FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

phpMyAdmin -- multiple vulnerabilities

Affected packages
4.0 <= phpMyAdmin < 4.0.4.2
3.5 <= phpMyAdmin35 < 3.5.8.2
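
A check of installed package versions against the two ranges listed above, as an added example that is not part of the VuXML entry. The comparison is a simplified model of FreeBSD version ordering (dotted numbers with optional `_revision` and `,epoch` suffixes, an assumption), and the inventory strings are constructed.

```python
import re

# Ranges copied from "Affected packages": name -> (lower inclusive, upper exclusive)
AFFECTED = {
    "phpMyAdmin": ("4.0", "4.0.4.2"),
    "phpMyAdmin35": ("3.5", "3.5.8.2"),
}

# Simplified FreeBSD version syntax: X.Y.Z[_portrevision][,portepoch]
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:_(\d+))?(?:,(\d+))?$")


def version_key(version):
    """Return a sortable key; epoch outranks the dotted version, revision breaks ties."""
    m = _VERSION_RE.match(version)
    if m is None:
        raise ValueError(f"unsupported version string: {version!r}")
    dotted, revision, epoch = m.groups()
    parts = tuple(int(p) for p in dotted.split("."))
    return (int(epoch or 0), parts, int(revision or 0))


def is_affected(package):
    """package is a 'name-version' string, e.g. 'phpMyAdmin-4.0.4.1'."""
    name, _, version = package.rpartition("-")
    if name not in AFFECTED:
        return False
    low, high = AFFECTED[name]
    return version_key(low) <= version_key(version) < version_key(high)


if __name__ == "__main__":
    # Constructed inventory, not taken from any real host
    inventory = [
        "phpMyAdmin-4.0.4.1",
        "phpMyAdmin-4.0.4.1_3",
        "phpMyAdmin-4.0.4.2",
        "phpMyAdmin35-3.5.8.1",
        "phpMyAdmin35-3.5.8.2_1",
        "mysql-server-5.5.32",
    ]
    for pkg in inventory:
        print(f"{pkg:28} {'AFFECTED' if is_affected(pkg) else 'ok'}")
```

On a real system, `pkg audit` performs this comparison against the full VuXML database.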

Details

VuXML ID f4a0212f-f797-11e2-9bb9-6805ca0b3d42
Discovery 2013-07-28
Entry 2013-07-28
Modified 2013-07-29

The phpMyAdmin development team reports:

XSS due to unescaped HTML Output when executing a SQL query.

Using a crafted SQL query, it was possible to produce an XSS on the SQL query form.

This vulnerability can be triggered only by someone who logged in to phpMyAdmin, as the usual token protection prevents non-logged-in users from accessing the required form.

5 XSS vulnerabilities in setup, chart display, process list, and logo link.

If a crafted version.json were presented, an XSS could be introduced.

Not properly validating the version.json file, which is fetched from the phpMyAdmin.net website, could lead to an XSS attack if a crafted version.json file were presented.

This vulnerability can only be exploited with a combination of complicated techniques and tricking the user into visiting a page.

Full path disclosure vulnerabilities.

By calling some scripts that are part of phpMyAdmin in an unexpected way, it is possible to trigger phpMyAdmin to display a PHP error message which contains the full path of the directory where phpMyAdmin is installed.

This path disclosure is possible on servers where the recommended setting of the PHP configuration directive display_errors is set to on, which is against the recommendations given in the PHP manual.

XSS vulnerability when a text to link transformation is used.

When the TextLinkTransformationPlugin is used to create a link to an object when displaying the contents of a table, the object name is not properly escaped, which could lead to an XSS, if the object name has a crafted value.

The stored XSS vulnerabilities can be triggered only by someone who logged in to phpMyAdmin, as the usual token protection prevents non-logged-in users from accessing the required forms.

Self-XSS due to unescaped HTML output in schema export.

When calling schema_export.php with crafted parameters, it is possible to trigger an XSS.

This vulnerability can be triggered only by someone who logged in to phpMyAdmin, as the usual token protection prevents non-logged-in users from accessing the required form.

SQL injection vulnerabilities, producing a privilege escalation (control user).

Due to a missing validation of parameters passed to schema_export.php and pmd_pdf.php, it was possible to inject SQL statements that would run with the privileges of the control user. This gives read and write access to the tables of the configuration storage database, and if the control user has the necessary privileges, read access to some tables of the mysql database.

These vulnerabilities can be triggered only by someone who logged in to phpMyAdmin, as the usual token protection prevents non-logged-in users from accessing the required form. Moreover, a control user must have been created and configured as part of the phpMyAdmin configuration storage installation.

References

URL http://sourceforge.net/projects/phpmyadmin/files/phpMyAdmin/3.5.8.2/phpMyAdmin-3.5.8.2-notes.html/view
URL http://sourceforge.net/projects/phpmyadmin/files/phpMyAdmin/4.0.4.2/phpMyAdmin-4.0.4.2-notes.html/view
URL http://www.phpmyadmin.net/home_page/security/PMASA-2013-11.php
URL http://www.phpmyadmin.net/home_page/security/PMASA-2013-12.php
URL http://www.phpmyadmin.net/home_page/security/PMASA-2013-13.php
URL http://www.phpmyadmin.net/home_page/security/PMASA-2013-14.php
URL http://www.phpmyadmin.net/home_page/security/PMASA-2013-15.php
URL http://www.phpmyadmin.net/home_page/security/PMASA-2013-8.php
URL http://www.phpmyadmin.net/home_page/security/PMASA-2013-9.php