The setup script for phpMyAdmin before 4.0.10.19, 4.4.x before 4.4.15.10, and 4.6.x before 4.6.6 allows remote attackers to conduct server-side request forgery (SSRF) attacks via unspecified vectors.

Several vulnerabilities were found in phpMyAdmin, the web-based MySQL administration interface, including SQL injection attacks, denial of service, arbitrary code execution, cross-site scripting, server-side request forgery, authentication bypass, and file system traversal.

For Debian 8 'Jessie', these problems have been fixed in version 4:4.2.12-2+deb8u3.

We recommend that you upgrade your phpmyadmin packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

A server-side request forgery vulnerability was reported for the setup script in phpmyadmin, a MYSQL web administration tool. This flaw may allow an unauthenticated attacker to brute-force MYSQL passwords, detect internal hostnames or opened ports on the internal network.
Additionally there was a race condition between writing configuration and administrator moving it allowing unauthenticated users to read or alter it. Debian users who configured phpmyadmin via debconf and used the default configuration for Apache 2 or Lighttpd were never affected.

For Debian 7 'Wheezy', these problems have been fixed in version 4:3.4.11.1-2+deb7u8.

We recommend that you upgrade your phpmyadmin packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update to phpMyAdmin 4.4.15.10 fixes the following security issues :

  - CVE-2016-6621: Multiple vulnerabilities in setup script     (PMASA-2016-44)

  - Open redirect (PMASA-2017-1)

  - CVE-2015-8980: php-gettext code execution (PMASA-2017-2)

  - DOS vulnerability in table editing (PMASA-2017-3)

  - CSS injection in themes (PMASA-2017-4)

  - SSRF in replication (PMASA-2017-6)

  - DOS in replication status (PMASA-2017-7)

Versions of phpMyAdmin 4.0.10.x prior to 4.0.10.18, 4.4.15.x prior to 4.4.15.9, and 4.6.x prior to 4.6.5 are unpatched, and therefore affected by the following vulnerabilities :

 - A flaw exists in 'blowfish_secret' that is triggered as key values are created using an insecure algorithm. This may allow a context-dependent attacker to potentially decrypt cookies and steal sensitive information.
 - A flaw exists in the 'phpinfo.php' script that is due to the script exposing the values of HttpOnly cookies. This may allow a remote attacker to gain access to potentially sensitive information.
 - A flaw exists in the 'libraries/plugins/auth/AuthenticationCookie.php' script that is triggered when handling NULL bytes in usernames. This may allow a remote attacker to bypass "$cfg['Servers'][$i]['AllowRoot']" AllowRoot restrictions.
 - A flaw exists in the 'libraries/ip_allow_deny.lib.php' script that is triggered by non-constant execution time during username matching. This may allow a remote attacker to bypass allow / deny rules.
 - A flaw exists that is triggered when handling input supplied via the 'last_access_time' parameter. This may allow a remote attacker to bypass the logout timeout feature.
 - A flaw exists in the 'libraries/VersionInformation.php' script related to the 'fopen' wrapper. This may allow a remote attacker to disclose the software's installation path. While such information is relatively low risk, it is often useful in carrying out additional, more focused attacks.
 - A flaw exists in 'libraries/VersionInformation.php' related to the 'curl' wrapper. This may allow a remote attacker to disclose the software's installation path. While such information is relatively low risk, it is often useful in carrying out additional, more focused attacks.
 - A flaw exists in the 'setCriterias()' function in 'libraries/SavedSearches.class.php' that is triggered as input passed via certain parameters is not properly sanitized in the saved search functionality. This may allow an authenticated remote attacker to cause a denial of service.
 - A flaw exists in the 'import.php' script that is triggered as input passed via the skip value is not properly sanitized. This may allow an authenticated remote attacker to cause a denial of service.
 - A flaw exists in the 'hash_hmac()' function in 'libraries/core.lib.php' that is triggered during the handling of MySQL host names. This may allow a remote attacker to cause a denial of service attack.
 - A flaw exists in the 'PMA_linkURL()' function in 'libraries/core.lib.php' that is due to a limitation in URL matching. This may allow a remote attacker to bypass URL whitelist protection mechanisms.
 - A flaw exists in the 'getErrorMessage()' function in 'libraries/plugins/AuthenticationPlugin.php' that is triggered during the handling of a specially crafted login request. This may allow a remote attacker to inject BBCode in the login page.
 - A flaw exists in the 'libraries/tbl_partition_definition.inc.php' script that is triggered during the handling of a very large request to table partitioning function. This may allow an authenticated remote attacker to cause a denial of service.
 - A flaw exists that may allow carrying out a SQL injection attack. The issue is due to the 'isTracked()' function in the 'libraries/Tracker.class.php' script not properly sanitizing input to the 'user' parameter. This may allow a remote attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.
 - A flaw exists that may allow carrying out a SQL injection attack. The issue is due to the 'PMA_exportAsFileDownload()' function in the 'libraries/tracking.lib.php' script not properly sanitizing input to the 'table' parameter. This may allow a remote attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.
 - A flaw exists in the 'PMA_safeUnserialize()' function in 'libraries/core.lib.php' that is triggered during the parsing of serialized strings. This may allow a remote attacker to bypass unserialization protection mechanisms.
 - A flaw exists in the 'prefs_manage.php' script that is triggered as the CSRF tokens are not properly stripped from return URLs of the preference import action when 'arg_separator' differs from its default value. This may allow a context-dependent attacker to potentially disclose token information.
 - A flaw exists that allows multiple cross-site scripting (XSS) attacks. This flaw exists because the program does not validate input before returning it to users. This may allow a remote attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server.

