Cross-site scripting (XSS) vulnerability in the PMA_TRI_getRowForList function in libraries/rte/rte_list.lib.php in phpMyAdmin 4.0.x before 4.0.10.1, 4.1.x before 4.1.14.2, and 4.2.x before 4.2.6 allows remote authenticated users to inject arbitrary web script or HTML via a crafted trigger name that is improperly handled on the database triggers page.

Versions of phpMyAdmin earlier than 4.0.10.1, 4.1.14.2, or 4.2.6 are unpatched for the following vulnerabilities :

  - The 'TABLE_COMMENT' parameter input is not being validated in the script 'libraries/structure.lib.php' and could allow cross-site scripting attacks. Note that this issue affects the 4.2.x branch. (CVE-2014-4954)

  - The 'trigger' parameter input is not being validated in the script 'libraries/rte/rte_list.lib.php' and could allow cross-site scripting attacks. (CVE-2014-4955)

  - The 'table' and 'curr_column_name' parameter inputs are not being validated in the scripts 'js/functions.js' and 'js/tbl_structure.js' respectively and could allow cross-site scripting attacks. (CVE-2014-4986)

  - The script 'server_user_groups.php' contains an error that could allow a remote attacker to obtain the MySQL user list and possibly make changes to the application display. Note this issue only affects the 4.1.x and 4.2.x branches. (CVE-2014-4987)

This phpMyAdmin update addresses several security and non security issues :

  - This is a phpMyAdmin version upgrade (bnc#892401): (From     4.1.14.3) :

  - sf#4501 [security] XSS in table browse page     (CVE-2014-5273)

  - sf#4502 [security] Self-XSS in enum value editor     (CVE-2014-5273)

  - sf#4503 [security] Self-XSSes in monitor (CVE-2014-5273)

  - sf#4505 [security] XSS in view operations page     (CVE-2014-5274)

  - sf#4504 [security] Self-XSS in query     charts&#9;(CVE-2014-5273)

  - sf#4517 [security] XSS in relation view (CVE-2014-5273)     (From 4.1.14.2) :

  - sf#4488 [security] XSS injection due to unescaped table     name (triggers)(CVE-2014-4955)

  - sf#4492 [security] XSS in AJAX confirmation messages     (CVE-2014-4986)

  - sf#4491 [security] Missing validation for accessing User     groups feature (CVE-2014-4987) (From 4.1.14.1) :

  - sf#4464 [security] XSS injection due to unescaped     db/table name in navigation hiding (CVE-2014-4349) (From     4.1.14.0 through 4.1.9.0) :

  - Numerous non-security bugfixes are listed at     https://github.com/phpmyadmin/phpmyadmin/blob/MAINT_4_1_     14/ChangeLog

Multiple vulnerabilities has been discovered and corrected in phpmyadmin :

Cross-site scripting (XSS) vulnerability in the PMA_getHtmlForActionLinks function in libraries/structure.lib.php in phpMyAdmin 4.2.x before 4.2.6 allows remote authenticated users to inject arbitrary web script or HTML via a crafted table comment that is improperly handled during construction of a database structure page (CVE-2014-4954).

Cross-site scripting (XSS) vulnerability in the PMA_TRI_getRowForList function in libraries/rte/rte_list.lib.php in phpMyAdmin 4.0.x before 4.0.10.1, 4.1.x before 4.1.14.2, and 4.2.x before 4.2.6 allows remote authenticated users to inject arbitrary web script or HTML via a crafted trigger name that is improperly handled on the database triggers page (CVE-2014-4955).

Multiple cross-site scripting (XSS) vulnerabilities in js/functions.js in phpMyAdmin 4.0.x before 4.0.10.1, 4.1.x before 4.1.14.2, and 4.2.x before 4.2.6 allow remote authenticated users to inject arbitrary web script or HTML via a crafted (1) table name or (2) column name that is improperly handled during construction of an AJAX confirmation message (CVE-2014-4986).

server_user_groups.php in phpMyAdmin 4.1.x before 4.1.14.2 and 4.2.x before 4.2.6 allows remote authenticated users to bypass intended access restrictions and read the MySQL user list via a viewUsers request (CVE-2014-4987).

This upgrade provides the latest phpmyadmin version (4.2.6) to address these vulnerabilities.

According to its self-reported version number, the phpMyAdmin install hosted on the remote web server is 4.0.x prior to 4.0.10.1, 4.1.x prior to 4.1.14.2, or 4.2.x prior to 4.2.6. It is, therefore, affected by the following vulnerabilities :

  - The 'TABLE_COMMENT' parameter input is not being     validated in the script 'libraries/structure.lib.php'     and could allow cross-site scripting attacks. Note that     this issue affects the 4.2.x branch. (CVE-2014-4954)

  - The 'trigger' parameter input is not being validated in     the script 'libraries/rte/rte_list.lib.php' and could     allow cross-site scripting attacks. (CVE-2014-4955)

  - The 'table' and 'curr_column_name' parameter inputs are     not being validated in the scripts 'js/functions.js'     and 'js/tbl_structure.js' respectively and could allow     cross-site scripting attacks. (CVE-2014-4986)

  - The script 'server_user_groups.php' contains an error     that could allow a remote attacker to obtain the MySQL     user list and possibly make changes to the application     display. Note this issue only affects the 4.1.x and     4.2.x branches. (CVE-2014-4987)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The phpMyAdmin development team reports :

Self-XSS due to unescaped HTML output in database structure page.

With a crafted table comment, it is possible to trigger an XSS in database structure page.

Self-XSS due to unescaped HTML output in database triggers page.

When navigating into the database triggers page, it is possible to trigger an XSS with a crafted trigger name.

Multiple XSS in AJAX confirmation messages.

With a crafted column name it is possible to trigger an XSS when dropping the column in table structure page. With a crafted table name it is possible to trigger an XSS when dropping or truncating the table in table operations page.

Access for an unprivileged user to MySQL user list.

An unpriviledged user could view the MySQL user list and manipulate the tabs displayed in phpMyAdmin for them.

ID	Name	Product	Family	Severity
8377	phpMyAdmin 4.0.x < 4.0.10.1 / 4.1.x < 4.1.14.2 / 4.2.x < 4.2.6 Multiple Vulnerabilities (PMASA-2014-4 through PMASA-2014-7)	Nessus Network Monitor	CGI	medium
77432	openSUSE Security Update : phpMyAdmin (openSUSE-SU-2014:1069-1)	Nessus	SuSE Local Security Checks	medium
76924	Mandriva Linux Security Advisory : phpmyadmin (MDVSA-2014:143)	Nessus	Mandriva Local Security Checks	medium
76915	phpMyAdmin 4.0.x < 4.0.10.1 / 4.1.x < 4.1.14.2 / 4.2.x < 4.2.6 Multiple Vulnerabilities (PMASA-2014-4 - PMASA-2014-7)	Nessus	CGI abuses	medium
76600	FreeBSD : phpMyAdmin -- multiple XSS vulnerabilities, missing validation (3f09ca29-0e48-11e4-b17a-6805ca0b3d42)	Nessus	FreeBSD Local Security Checks	medium

Detections

Analytics

CVE-2014-4955

medium

Tenable Plugins

medium

medium

medium

medium

medium