
CVE-2017-8830: ReadBMPImage function in bmp.c:1379 allows - attackers to cause a denial of service (memory leak) via a crafted - file.
-
CVE-2017-9141: A crafted file could trigger an assertion failure - in the ResetImageProfileIterator function in MagickCore/profile.c - because of missing checks in the ReadDDSImage function in - coders/dds.c.
-
CVE-2017-9142: A crafted file could trigger an assertion failure - in the WriteBlob function in MagickCore/blob.c because of missing - checks in the ReadOneJNGImage function in coders/png.c.
-
CVE-2017-9143: ReadARTImage function in coders/art.c allows - attackers to cause a denial of service (memory leak) via a crafted - .art file.
-
CVE-2017-9144: A crafted RLE image can trigger a crash because - of incorrect EOF handling in coders/rle.c.
-
+
Please reference CVE/URL list for details

@@ -12689,200 +12407,7 @@ maliciously crafted GET request to the Horde server. -

The phpMyAdmin development team reports:

-
Summary
-
Open redirection
-
Description
-
A vulnerability was discovered where a user can be - tricked in to following a link leading to phpMyAdmin, - which after authentication redirects to another - malicious site.
-
The attacker must sniff the user's valid phpMyAdmin - token.
-
Severity
-
We consider this vulnerability to be of moderate - severity.
-

-
Summary
-
Unsafe generation of blowfish secret
-
Description
-
When the user does not specify a blowfish_secret key - for encrypting cookies, phpMyAdmin generates one at - runtime. A vulnerability was reported where the way this - value is created using a weak algorithm.
-
This could allow an attacker to determine the user's - blowfish_secret and potentially decrypt their - cookies.
-
Severity
-
We consider this vulnerability to be of moderate - severity.
-
Mitigation factor
-
This vulnerability only affects cookie - authentication and only when a user has not - defined a $cfg['blowfish_secret'] in - their config.inc.php
-

-
Summary
-
phpinfo information leak value of sensitive - (HttpOnly) cookies
-
Description
-
phpinfo (phpinfo.php) shows PHP information - including values of HttpOnly cookies.
-
Severity
-
We consider this vulnerability to be - non-critical.
-
Mitigation factor
-
phpinfo in disabled by default and needs - to be enabled explicitly.
-

-
Summary
-
Username deny rules bypass (AllowRoot & Others) - by using Null Byte
-
Description
-
It is possible to bypass AllowRoot restriction - ($cfg['Servers'][$i]['AllowRoot']) and deny rules - for username by using Null Byte in the username.
-
Severity
-
We consider this vulnerability to be - severe.
-

-
Summary
-
Username rule matching issues
-
Description
-
A vulnerability in username matching for the - allow/deny rules may result in wrong matches and - detection of the username in the rule due to - non-constant execution time.
-
Severity
-
We consider this vulnerability to be severe.
-

-
Summary
-
Bypass logout timeout
-
Description
-
With a crafted request parameter value it is possible - to bypass the logout timeout.
-
Severity
-
We consider this vulnerability to be of moderate - severity.
-

-
Summary
-
Multiple full path disclosure vulnerabilities
-
Description
-
By calling some scripts that are part of phpMyAdmin in an - unexpected way, it is possible to trigger phpMyAdmin to - display a PHP error message which contains the full path of - the directory where phpMyAdmin is installed. During an - execution timeout in the export functionality, the errors - containing the full path of the directory of phpMyAdmin is - written to the export file.
-
Severity
-
We consider these vulnerability to be - non-critical.
-

-
Summary
-
Multiple XSS vulnerabilities
-
Description
-
Several XSS vulnerabilities have been reported, including - an improper fix for PMASA-2016-10 and a weakness in a regular expression - using in some JavaScript processing.
-
Severity
-
We consider this vulnerability to be - non-critical.
-

-
Summary
-
Multiple DOS vulnerabilities
-
Description
-
With a crafted request parameter value it is possible - to initiate a denial of service attack in saved searches - feature.
-
With a crafted request parameter value it is possible - to initiate a denial of service attack in import - feature.
-
An unauthenticated user can execute a denial of - service attack when phpMyAdmin is running with - $cfg['AllowArbitraryServer']=true;.
-
Severity
-
We consider these vulnerabilities to be of - moderate severity.
-

-
Summary
-
Bypass white-list protection for URL redirection
-
Description
-
Due to the limitation in URL matching, it was - possible to bypass the URL white-list protection.
-
Severity
-
We consider this vulnerability to be of moderate - severity.
-

