Bug 1340065 (CVE-2016-5097, CVE-2016-5098, CVE-2016-5099)

Summary: CVE-2016-5097 CVE-2016-5098 CVE-2016-5099 phpMyAdmin: Multiple issues fixed in 4.6.2 and 4.4.15.6 (PMASA-2016-16,PMASA-2016-15,PMASA-2016-14)
Product: [Other] Security Response
Reporter: Adam Mariš <amaris>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: ccoleman, dmcphers, jialiu, joelsmith, jokerman, kseifried, lmeyer, mmccomas, redhat-bugzilla, tdawson
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: phpMyAdmin 4.6.2, phpMyAdmin 4.4.15.6
Doc Type: If docs needed, set a value
Last Closed: 2016-11-28 14:35:30 UTC
Bug Depends On: 1340066, 1340068, 1340069, 1340070

Description Adam Mariš 2016-05-26 12:04:02 UTC
Multiple issues were fixed in phpMyAdmin:

----------------------

1. Cross-site scripting vulnerability (PMASA-2016-16):

A specially crafted attack could allow for special HTML characters to be passed as URL encoded values and displayed back as special characters in the page.

Affects versions 4.4.x (prior to 4.4.15.6) and 4.6.x (prior to 4.6.2).

Upstream patches:

4.6 branch: https://github.com/phpmyadmin/phpmyadmin/commit/b061096abd992801fbbd805ef6ff74e627528780

4.4 branch: https://github.com/phpmyadmin/phpmyadmin/commit/b061096abd992801fbbd805ef6ff74e627528780

----------------------

2. File Traversal Protection Bypass on Error Reporting (PMASA-2016-15):

A specially crafted payload could result in the error reporting component exposing whether an arbitrary file exists on the file system and the size of that file.

The attacker must be able to intercept and modify the user's POST data and must be able to trigger a JavaScript error to the user.

This attack can be mitigated in affected installations by setting `$cfg['Servers'][$i]['SendErrorReports'] = 'never';`. Upgrading to a more recent development commit is suggested.

Only git 'master' development branch was affected. No released version was vulnerable.

Upstream patch:

https://github.com/phpmyadmin/phpmyadmin/commit/d2dc9481d2af25b035778c67eaf0bfd2d2c59dd8

----------------------

3. Sensitive Data in URL GET Query Parameters (PMASA-2016-14):

Because user SQL queries are part of the URL, sensitive information included in a user query can be exposed, by clicking on external links, to attackers monitoring user GET query parameters, or it can end up in the webserver logs.

As mitigation, avoid clicking on external links in phpMyAdmin which are not redirected through url.php script.

Affects versions prior to 4.6.2.

Upstream patches:

https://github.com/phpmyadmin/phpmyadmin/commit/11eb574242d2526107366d367ab5585fbe29578f
https://github.com/phpmyadmin/phpmyadmin/commit/5fc8020c5ba9cd2e38beb5dfe013faf2103cdf0f
https://github.com/phpmyadmin/phpmyadmin/commit/8326aaebe54083d9726e153abdd303a141fe5ad3
https://github.com/phpmyadmin/phpmyadmin/commit/59e56bd63a5e023b797d82eb272cd074e3b4bfd1

External References:

https://www.phpmyadmin.net/security/PMASA-2016-16/
https://www.phpmyadmin.net/security/PMASA-2016-15/
https://www.phpmyadmin.net/security/PMASA-2016-14/
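
The following is an added example, not phpMyAdmin code and not part of the bug report, illustrating the PMASA-2016-14 exposure described above from the operator's side: what a plain outbound link leaks through the Referer header, what a link bounced through url.php carries instead, and how to find (and redact) statements that have already landed in webserver access logs. The combined log format, the four sample log lines, the host names and the url.php parameter name are all constructed assumptions for the example.

```python
"""Audit helpers for PMASA-2016-14 (CVE-2016-5097): SQL statements carried in
phpMyAdmin GET parameters can leak through the Referer header on outbound
clicks and through webserver access logs.

Added example, not phpMyAdmin code. The log format, the sample log lines and
the url.php bounce link are constructed here for illustration.
"""
import re
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# Apache/nginx "combined" access-log layout (assumed for the constructed lines).
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Statement shapes that routinely embed credentials in the query text itself.
_SENSITIVE_SQL = re.compile(
    r'\b(?:IDENTIFIED\s+BY\b|SET\s+PASSWORD\b|PASSWORD\s*\(|CREATE\s+USER\b|GRANT\b)',
    re.IGNORECASE,
)

# Value of a sql_query parameter inside a request line or Referer field.
_SQLQ_RE = re.compile(r'(sql_query=)[^&\s"]*')


def referer_for_external_click(page_url: str) -> str:
    """Referer a 2016-era browser (no-referrer-when-downgrade default) sent when
    the user followed a plain <a href> from `page_url` to another https site:
    the whole URL minus the fragment, sql_query included. Current browsers
    default to strict-origin-when-cross-origin and send only the origin, but
    the access-log exposure handled below does not depend on browser policy."""
    s = urlsplit(page_url)
    return urlunsplit((s.scheme, s.netloc, s.path, s.query, ''))


def via_url_php(pma_base: str, external_url: str) -> str:
    """Link target in the style of the fix: bounce the click through url.php so
    the page the browser leaves from carries only the destination, never the
    statement. The hop has to be a client-side navigation from a served page;
    an HTTP 3xx would forward the original Referer unchanged. The parameter
    name 'url' is an assumption about url.php, not taken from its source."""
    return pma_base.rstrip('/') + '/url.php?' + urlencode({'url': external_url})


def find_leaked_queries(log_lines):
    """Return every sql_query found in the request line or Referer of the given
    access-log lines, percent-decoded, flagged when it carries credentials."""
    hits = []
    for line in log_lines:
        m = _LOG_RE.match(line)
        if not m:
            continue  # not combined format; leave it for a different parser
        for field in ('target', 'referer'):
            query = urlsplit(m.group(field)).query
            for sql in parse_qs(query).get('sql_query', []):
                hits.append({'ip': m.group('ip'), 'where': field, 'sql': sql,
                             'sensitive': bool(_SENSITIVE_SQL.search(sql))})
    return hits


def redact_sql_query(line: str) -> str:
    """Mask the statement text before a log line is retained or shipped."""
    return _SQLQ_RE.sub(r'\1[REDACTED]', line)


# Constructed sample: two lines from the phpMyAdmin host's own log, one line
# from an external documentation site that received the Referer, one harmless
# POST whose Referer carries no query text.
SAMPLE_LOG = [
    '10.0.0.5 - - [26/May/2016:12:04:02 +0000] "GET /phpmyadmin/sql.php?db=app&sql_query=SELECT+1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [26/May/2016:12:05:07 +0000] "GET /phpmyadmin/sql.php?db=mysql&sql_query=CREATE+USER+%27backup%27%40%27localhost%27+IDENTIFIED+BY+%27Hunter2%27 HTTP/1.1" 200 4310 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [26/May/2016:12:05:14 +0000] "GET /docs/faq.html HTTP/1.1" 200 800 "https://dba.example.com/phpmyadmin/sql.php?db=mysql&sql_query=SET+PASSWORD+FOR+%27app%27%40%27%25%27+%3D+PASSWORD%28%27s3cret%27%29" "Mozilla/5.0"',
    '10.0.0.9 - - [26/May/2016:12:06:00 +0000] "POST /phpmyadmin/import.php HTTP/1.1" 200 2210 "https://dba.example.com/phpmyadmin/index.php" "Mozilla/5.0"',
]

if __name__ == '__main__':
    page = 'https://dba.example.com/phpmyadmin/sql.php?db=mysql&sql_query=SELECT+1#results'
    print('plain link leaks :', referer_for_external_click(page))
    print('bounced link     :', via_url_php('https://dba.example.com/phpmyadmin/', 'https://dev.mysql.com/doc/'))
    for hit in find_leaked_queries(SAMPLE_LOG):
        print(hit['ip'], hit['where'], 'SENSITIVE' if hit['sensitive'] else 'ok', '|', hit['sql'])
    print(redact_sql_query(SAMPLE_LOG[1]))
```

Two points worth noting when running this against real logs: the third sample line is the external site's log, which is why the mitigation on the page (only follow links that go through url.php) matters even after the phpMyAdmin host's own logs are cleaned up; and redaction only helps going forward, so a leaked `IDENTIFIED BY` or `SET PASSWORD` statement found by the scan means the credential itself should be rotated.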

Comment 2 Adam Mariš 2016-05-26 12:05:07 UTC
Created phpMyAdmin tracking bugs for this issue:

Affects: fedora-all [bug 1340066]
Affects: epel-all [bug 1340068]

Comment 3 Adam Mariš 2016-05-26 12:05:14 UTC
Created phpMyAdmin4 tracking bugs for this issue:

Affects: epel-5 [bug 1340069]

Comment 4 Robert Scheck 2016-05-29 19:06:09 UTC
From what I get, upstream does not plan to address the flaw for the phpMyAdmin
4.0.10.x series even though it is affected:

 - https://twitter.com/phpmya/status/736096283606142976
 - https://twitter.com/phpmya/status/736096512556421122

Is somebody able to help here? Backporting the commits doesn't seem to be
trivial as upstream already stated.

Comment 5 Andrej Nemec 2016-05-30 06:58:39 UTC
CVEs were assigned to these issues.

PMASA-2016-16: CVE-2016-5099
PMASA-2016-15: CVE-2016-5098
PMASA-2016-14: CVE-2016-5097

Comment 6 Robert Scheck 2016-06-04 22:25:50 UTC
Upstream meanwhile backported fixes to 4.0.10.x series.

Comment 7 Fedora Update System 2016-06-21 20:47:20 UTC
phpMyAdmin4-4.0.10.15-2.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.

Comment 8 Fedora Update System 2016-06-21 21:47:49 UTC
phpMyAdmin-4.0.10.15-2.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.