libraries/select_lang.lib.php in phpMyAdmin 4.0.x before 4.0.10.9, 4.2.x before 4.2.13.2, and 4.3.x before 4.3.11.1 includes invalid language values in unknown-language error responses that contain a CSRF token and may be sent with HTTP compression, which makes it easier for remote attackers to conduct a BREACH attack and determine this token via a series of crafted requests.

Versions of phpMyAdmin 4.0.x prior to 4.0.10.9, 4.2.x prior to 4.2.13.2, or 4.3.x prior to 4.3.11.1 are unpatched for an information disclosure vulnerability due to the length of compressed HTTPS responses not being hidden. This allows a remote attacker, using a series of crafted requests, to obtain the CSRF token via a BREACH attack.

Several issues have been fixed in phpMyAdmin, the web administration tool for MySQL.

  - CVE-2014-8958 (Wheezy only)     Multiple cross-site scripting (XSS) vulnerabilities.

  - CVE-2014-9218 (Wheezy only)     Denial of service (resource consumption) via a long     password.

  - CVE-2015-2206     Risk of BREACH attack due to reflected parameter.

  - CVE-2015-3902     XSRF/CSRF vulnerability in phpMyAdmin setup.

  - CVE-2015-3903 (Jessie only)     Vulnerability allowing man-in-the-middle attack on API     call to GitHub.

  - CVE-2015-6830 (Jessie only)     Vulnerability that allows bypassing the reCaptcha test.

  - CVE-2015-7873 (Jessie only)     Content spoofing vulnerability when redirecting user to     an external site.

Several issues have been fixed in phpMyAdmin, the web administration tool for MySQL.

CVE-2014-8958

Multiple cross-site scripting (XSS) vulnerabilities.

CVE-2014-9218

Denial of service (resource consumption) via a long password.

CVE-2015-2206

Risk of BREACH attack due to reflected parameter.

CVE-2015-3902

XSRF/CSRF vulnerability in phpMyAdmin setup.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

phpMyAdmin was updated to 4.2.13.3 to fix three security issues.

The following vulnerabilities were fixed :

  - CVE-2015-3902: CSRF vulnerability in setup     (PMASA-2015-2, boo#930992)

  - CVE-2015-3903: Vulnerability allowing man-in-the-middle     attack (PMASA-2015-3, boo#930993)

  - CVE-2015-2206: Risk of BREACH attack (PMASA-2015-1,     boo#920773)

Also contains all upstream bug fixes in the 4.2.13 branch.

A vulnerability has been discovered and corrected in phpmyadmin :

libraries/select_lang.lib.php in phpMyAdmin 4.0.x before 4.0.10.9, 4.2.x before 4.2.13.2, and 4.3.x before 4.3.11.1 includes invalid language values in unknown-language error responses that contain a CSRF token and may be sent with HTTP compression, which makes it easier for remote attackers to conduct a BREACH attack and determine this token via a series of crafted requests (CVE-2015-2206).

This upgrade provides the latest phpmyadmin version (4.2.13.2) to address this vulnerability.

Additionally, the phpseclib package has been upgraded to the 0.3.10 version.

phpMyAdmin 4.3.11.1 (2015-03-04) ================================

  - [security] Risk of BREACH attack, see PMASA-2015-1

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to its self-reported version number, the phpMyAdmin application hosted on the remote web server is 4.0.x prior to 4.0.10.9, 4.2.x prior to 4.2.13.2, or 4.3.x prior to 4.3.11.1. It is, therefore, affected by an information disclosure vulnerability due to the length of compressed HTTPS responses not being hidden. This allows a remote attacker, using a series of crafted requests, to obtain the CSRF token via a BREACH attack.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The phpMyAdmin development team reports :

Risk of BREACH attack due to reflected parameter.

With a large number of crafted requests it was possible to infer the CSRF token by a BREACH attack.

Mitigation factor: this vulnerability can only be exploited in the presence of another vulnerability that allows the attacker to inject JavaScript into victim's browser.

ID	Name	Product	Family	Severity
9103	phpMyAdmin 4.0.x < 4.0.10.9 / 4.2.x < 4.2.13.2 / 4.3.x < 4.3.11.1 Information Disclosure Vulnerability (PMASA-2015-1)	Nessus Network Monitor	CGI	medium
86665	Debian DSA-3382-1 : phpmyadmin - security update	Nessus	Debian Local Security Checks	medium
86641	Debian DLA-336-1 : phpmyadmin security update	Nessus	Debian Local Security Checks	medium
84533	openSUSE Security Update : phpMyAdmin (openSUSE-2015-466)	Nessus	SuSE Local Security Checks	medium
82486	Mandriva Linux Security Advisory : phpmyadmin (MDVSA-2015:186)	Nessus	Mandriva Local Security Checks	medium
81860	Fedora 21 : phpMyAdmin-4.3.11.1-1.fc21 (2015-3336)	Nessus	Fedora Local Security Checks	medium
81859	Fedora 20 : phpMyAdmin-4.3.11.1-1.fc20 (2015-3329)	Nessus	Fedora Local Security Checks	medium
81818	phpMyAdmin 4.0.x < 4.0.10.9 / 4.2.x < 4.2.13.2 / 4.3.x < 4.3.11.1 Information Disclosure Vulnerability (PMASA-2015-1)	Nessus	CGI abuses	medium
81718	Fedora 22 : phpMyAdmin-4.3.11.1-1.fc22 (2015-3287)	Nessus	Fedora Local Security Checks	medium
81683	FreeBSD : phpMyAdmin -- Risk of BREACH attack due to reflected parameter (81b4c118-c586-11e4-8495-6805ca0b3d42)	Nessus	FreeBSD Local Security Checks	medium

Detections

Analytics

CVE-2015-2206

high

Tenable Plugins

medium

medium

medium

medium

medium

medium

medium

medium

medium

medium