This phpMyAdmin update to version 4.4.15.8 fixes the following issues :

Security issues fixed :

  - Improve session cookie code for openid.php and     signon.php example files

  - Full path disclosure in openid.php and signon.php     example files

  - Unsafe generation of BlowfishSecret (when not supplied     by the user)

  - Referrer leak when phpinfo is enabled

  - Use HTTPS for wiki links

  - Improve SSL certificate handling

  - Fix full path disclosure in debugging code

  - Administrators could trigger SQL injection attack     against users

  - Weaknesses with cookie encryption see PMASA-2016-29     (CVE-2016-6606, CWE-661)

  - Multiple XSS vulnerabilities see PMASA-2016-30     (CVE-2016-6607, CWE-661)

  - Multiple XSS vulnerabilities see PMASA-2016-31     (CVE-2016-6608, CWE-661)

  - PHP code injection see PMASA-2016-32 (CVE-2016-6609,     CWE-661)

  - Full path disclosure see PMASA-2016-33 (CVE-2016-6610,     CWE-661)

  - SQL injection attack see PMASA-2016-34 (CVE-2016-6611,     CWE-661)

  - Local file exposure through LOAD DATA LOCAL INFILE see     PMASA-2016-35 (CVE-2016-6612, CWE-661)

  - Local file exposure through symlinks with UploadDir see     PMASA-2016-36 (CVE-2016-6613, CWE-661)

  - Path traversal with SaveDir and UploadDir see     PMASA-2016-37 (CVE-2016-6614, CWE-661)

  - Multiple XSS vulnerabilities see PMASA-2016-38     (CVE-2016-6615, CWE-661)

  - SQL injection vulnerability as control user see     PMASA-2016-39 (CVE-2016-6616, CWE-661)

  - SQL injection vulnerability see PMASA-2016-40     (CVE-2016-6617, CWE-661)

  - Denial-of-service attack through transformation feature     see PMASA-2016-41 (CVE-2016-6618, CWE-661)

  - SQL injection vulnerability as control user see     PMASA-2016-42 (CVE-2016-6619, CWE-661)

  - Verify data before unserializing see PMASA-2016-43     (CVE-2016-6620, CWE-661)

  - SSRF in setup script see PMASA-2016-44 (CVE-2016-6621,     CWE-661)

  - Denial-of-service attack with     $cfg['AllowArbitraryServer'] = true and persistent     connections see PMASA-2016-45 (CVE-2016-6622, CWE-661)

  - Denial-of-service attack by using for loops see     PMASA-2016-46 (CVE-2016-6623, CWE-661)

  - Possible circumvention of IP-based allow/deny rules with     IPv6 and proxy server see PMASA-2016-47 (CVE-2016-6624,     CWE-661)

  - Detect if user is logged in see PMASA-2016-48     (CVE-2016-6625, CWE-661)

  - Bypass URL redirection protection see PMASA-2016-49     (CVE-2016-6626, CWE-661)

  - Referrer leak see PMASA-2016-50 (CVE-2016-6627, CWE-661)

  - Reflected File Download see PMASA-2016-51     (CVE-2016-6628, CWE-661)

  - ArbitraryServerRegexp bypass see PMASA-2016-52     (CVE-2016-6629, CWE-661)

  - Denial-of-service attack by entering long password see     PMASA-2016-53 (CVE-2016-6630, CWE-661)

  - Remote code execution vulnerability when running as CGI     see PMASA-2016-54 (CVE-2016-6631, CWE-661)

  - Denial-of-service attack when PHP uses dbase extension     see PMASA-2016-55 (CVE-2016-6632, CWE-661)

  - Remove tode execution vulnerability when PHP uses dbase     extension see PMASA-2016-56 (CVE-2016-6633, CWE-661)

phpMyAdmin was updated to version 4.4.15.8 (2016-08-16) to fix the following issues :

  - Upstream changelog for 4.4.15.8 :

