From: Matthew Seaman
Date: Fri, 25 Nov 2016 08:16:36 +0000 (UTC)
To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject: svn commit: r427083 - head/security/vuxml

Author: matthew
Date: Fri Nov 25 08:16:36 2016
New Revision: 427083
URL: https://svnweb.freebsd.org/changeset/ports/427083

Log:
  Document the latest batch of phpMyAdmin security advisories. All 14 of them.

Modified:
  head/security/vuxml/vuln.xml

Modified: head/security/vuxml/vuln.xml
==============================================================================
--- head/security/vuxml/vuln.xml Fri Nov 25 07:47:11 2016 (r427082) +++ head/security/vuxml/vuln.xml Fri Nov 25 08:16:36 2016 (r427083) @@ -58,6 +58,238 @@ Notes: * Do not forget port variants (linux-f10-libxml2, libxml2, etc.) --> + + phpMyAdmin -- multiple vulnerabilities + + + phpMyAdmin + 4.6.04.6.5 + + + + +

The phpMYAdmin development team reports:

+
+

Summary

+

Open redirection

+

Description

+

A vulnerability was discovered where a user can be + tricked in to following a link leading to phpMyAdmin, + which after authentication redirects to another + malicious site.

+

The attacker must sniff the user's valid phpMyAdmin + token.

+

Severity

+

We consider this vulnerability to be of moderate + severity.

+
+
+

Summary

+

Unsafe generation of blowfish secret

+

Description

+

When the user does not specify a blowfish_secret key + for encrypting cookies, phpMyAdmin generates one at + runtime. A vulnerability was reported where the way this + value is created using a weak algorithm.

+

This could allow an attacker to determine the user's + blowfish_secret and potentially decrypt their + cookies.

+

Severity

+

We consider this vulnerability to be of moderate + severity.

+

Mitigation factor

+

This vulnerability only affects cookie + authentication and only when a user has not + defined a $cfg['blowfish_secret'] in + their config.inc.php

+
+
+

Summary

+

phpinfo information leak value of sensitive + (HttpOnly) cookies

+

Description

+

phpinfo (phpinfo.php) shows PHP information + including values of HttpOnly cookies.

+

Severity

+

We consider this vulnerability to be + non-critical.

+

Mitigation factor

+

phpinfo in disabled by default and needs + to be enabled explicitly.

+
+
+

Summary

+

Username deny rules bypass (AllowRoot & Others) + by using Null Byte

+

Description

+

It is possible to bypass AllowRoot restriction + ($cfg['Servers'][$i]['AllowRoot']) and deny rules + for username by using Null Byte in the username.

+

Severity

+

We consider this vulnerability to be + severe.

+
+
+

Summary

+

Username rule matching issues

+

Description

+

A vulnerability in username matching for the + allow/deny rules may result in wrong matches and + detection of the username in the rule due to + non-constant execution time.

+

Severity

+

We consider this vulnerability to be severe.

+
+
+

Summary

+

Bypass logout timeout

+

Description

+

With a crafted request parameter value it is possible + to bypass the logout timeout.

+

Severity

+

We consider this vulnerability to be of moderate + severity.

+
+
+

Summary

+

Multiple full path disclosure vulnerabilities

+

Description

+

By calling some scripts that are part of phpMyAdmin in an + unexpected way, it is possible to trigger phpMyAdmin to + display a PHP error message which contains the full path of + the directory where phpMyAdmin is installed. During an + execution timeout in the export functionality, the errors + containing the full path of the directory of phpMyAdmin is + written to the export file.

+

Severity

+

We consider these vulnerability to be + non-critical.

+
+
+

Summary

+

Multiple XSS vulnerabilities

+

Description

+

Several XSS vulnerabilities have been reported, including + an improper fix for PMASA-2016-10 and a weakness in a regular expression + using in some JavaScript processing.

+

Severity

+

We consider this vulnerability to be + non-critical.

+
+
+

Summary

+

Multiple DOS vulnerabilities

+

Description

+

With a crafted request parameter value it is possible + to initiate a denial of service attack in saved searches + feature.

+

With a crafted request parameter value it is possible + to initiate a denial of service attack in import + feature.

+

An unauthenticated user can execute a denial of + service attack when phpMyAdmin is running with + $cfg['AllowArbitraryServer']=true;.

+

Severity

+

We consider these vulnerabilities to be of + moderate severity.

+
+
+

Summary

+

Bypass white-list protection for URL redirection

+

Description

+

Due to the limitation in URL matching, it was + possible to bypass the URL white-list protection.

+

Severity

+

We consider this vulnerability to be of moderate + severity.

+
+
+

Summary

+

BBCode injection vulnerability

+

Description

+

With a crafted login request it is possible to inject + BBCode in the login page.

+

Severity

+

We consider this vulnerability to be severe.

+

Mitigation factor

+

This exploit requires phpMyAdmin to be configured + with the "cookie" auth_type; other + authentication methods are not affected.

+
+
+

Summary

+

DOS vulnerability in table partitioning

+

Description

+

With a very large request to table partitioning + function, it is possible to invoke a Denial of Service + (DOS) attack.

+

Severity

+

We consider this vulnerability to be of moderate + severity.

+
+
+

Summary

+

Multiple SQL injection vulnerabilities

+

Description

+

With a crafted username or a table name, it was possible + to inject SQL statements in the tracking functionality that + would run with the privileges of the control user. This + gives read and write access to the tables of the + configuration storage database, and if the control user has + the necessary privileges, read access to some tables of the + mysql database.

+

Severity

+

We consider these vulnerabilities to be serious.

+
+
+

Summary

+

Incorrect serialized string parsing

+

Description

+

Due to a bug in serialized string parsing, it was + possible to bypass the protection offered by + PMA_safeUnserialize() function.

+

Severity

+

We consider this vulnerability to be severe.

+
+
+

Summary

+

CSRF token not stripped from the URL

+

Description

+

When the arg_separator is different from its + default value of &, the token was not + properly stripped from the return URL of the preference + import action.

+

Severity

+

We have not yet determined a severity for this issue.

+
+ +
+ + https://www.phpmyadmin.net/security/PMASA-2016-57/ + https://www.phpmyadmin.net/security/PMASA-2016-58/ + https://www.phpmyadmin.net/security/PMASA-2016-59/ + https://www.phpmyadmin.net/security/PMASA-2016-60/ + https://www.phpmyadmin.net/security/PMASA-2016-61/ + https://www.phpmyadmin.net/security/PMASA-2016-62/ + https://www.phpmyadmin.net/security/PMASA-2016-63/ + https://www.phpmyadmin.net/security/PMASA-2016-64/ + https://www.phpmyadmin.net/security/PMASA-2016-65/ + https://www.phpmyadmin.net/security/PMASA-2016-66/ + https://www.phpmyadmin.net/security/PMASA-2016-67/ + https://www.phpmyadmin.net/security/PMASA-2016-68/ + https://www.phpmyadmin.net/security/PMASA-2016-69/ + https://www.phpmyadmin.net/security/PMASA-2016-70/ + https://www.phpmyadmin.net/security/PMASA-2016-71/ + CVE-2016-6632 + CVE-2016-6633 + CVE-2016-4412 + + + 2016-11-25 + 2016-11-25 + +
+ Remote-Code-Execution vulnerability in mysql and its variants CVE 2016-6662
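
Review bot: The commit log says "All 14 of them", but the added entry documents 15 advisories: the description has 15 Summary blocks and the references list 15 URLs, PMASA-2016-57 through PMASA-2016-71. Either the log count is off by one or one advisory was pulled in unintentionally, so it is worth confirming which. In the attribution line at the top of the description, "phpMYAdmin development team" should read "phpMyAdmin", matching the topic and package name. The references carry only three CVE names (CVE-2016-6632, CVE-2016-6633, CVE-2016-4412) against 15 advisory URLs; please check that these three belong to this batch and add the remaining identifiers once they are known. Minor: the quoted text contains "phpinfo in disabled by default" and "these vulnerability"; keep them if they are verbatim from upstream, otherwise fix them.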