phpMyAdmin 4.0.10.x < 4.0.10.19 / 4.4.15.x < 4.4.15.10 / 4.6.x < 4.6.6 Multiple Vulnerabilities

high Nessus Network Monitor Plugin ID 9936

Synopsis

The remote web server contains a version of phpMyAdmin that is affected by multiple vulnerabilities.

Description

Versions of phpMyAdmin 4.0.10.x prior to 4.0.10.19, 4.4.15.x prior to 4.4.15.10, and 4.6.x prior to 4.6.6 are unpatched and therefore affected by the following vulnerabilities:

- A flaw exists that allows a cross-site redirection attack. This flaw exists because the application does not validate request paths before returning them to the user. This could allow a context-dependent attacker to create a specially crafted link that, if followed, would redirect a victim from the intended legitimate web site to an arbitrary web site of the attacker's choosing. Such attacks are useful as the crafted URL initially appears to be a web page of a trusted site. This could be leveraged to direct an unsuspecting user to a web page containing attacks that target client-side software such as a web browser or document rendering programs, as well as phishing attacks that mimic the legitimate site but send user-supplied information to the attacker.
- A flaw exists in the 'goto()' function that is triggered during the handling of table data, which may launch a recursive include operation. This may allow a remote attacker to cause a denial of service.
- A flaw exists because the program fails to sanitize input passed via cookie parameters. This may allow a remote attacker to inject arbitrary CSS in themes.
- A flaw exists in replication status that is triggered during the handling of a specially crafted table name. This may allow a remote attacker to cause a denial of service.
- A flaw exists related to request handling between a user and a server, where the server can be induced into performing unintended actions (Server Side Request Forgery, or SSRF). By making a crafted request, the server can be used to conduct host-based attacks. This may allow an authenticated remote attacker to bypass access restrictions (e.g. host or network ACLs) and connect to hosts without the appropriate authorization. It is unclear if this may be leveraged for further impacts.

Solution

Upgrade to phpMyAdmin version 4.6.6 or later. If 4.6.x cannot be obtained, versions 4.4.15.10 and 4.0.10.19 have also been patched for these vulnerabilities.
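For triaging an inventory against the affected branches listed above, a version check can be scripted. This is an added example, not code from the plugin or from phpMyAdmin; the host names and the status labels are constructed for illustration, and the only version boundaries used are the three stated in this advisory.

```python
"""Classify phpMyAdmin versions against the affected ranges in this advisory."""
import re

# First fixed release per affected branch, as stated in the advisory text.
FIXED = {
    (4, 0, 10): (4, 0, 10, 19),
    (4, 4, 15): (4, 4, 15, 10),
    (4, 6): (4, 6, 6),
}

def parse_version(text):
    """Return numeric components, or None for anything not purely dotted digits.

    Suffixed strings (e.g. '-rc1', distro revisions) are rejected on purpose:
    their ordering is ambiguous, so they are routed to manual review.
    """
    if not re.fullmatch(r"\d+(?:\.\d+){1,3}", text.strip()):
        return None
    return tuple(int(part) for part in text.strip().split("."))

def pad(version, width):
    """Right-pad with zeros so 4.6.6 and 4.6.5.2 compare component by component."""
    return version + (0,) * (width - len(version))

def classify(text):
    """Return 'affected', 'fixed', 'not-covered' or 'unparseable'."""
    version = parse_version(text)
    if version is None:
        return "unparseable"
    for branch, fixed in FIXED.items():
        if version[:len(branch)] == branch:
            width = max(len(version), len(fixed))
            return "affected" if pad(version, width) < pad(fixed, width) else "fixed"
    # Outside the three branches this advisory names; assess separately.
    return "not-covered"

def triage(inventory):
    """Map each host to the status of its reported phpMyAdmin version."""
    return {host: classify(version) for host, version in inventory.items()}

# Constructed sample inventory (hypothetical hosts and versions).
SAMPLE_INVENTORY = {"db-admin-01": "4.0.10.18", "db-admin-02": "4.4.15.10",
                    "db-admin-03": "4.6.5.2", "db-admin-04": "4.6.6-rc1"}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {SAMPLE_INVENTORY[host]} -> {status}")
```

A result of "not-covered" only means the version falls outside the branches named here, not that it is free of these flaws.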

See Also

https://www.phpmyadmin.net/security/PMASA-2017-1

https://www.phpmyadmin.net/security/PMASA-2017-3

https://www.phpmyadmin.net/security/PMASA-2017-4

https://www.phpmyadmin.net/security/PMASA-2017-6

https://www.phpmyadmin.net/security/PMASA-2017-7

Plugin Details

Severity: High

ID: 9936

Family: CGI

Published: 2/3/2017

Updated: 3/6/2019

Risk Information

CVSS v2

Risk Factor: High

Base Score: 7.8

Temporal Score: 6.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 7

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Temporal Vector: CVSS:3.0/E:F/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:phpmyadmin:phpmyadmin

Patch Publication Date: 1/24/2017

Vulnerability Publication Date: 1/24/2017