  - Improve session cookie code for openid.php and     signon.php example files

  - Full path disclosure in openid.php and signon.php     example files

  - Unsafe generation of BlowfishSecret (when not supplied     by the user)

  - Referrer leak when phpinfo is enabled

  - Use HTTPS for wiki links

  - Improve SSL certificate handling

  - Fix full path disclosure in debugging code

  - Administrators could trigger SQL injection attack     against users

  - other fixes

  - Remove Swekey support

  - Security fixes: https://www.phpmyadmin.net/security/

  - Weaknesses with cookie encryption see PMASA-2016-29     (CVE-2016-6606, CWE-661)

  - Multiple XSS vulnerabilities see PMASA-2016-30     (CVE-2016-6607, CWE-661)

  - Multiple XSS vulnerabilities see PMASA-2016-31     (CVE-2016-6608, CWE-661)

  - PHP code injection see PMASA-2016-32 (CVE-2016-6609,     CWE-661)

  - Full path disclosure see PMASA-2016-33 (CVE-2016-6610,     CWE-661)

  - SQL injection attack see PMASA-2016-34 (CVE-2016-6611,     CWE-661)

  - Local file exposure through LOAD DATA LOCAL INFILE see     PMASA-2016-35 (CVE-2016-6612, CWE-661)

  - Local file exposure through symlinks with UploadDir see     PMASA-2016-36 (CVE-2016-6613, CWE-661)

  - Path traversal with SaveDir and UploadDir see     PMASA-2016-37 (CVE-2016-6614, CWE-661)

  - Multiple XSS vulnerabilities see PMASA-2016-38     (CVE-2016-6615, CWE-661)

  - SQL injection vulnerability as control user see     PMASA-2016-39 (CVE-2016-6616, CWE-661)

  - SQL injection vulnerability see PMASA-2016-40     (CVE-2016-6617, CWE-661)

  - Denial-of-service attack through transformation feature     see PMASA-2016-41 (CVE-2016-6618, CWE-661)

  - SQL injection vulnerability as control user see     PMASA-2016-42 (CVE-2016-6619, CWE-661)

  - Verify data before unserializing see PMASA-2016-43     (CVE-2016-6620, CWE-661)

  - SSRF in setup script see PMASA-2016-44 (CVE-2016-6621,     CWE-661)

  - Denial-of-service attack with     $cfg['AllowArbitraryServer'] = true and persistent     connections see PMASA-2016-45 (CVE-2016-6622, CWE-661)

  - Denial-of-service attack by using for loops see     PMASA-2016-46 (CVE-2016-6623, CWE-661)

  - Possible circumvention of IP-based allow/deny rules with     IPv6 and proxy server see PMASA-2016-47 (CVE-2016-6624,     CWE-661)

  - Detect if user is logged in see PMASA-2016-48     (CVE-2016-6625, CWE-661)

  - Bypass URL redirection protection see PMASA-2016-49     (CVE-2016-6626, CWE-661)

  - Referrer leak see PMASA-2016-50 (CVE-2016-6627, CWE-661)

  - Reflected File Download see PMASA-2016-51     (CVE-2016-6628, CWE-661)

  - ArbitraryServerRegexp bypass see PMASA-2016-52     (CVE-2016-6629, CWE-661)

  - Denial-of-service attack by entering long password see     PMASA-2016-53 (CVE-2016-6630, CWE-661)

  - Remote code execution vulnerability when running as CGI     see PMASA-2016-54 (CVE-2016-6631, CWE-661)

  - Denial-of-service attack when PHP uses dbase extension     see PMASA-2016-55 (CVE-2016-6632, CWE-661)

  - Remove tode execution vulnerability when PHP uses dbase     extension see PMASA-2016-56 (CVE-2016-6633, CWE-661)

ID	Name	Product	Family	Severity
110945	Debian DLA-1415-1 : phpmyadmin security update	Nessus	Debian Local Security Checks	critical
97392	Debian DLA-834-1 : phpmyadmin security update	Nessus	Debian Local Security Checks	high
97001	openSUSE Security Update : phpMyAdmin (openSUSE-2017-198)	Nessus	SuSE Local Security Checks	critical
9830	phpMyAdmin 4.0.10.x < 4.0.10.18 / 4.4.15.x < 4.4.15.9 / 4.6.x < 4.6.5 Multiple Vulnerabilities	Nessus Network Monitor	CGI	critical
93214	openSUSE Security Update : phpMyAdmin (openSUSE-2016-1027)	Nessus	SuSE Local Security Checks	critical
93212	openSUSE Security Update : phpMyAdmin (openSUSE-2016-1021)	Nessus	SuSE Local Security Checks	critical

Detections

Analytics

CVE-2016-6621

high

Tenable Plugins

critical

high

critical

critical

critical

critical