Several vulnerabilities have been fixed in phpMyAdmin, the web-based MySQL administration interface.

  - CVE-2016-1927     The suggestPassword function relied on a non-secure     random number generator which makes it easier for remote     attackers to guess generated passwords via a brute-force     approach.

  - CVE-2016-2039     CSRF token values were generated by a non-secure random     number generator, which allows remote attackers to     bypass intended access restrictions by predicting a     value.

  - CVE-2016-2040     Multiple cross-site scripting (XSS) vulnerabilities     allow remote authenticated users to inject arbitrary web     script or HTML.

  - CVE-2016-2041     phpMyAdmin does not use a constant-time algorithm for     comparing CSRF tokens, which makes it easier for remote     attackers to bypass intended access restrictions by     measuring time differences.

  - CVE-2016-2560     Multiple cross-site scripting (XSS) vulnerabilities     allow remote attackers to inject arbitrary web script or     HTML.

  - CVE-2016-2561     Multiple cross-site scripting (XSS) vulnerabilities     allow remote attackers to inject arbitrary web script or     HTML.

  - CVE-2016-5099     Multiple cross-site scripting (XSS) vulnerabilities     allow remote attackers to inject arbitrary web script or     HTML.

  - CVE-2016-5701     For installations running on plain HTTP, phpMyAdmin     allows remote attackers to conduct BBCode injection     attacks against HTTP sessions via a crafted URI.

  - CVE-2016-5705     Multiple cross-site scripting (XSS) vulnerabilities     allow remote attackers to inject arbitrary web script or     HTML.

  - CVE-2016-5706     phpMyAdmin allows remote attackers to cause a denial of     service (resource consumption) via a large array in the     scripts parameter.

  - CVE-2016-5731     A cross-site scripting (XSS) vulnerability allows remote     attackers to inject arbitrary web script or HTML.

  - CVE-2016-5733     Multiple cross-site scripting (XSS) vulnerabilities     allow remote attackers to inject arbitrary web script or     HTML.

  - CVE-2016-5739     A specially crafted Transformation could leak     information which a remote attacker could use to perform     cross site request forgeries.

According to its self-reported version, the phpMyAdmin application hosted on the remote web server is 4.0.x prior to 4.0.10.15, 4.4.x prior to 4.4.15.5, or 4.5.x prior to 4.5.5.1. It is, therefore, affected by multiple vulnerabilities.

  - Cross-site scripting (XSS) vulnerability in the format function in libraries/sql-     parser/src/Utils/Error.php in the SQL parser in phpMyAdmin 4.5.x before 4.5.5.1 allows remote     authenticated users to inject arbitrary web script or HTML via a crafted query. (CVE-2016-2559)

  - Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 4.0.x before 4.0.10.15, 4.4.x before     4.4.15.5, and 4.5.x before 4.5.5.1 allow remote attackers to inject arbitrary web script or HTML via (1) a     crafted Host HTTP header, related to libraries/Config.class.php; (2) crafted JSON data, related to     file_echo.php; (3) a crafted SQL query, related to js/functions.js; (4) the initial parameter to     libraries/server_privileges.lib.php in the user accounts page; or (5) the it parameter to     libraries/controllers/TableSearchController.class.php in the zoom search page. (CVE-2016-2560)

  - Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 4.4.x before 4.4.15.5 and 4.5.x before     4.5.5.1 allow remote authenticated users to inject arbitrary web script or HTML via (1) normalization.php     or (2) js/normalization.js in the database normalization page, (3)     templates/database/structure/sortable_header.phtml in the database structure page, or (4) the pos     parameter to db_central_columns.php in the central columns page. (CVE-2016-2561)

  - The checkHTTP function in libraries/Config.class.php in phpMyAdmin 4.5.x before 4.5.5.1 does not verify     X.509 certificates from api.github.com SSL servers, which allows man-in-the-middle attackers to spoof     these servers and obtain sensitive information via a crafted certificate. (CVE-2016-2562)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

This update to phpMyAdmin 4.4.15.4 fixes the following security issues :

  - CVE-2016-2560: Multiple XSS vulnerabilities     (PMASA-2016-11 boo#968938)