-
Summary
-
BBCode injection vulnerability
-
Description
-
With a crafted login request it is possible to inject - BBCode in the login page.
-
Severity
-
We consider this vulnerability to be severe.
-
Mitigation factor
-
This exploit requires phpMyAdmin to be configured - with the "cookie" auth_type; other - authentication methods are not affected.
-

-
Summary
-
DOS vulnerability in table partitioning
-
Description
-
With a very large request to table partitioning - function, it is possible to invoke a Denial of Service - (DOS) attack.
-
Severity
-
We consider this vulnerability to be of moderate - severity.
-

-
Summary
-
Multiple SQL injection vulnerabilities
-
Description
-
With a crafted username or a table name, it was possible - to inject SQL statements in the tracking functionality that - would run with the privileges of the control user. This - gives read and write access to the tables of the - configuration storage database, and if the control user has - the necessary privileges, read access to some tables of the - mysql database.
-
Severity
-
We consider these vulnerabilities to be serious.
-

-
Summary
-
Incorrect serialized string parsing
-
Description
-
Due to a bug in serialized string parsing, it was - possible to bypass the protection offered by - PMA_safeUnserialize() function.
-
Severity
-
We consider this vulnerability to be severe.
-

-
Summary
-
CSRF token not stripped from the URL
-
Description
-
When the arg_separator is different from its - default value of &, the token was not - properly stripped from the return URL of the preference - import action.
-
Severity
-
We have not yet determined a severity for this issue.
-

Please reference CVE/URL list for details

@@ -16400,409 +15925,115 @@ and CVE-2013-0155.

Summary

Weakness with cookie encryption
-
Description
-
A pair of vulnerabilities were found affecting the - way cookies are stored.
-
-
The decryption of the username/password is - vulnerable to a padding oracle attack. The can allow - an attacker who has access to a user's browser cookie - file to decrypt the username and password.
-
A vulnerability was found where the same - initialization vector (IV) is used to hash the - username and password stored in the phpMyAdmin - cookie. If a user has the same password as their - username, an attacker who examines the browser cookie - can see that they are the but the attacker can not - directly decode these values from the cookie as it is - still hashed.
-
-
Severity
-
We consider this to be critical.

Summary

Multiple XSS vulnerabilities
-
Description
-
Multiple vulnerabilities have been discovered in the - following areas of phpMyAdmin:
-
-
Zoom search: Specially crafted column content can - be used to trigger an XSS attack
-
GIS editor: Certain fields in the graphical GIS - editor at not properly escaped and can be used to - trigger an XSS attack
-
Relation view
-
The following Transformations: -
-
Formatted
-
Imagelink
-
JPEG: Upload
-
RegexValidation
-
JPEG inline
-
PNG inline
-
transformation wrapper
-
-
-
XML export
-
MediaWiki export
-
Designer
-
When the MySQL server is running with a - specially-crafted log_bin directive
-
Database tab
-
Replication feature
-
Database search
-
-
Severity
-
We consider these vulnerabilities to be of - moderate severity.

Summary

Multiple XSS vulnerabilities
-
Description
-
XSS vulnerabilities were discovered in:
-
-
The database privilege check
-
The "Remove partitioning" functionality
-
-
Specially crafted database names can trigger the XSS - attack.
-
Severity
-
We consider these vulnerabilities to be of moderate - severity.

Summary

PHP code injection
-
Description
-
A vulnerability was found where a specially crafted - database name could be used to run arbitrary PHP - commands through the array export feature
-
Severity
-
We consider these vulnerabilities to be of - moderate severity.

Summary

Full path disclosure
-
Description
-
A full path disclosure vulnerability was discovered - where a user can trigger a particular error in the - export mechanism to discover the full path of phpMyAdmin - on the disk.
-
Severity
-
We consider this vulnerability to be - non-critical.

Summary

SQL injection attack
-
Description
-
A vulnerability was reported where a specially - crafted database and/or table name can be used to - trigger an SQL injection attack through the export - functionality.
-
Severity
-
We consider this vulnerability to be serious

Summary

Local file exposure
-
Description
-
A vulnerability was discovered where a user can - exploit the LOAD LOCAL INFILE functionality to expose - files on the server to the database system.
-
Severity
-
We consider this vulnerability to be serious.

