Security update for phpMyAdmin SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2016:1699-1 Final 1 1 2016-06-28T17:06:37Z current 2016-06-28T17:06:37Z 2016-06-28T17:06:37Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for phpMyAdmin phpMyAdmin was updated to version 4.4.15.7 to fix eight security issues. These security issues were fixed: - CVE-2016-5701: BBCode injection vulnerability (boo#986154) - CVE-2016-5703: SQL injection attack (boo#986154) - CVE-2016-5705: Multiple XSS vulnerabilities (boo#986154) - CVE-2016-5706: DOS attack (boo#986154) - CVE-2016-5730: Multiple full path disclosure vulnerabilities (boo#986154) - CVE-2016-5731: XSS through FPD (boo#986154) - CVE-2016-5733: Multiple XSS vulnerabilities (boo#986154) - CVE-2016-5739: Referrer leak in transformations (boo#986154) This non-security issues was fixed: - Fix issue Setup script doesn't use input type 'password' in all relevant locations The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/opensuse-updates/2016-06/msg00113.html E-Mail link for openSUSE-SU-2016:1699-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings openSUSE Leap 42.1 phpMyAdmin-4.4.15.7-22.1 phpMyAdmin-4.4.15.7-22.1 as a component of openSUSE Leap 42.1 setup/frames/index.inc.php in phpMyAdmin 4.0.10.x before 4.0.10.16, 4.4.15.x before 4.4.15.7, and 4.6.x before 4.6.3 allows remote attackers to conduct BBCode injection attacks against HTTP sessions via a crafted URI. CVE-2016-5701 openSUSE Leap 42.1:phpMyAdmin-4.4.15.7-22.1 moderate Please Install the update. https://lists.opensuse.org/opensuse-updates/2016-06/msg00113.html https://www.suse.com/security/cve/CVE-2016-5701.html CVE-2016-5701 https://bugzilla.suse.com/986154 SUSE Bug 986154 SQL injection vulnerability in libraries/central_columns.lib.php in phpMyAdmin 4.4.x before 4.4.15.7 and 4.6.x before 4.6.3 allows remote attackers to execute arbitrary SQL commands via a crafted database name that is mishandled in a central column query. CVE-2016-5703 openSUSE Leap 42.1:phpMyAdmin-4.4.15.7-22.1 moderate Please Install the update. https://lists.opensuse.org/opensuse-updates/2016-06/msg00113.html https://www.suse.com/security/cve/CVE-2016-5703.html CVE-2016-5703 https://bugzilla.suse.com/986154 SUSE Bug 986154 Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 4.4.x before 4.4.15.7 and 4.6.x before 4.6.3 allow remote attackers to inject arbitrary web script or HTML via vectors involving (1) server-privileges certificate data fields on the user privileges page, (2) an "invalid JSON" error message in the error console, (3) a database name in the central columns implementation, (4) a group name, or (5) a search name in the bookmarks implementation. CVE-2016-5705 openSUSE Leap 42.1:phpMyAdmin-4.4.15.7-22.1 moderate Please Install the update. https://lists.opensuse.org/opensuse-updates/2016-06/msg00113.html https://www.suse.com/security/cve/CVE-2016-5705.html CVE-2016-5705 https://bugzilla.suse.com/986154 SUSE Bug 986154 js/get_scripts.js.php in phpMyAdmin 4.0.x before 4.0.10.16, 4.4.x before 4.4.15.7, and 4.6.x before 4.6.3 allows remote attackers to cause a denial of service via a large array in the scripts parameter. CVE-2016-5706 openSUSE Leap 42.1:phpMyAdmin-4.4.15.7-22.1 moderate Please Install the update. https://lists.opensuse.org/opensuse-updates/2016-06/msg00113.html https://www.suse.com/security/cve/CVE-2016-5706.html CVE-2016-5706 https://bugzilla.suse.com/986154 SUSE Bug 986154 phpMyAdmin 4.0.x before 4.0.10.16, 4.4.x before 4.4.15.7, and 4.6.x before 4.6.3 allows remote attackers to obtain sensitive information via vectors involving (1) an array value to FormDisplay.php, (2) incorrect data to validate.php, (3) unexpected data to Validator.php, (4) a missing config directory during setup, or (5) an incorrect OpenID identifier data type, which reveals the full path in an error message. CVE-2016-5730 openSUSE Leap 42.1:phpMyAdmin-4.4.15.7-22.1 moderate Please Install the update. https://lists.opensuse.org/opensuse-updates/2016-06/msg00113.html https://www.suse.com/security/cve/CVE-2016-5730.html CVE-2016-5730 https://bugzilla.suse.com/986154 SUSE Bug 986154 Cross-site scripting (XSS) vulnerability in examples/openid.php in phpMyAdmin 4.0.x before 4.0.10.16, 4.4.x before 4.4.15.7, and 4.6.x before 4.6.3 allows remote attackers to inject arbitrary web script or HTML via vectors involving an OpenID error message. CVE-2016-5731 openSUSE Leap 42.1:phpMyAdmin-4.4.15.7-22.1 moderate Please Install the update. https://lists.opensuse.org/opensuse-updates/2016-06/msg00113.html https://www.suse.com/security/cve/CVE-2016-5731.html CVE-2016-5731 https://bugzilla.suse.com/986154 SUSE Bug 986154 Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 4.0.x before 4.0.10.16, 4.4.x before 4.4.15.7, and 4.6.x before 4.6.3 allow remote attackers to inject arbitrary web script or HTML via vectors involving (1) a crafted table name that is mishandled during privilege checking in table_row.phtml, (2) a crafted mysqld log_bin directive that is mishandled in log_selector.phtml, (3) the Transformation implementation, (4) AJAX error handling in js/ajax.js, (5) the Designer implementation, (6) the charts implementation in js/tbl_chart.js, or (7) the zoom-search implementation in rows_zoom.phtml. CVE-2016-5733 openSUSE Leap 42.1:phpMyAdmin-4.4.15.7-22.1 moderate Please Install the update. https://lists.opensuse.org/opensuse-updates/2016-06/msg00113.html https://www.suse.com/security/cve/CVE-2016-5733.html CVE-2016-5733 https://bugzilla.suse.com/986154 SUSE Bug 986154 The Transformation implementation in phpMyAdmin 4.0.x before 4.0.10.16, 4.4.x before 4.4.15.7, and 4.6.x before 4.6.3 does not use the no-referrer Content Security Policy (CSP) protection mechanism, which makes it easier for remote attackers to conduct CSRF attacks by reading an authentication token in a Referer header, related to libraries/Header.php. CVE-2016-5739 openSUSE Leap 42.1:phpMyAdmin-4.4.15.7-22.1 moderate Please Install the update. https://lists.opensuse.org/opensuse-updates/2016-06/msg00113.html https://www.suse.com/security/cve/CVE-2016-5739.html CVE-2016-5739 https://bugzilla.suse.com/986154 SUSE Bug 986154