  - CVE-2016-2561: Multiple XSS vulnerabilities     (PMASA-2016-12 boo#968941)

phpMyAdmin 4.5.5.1 (2016-02-29) =============================== This release fixes multiple XSS vulnerabilities, please see PMASA-2016-10, PMASA-2016-11, and PMASA-2016-12 for details; additionally it fixes a vulnerability allowing man- in-the-middle attack on an API call to GitHub, see PMASA-2016-13 for details. It also inclues fixes for the following bugs: - issue #11971 CREATE UNIQUE INDEX index type is not recognized by parser. - issue #11982 Row count wrong when grouping joined tables. - issue #12012 Column definition with default value and comment in CREATE TABLE exported faulty. - issue #12020 New statement but no delimiter and unexpected token with REPLACE. - issue #12029 Fixed incorrect usage of SQL parser context in SQL export - issue #12048 Fixed inclusion of gettext library from SQL parser

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The phpMyAdmin development team reports :

XSS vulnerability in SQL parser.

Using a crafted SQL query, it is possible to trigger an XSS attack through the SQL query page.

We consider this vulnerability to be non-critical.

Multiple XSS vulnerabilities.

By sending a specially crafted URL as part of the HOST header, it is possible to trigger an XSS attack.

A weakness was found that allows an XSS attack with Internet Explorer versions older than 8 and Safari on Windows using a specially crafted URL.

Using a crafted SQL query, it is possible to trigger an XSS attack through the SQL query page.

Using a crafted parameter value, it is possible to trigger an XSS attack in user accounts page.

Using a crafted parameter value, it is possible to trigger an XSS attack in zoom search page.

We consider this vulnerability to be non-critical.

Multiple XSS vulnerabilities.

With a crafted table/column name it is possible to trigger an XSS attack in the database normalization page.

With a crafted parameter it is possible to trigger an XSS attack in the database structure page.

With a crafted parameter it is possible to trigger an XSS attack in central columns page.

We consider this vulnerability to be non-critical.

Vulnerability allowing man-in-the-middle attack on API call to GitHub.

A vulnerability in the API call to GitHub can be exploited to perform a man-in-the-middle attack.

We consider this vulnerability to be serious.

Versions of phpMyAdmin 4.4.x prior to 4.4.15.5, or 4.5.x prior to 4.5.5.1 are unpatched for multiple cross-site scripting (XSS) vulnerabilities. These attacks may allow a remote attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server.

The following phpMyAdmin components are affected by these vulnerabilities :
 - A flaw which exists because the 'Database Normalization' page does not validate input when handling table or column names before returning it to users.
 - A flaw which exists because the 'Database Structure' page does not validate input when handling crafted parameters before returning it to users.
 - A flaw which exists because the 'Central Columns' page does not validate input when handling crafted parameters before returning it to users.

ID	Name	Product	Family	Published	Updated	Severity
92527	Debian DSA-3627-1 : phpmyadmin - security update	Nessus	Debian Local Security Checks	7/25/2016	1/11/2021	high
143489	phpMyAdmin 4.0.x < 4.0.10.15 / 4.4.x < 4.4.15.5 / 4.5.x < 4.5.5.1 Multiple Vulnerabilities	Nessus	CGI abuses	12/7/2020	11/22/2024	medium
89719	openSUSE Security Update : phpMyAdmin (openSUSE-2016-305)	Nessus	SuSE Local Security Checks	3/7/2016	1/19/2021	medium
89718	openSUSE Security Update : phpMyAdmin (openSUSE-2016-304)	Nessus	SuSE Local Security Checks	3/7/2016	1/19/2021	medium
89801	Fedora 23 : php-udan11-sql-parser-3.4.0-1.fc23 / phpMyAdmin-4.5.5.1-1.fc23 (2016-65da02b95c)	Nessus	Fedora Local Security Checks	3/10/2016	1/11/2021	medium
89049	FreeBSD : phpmyadmin -- multiple XSS and a man-in-the-middle vulnerability (f682a506-df7c-11e5-81e4-6805ca0b3d42)	Nessus	FreeBSD Local Security Checks	3/1/2016	1/4/2021	medium
89879	Fedora 22 : php-udan11-sql-parser-3.4.0-1.fc22 / phpMyAdmin-4.5.5.1-1.fc22 (2016-02ee5b4002)	Nessus	Fedora Local Security Checks	3/14/2016	1/11/2021	medium
9357	phpMyAdmin 4.4.x < 4.4.15.5 / 4.5.x < 4.5.5.1 Multiple XSS (PMASA-2016-12)	Nessus Network Monitor	CGI	6/17/2016	3/6/2019	low

Detections

Analytics

Plugins Search

high

medium

medium

medium

medium

medium

medium

low