Summary

Local file exposure through symlinks with UploadDir
-
Description
-
A vulnerability was found where a user can - specially craft a symlink on disk, to a file which - phpMyAdmin is permitted to read but the user is not, - which phpMyAdmin will then expose to the user.
-
Severity
-
We consider this vulnerability to be serious, - however due to the mitigation factors the - default state is not vulnerable.
-
Mitigation factor
-
1) The installation must be run with UploadDir configured - (not the default) 2) The user must be able to create a - symlink in the UploadDir 3) The user running the phpMyAdmin - application must be able to read the file

Summary

Path traversal with SaveDir and UploadDir
-
Description
-
A vulnerability was reported with the %u - username replacement functionality of the SaveDir and - UploadDir features. When the username substitution is - configured, a specially-crafted user name can be used to - circumvent restrictions to traverse the file system.
-
Severity
-
We consider this vulnerability to be serious, - however due to the mitigation factors the default - state is not vulnerable.
-
Mitigation factor
-
1) A system must be configured with the %u username - replacement, such as `$cfg['SaveDir'] = - 'SaveDir_%u';` 2) The user must be able to create a - specially-crafted MySQL user, including the `/.` sequence of - characters, such as `/../../`

Summary

Multiple XSS vulnerabilities
-
Description
-
Multiple XSS vulnerabilities were found in the following - areas:
-
-
Navigation pane and database/table hiding - feature. A specially-crafted database name can be used - to trigger an XSS attack.
-
The "Tracking" feature. A specially-crafted query - can be used to trigger an XSS attack.
-
GIS visualization feature.
-
-
Severity
-
We consider this vulnerability to be non-critical.

Summary

SQL injection attack
-
Description
-
A vulnerability was discovered in the following - features where a user can execute an SQL injection - attack against the account of the control user: - User group Designer
-
Severity
-
We consider this vulnerability to be serious.
-
Mitigation factor
-
The server must have a control user account created in - MySQL and configured in phpMyAdmin; installations without a - control user are not vulnerable.

Summary

SQL injection attack
-
Description
-
A vulnerability was reported where a specially - crafted database and/or table name can be used to - trigger an SQL injection attack through the export - functionality.
-
Severity
-
We consider this vulnerability to be serious

Summary

Denial of service (DOS) attack in transformation feature
-
Description
-
A vulnerability was found in the transformation feature - allowing a user to trigger a denial-of-service (DOS) attack - against the server.
-
Severity
-
We consider this vulnerability to be non-critical

Summary

SQL injection attack as control user
-
Description
-
A vulnerability was discovered in the user interface - preference feature where a user can execute an SQL injection - attack against the account of the control user.
-
Severity
-
We consider this vulnerability to be serious.
-
Mitigation factor
-
The server must have a control user account created in - MySQL and configured in phpMyAdmin; installations without a - control user are not vulnerable.

Summary

Unvalidated data passed to unserialize()
-
Description
-
A vulnerability was reported where some data is passed to - the PHP unserialize() function without - verification that it's valid serialized data.
-
Due to how the PHP function - operates,
-
-
Unserialization can result in code being loaded and - executed due to object instantiation and autoloading, and - a malicious user may be able to exploit this.
-
-
Therefore, a malicious user may be able to manipulate the - stored data in a way to exploit this weakness.
-
Severity
-
We consider this vulnerability to be moderately - severe.

Summary

DOS attack with forced persistent connections
-
Description
-
A vulnerability was discovered where an unauthenticated - user is able to execute a denial-of-service (DOS) attack by - forcing persistent connections when phpMyAdmin is running - with $cfg['AllowArbitraryServer']=true;.
-
Severity
-
We consider this vulnerability to be critical, although - note that phpMyAdmin is not vulnerable by default.

Summary

Denial of service (DOS) attack by for loops
-
Description
-
A vulnerability has been reported where a malicious - authorized user can cause a denial-of-service (DOS) attack - on a server by passing large values to a loop.
-
Severity
-
We consider this issue to be of moderate severity.

Summary

IPv6 and proxy server IP-based authentication rule circumvention
-
Description
-
A vulnerability was discovered where, under certain - circumstances, it may be possible to circumvent the - phpMyAdmin IP-based authentication rules.
-
When phpMyAdmin is used with IPv6 in a proxy server - environment, and the proxy server is in the allowed range - but the attacking computer is not allowed, this - vulnerability can allow the attacking computer to connect - despite the IP rules.
-
Severity
-
We consider this vulnerability to be serious
-
Mitigation factor
-
* The phpMyAdmin installation must be running with - IP-based allow/deny rules * The phpMyAdmin installation must - be running behind a proxy server (or proxy servers) where - the proxy server is "allowed" and the attacker is - "denied" * The connection between the proxy server - and phpMyAdmin must be via IPv6

Summary

Detect if user is logged in
-
Description
-
A vulnerability was reported where an attacker can - determine whether a user is logged in to phpMyAdmin.
-
The user's session, username, and password are not - compromised by this vulnerability.
-
Severity
-
We consider this vulnerability to be non-critical.

Summary

Bypass URL redirect protection
-
Description
-
A vulnerability was discovered where an attacker could - redirect a user to a malicious web page.
-
Severity
-
We consider this to be of moderate severity

Summary

Referrer leak in url.php
-
Description
-
A vulnerability was discovered where an attacker can - determine the phpMyAdmin host location through the file - url.php.
-
Severity
-
We consider this to be of moderate severity.

Summary

Reflected File Download attack
-
Description
-
A vulnerability was discovered where an attacker may be - able to trigger a user to download a specially crafted - malicious SVG file.
-
Severity
-
We consider this issue to be of moderate severity.

Summary

ArbitraryServerRegexp bypass
-
Description
-
A vulnerability was reported with the - $cfg['ArbitraryServerRegexp'] configuration - directive. An attacker could reuse certain cookie values in - a way of bypassing the servers defined by - ArbitraryServerRegexp.
-
Severity
-
We consider this vulnerability to be critical.
-
Mitigation factor
-
Only servers using - `$cfg['ArbitraryServerRegexp']` are vulnerable to - this attack.

Summary

Denial of service (DOS) attack by changing password to a very long string
-
Description
-
An authenticated user can trigger a denial-of-service - (DOS) attack by entering a very long password at the change - password dialog.
-
Severity
-
We consider this vulnerability to be serious.

Summary

Remote code execution vulnerability when run as CGI
-
Description
-
A vulnerability was discovered where a user can execute a - remote code execution attack against a server when - phpMyAdmin is being run as a CGI application. Under certain - server configurations, a user can pass a query string which - is executed as a command-line argument by the file - generator_plugin.sh.
-
Severity
-
We consider this vulnerability to be critical.
-
Mitigation factor
-
The file - `/libraries/plugins/transformations/generator_plugin.sh` may - be removed. Under certain server configurations, it may be - sufficient to remove execute permissions for this file.

Summary

Denial of service (DOS) attack with dbase extension
-
Description
-
A flaw was discovered where, under certain conditions, - phpMyAdmin may not delete temporary files during the import - of ESRI files.
-
Severity
-
We consider this vulnerability to be non-critical.
-
Mitigation factor
-
This vulnerability only exists when PHP is running with - the dbase extension, which is not shipped by default, not - available in most Linux distributions, and doesn't - compile with PHP7.

Summary

Remote code execution vulnerability when PHP is running with dbase extension
-
Description
-
A vulnerability was discovered where phpMyAdmin can be - used to trigger a remote code execution attack against - certain PHP installations.
-
Severity
-
We consider this vulnerability to be critical.
-
Mitigation factor
-
This vulnerability only exists when PHP is running with - the dbase extension, which is not shipped by default, not - available in most Linux distributions, and doesn't - compile with PHP7.

@@ -20782,199 +20013,7 @@ and CVE-2013-0155.

The phpMyAdmin development team reports:

-
Summary
-
BBCode injection vulnerability
- -
Description
-
A vulnerability was discovered that allows an BBCode - injection to setup script in case it's not accessed on - https.
- -
Severity
-
We consider this to be non-critical.
-

-
Summary
-
Cookie attribute injection attack
- -
Description
-
A vulnerability was found where, under some - circumstances, an attacker can inject arbitrary values - in the browser cookies.
- -
Severity
-
We consider this to be non-critical.
-

-
Summary
-
SQL injection attack
- -
Description
-
A vulnerability was discovered that allows an SQL - injection attack to run arbitrary commands as the - control user.
- -
Severity
-
We consider this vulnerability to be serious
-

-
Summary
-
XSS on table structure page
- -
Description
-
An XSS vulnerability was discovered on the table - structure page
- -
Severity
-
We consider this to be a serious - vulnerability
-

-
Summary
-
Multiple XSS vulnerabilities
- -
Description
-
-
An XSS vulnerability was discovered on the user - privileges page.
-
An XSS vulnerability was discovered in the error - console.
-
An XSS vulnerability was discovered in the central - columns feature.
-
An XSS vulnerability was discovered in the query - bookmarks feature.
-
An XSS vulnerability was discovered in the user groups - feature.
-
- -
Severity
-
We consider this to be a serious vulnerability
-

-
Summary
-
DOS attack
- -
Description
-
A Denial Of Service (DOS) attack was discovered in - the way phpMyAdmin loads some JavaScript files.
- -
Severity
-
We consider this to be of moderate severity
-

*** DIFF OUTPUT TRUNCATED AT 1000 LINES ***