Multiple issues were fixed in phpMyAdmin:

----------------------

1. Cross-site scripting vulnerability (PMASA-2016-16):

A specially crafted attack could allow for special HTML characters to be passed as URL encoded values and displayed back as special characters in the page.

Affects versions 4.4.x (prior to 4.4.15.6) and 4.6.x (prior to 4.6.2).

Upstream patches:
4.6 branch: https://github.com/phpmyadmin/phpmyadmin/commit/b061096abd992801fbbd805ef6ff74e627528780
4.4 branch: https://github.com/phpmyadmin/phpmyadmin/commit/b061096abd992801fbbd805ef6ff74e627528780

----------------------

2. File Traversal Protection Bypass on Error Reporting (PMASA-2016-15):

A specially crafted payload could result in the error reporting component exposing whether an arbitrary file exists on the file system and the size of that file. The attacker must be able to intercept and modify the user's POST data and must be able to trigger a JavaScript error to the user.

This attack can be mitigated in affected installations by setting `$cfg['Servers'][$i]['SendErrorReports'] = 'never';`. Upgrading to a more recent development commit is suggested.

Only git 'master' development branch was affected. No released version was vulnerable.

Upstream patch:
https://github.com/phpmyadmin/phpmyadmin/commit/d2dc9481d2af25b035778c67eaf0bfd2d2c59dd8

----------------------

3. Sensitive Data in URL GET Query Parameters (PMASA-2016-14):

Because user SQL queries are part of the URL, sensitive information made as part of a user query can be exposed by clicking on external links to attackers monitoring user GET query parameters or included in the webserver logs.

As mitigation, avoid clicking on external links in phpMyAdmin which are not redirected through url.php script.

Affects versions prior to 4.6.2.

Upstream patches:
https://github.com/phpmyadmin/phpmyadmin/commit/11eb574242d2526107366d367ab5585fbe29578f
https://github.com/phpmyadmin/phpmyadmin/commit/5fc8020c5ba9cd2e38beb5dfe013faf2103cdf0f
https://github.com/phpmyadmin/phpmyadmin/commit/8326aaebe54083d9726e153abdd303a141fe5ad3
https://github.com/phpmyadmin/phpmyadmin/commit/59e56bd63a5e023b797d82eb272cd074e3b4bfd1

External References:
https://www.phpmyadmin.net/security/PMASA-2016-16/
https://www.phpmyadmin.net/security/PMASA-2016-15/
https://www.phpmyadmin.net/security/PMASA-2016-14/
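For the webserver-log exposure described under PMASA-2016-14, the following added example (not part of the original report or of phpMyAdmin) audits "combined" format access-log entries for SQL text carried in the request URL or the Referer field and returns a redacted copy. The parameter name sql_query is an assumption, and the log entries are constructed samples.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumption: the user's statement travels in a parameter named sql_query.
SENSITIVE = {"sql_query"}

# Request target and Referer of an Apache/nginx "combined" log entry.
ENTRY = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+" \d{3} \S+ "(?P<referer>[^"]*)"')

# Constructed sample entries (not taken from any real server).
SAMPLE = [
    '203.0.113.7 - - [25/May/2016:10:00:00 +0000] "GET /phpmyadmin/sql.php?db=shop'
    '&sql_query=SELECT+%2A+FROM+cards+WHERE+pan%3D%274111%27 HTTP/1.1" 200 5120 "-" "UA"',
    '198.51.100.9 - - [25/May/2016:10:00:05 +0000] "GET /docs/ HTTP/1.1" 200 900 '
    '"https://db.example.test/phpmyadmin/sql.php?db=shop&sql_query=SELECT+1" "UA"',
    '203.0.113.7 - - [25/May/2016:10:00:09 +0000] "POST /phpmyadmin/sql.php HTTP/1.1" '
    '200 5120 "-" "UA"',
]

def redact_url(url):
    """Return (url with sensitive query values replaced, whether any were found)."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    if not any(key in SENSITIVE for key, _ in pairs):
        return url, False
    clean = [(k, "REDACTED" if k in SENSITIVE else v) for k, v in pairs]
    return urlunsplit(parts._replace(query=urlencode(clean))), True

def audit_line(line):
    """Return (redacted line, sorted list of fields that carried a query)."""
    match = ENTRY.search(line)
    if not match:
        return line, []
    leaked = []
    # Rewrite right to left so the earlier span offsets stay valid.
    for field in ("referer", "target"):
        new, found = redact_url(match.group(field))
        if found:
            start, end = match.span(field)
            line = line[:start] + new + line[end:]
            leaked.append(field)
    return line, sorted(leaked)

if __name__ == "__main__":
    for entry in SAMPLE:
        print(audit_line(entry))
```

The second sample shows the external-link case: the query reaches a third party's log through the Referer header, which is what routing links through url.php avoids.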
Created phpMyAdmin tracking bugs for this issue:

Affects: fedora-all [bug 1340066]
Affects: epel-all [bug 1340068]

Created phpMyAdmin4 tracking bugs for this issue:

Affects: epel-5 [bug 1340069]
From what I get, upstream does not plan to address the flaw for phpMyAdmin 4.0.10.x series even though it is affected:

- https://twitter.com/phpmya/status/736096283606142976
- https://twitter.com/phpmya/status/736096512556421122

Is somebody able to help here? Backporting the commits doesn't seem to be trivial as upstream already stated.
CVEs were assigned to these issues.

PMASA-2016-16: CVE-2016-5099
PMASA-2016-15: CVE-2016-5098
PMASA-2016-14: CVE-2016-5097
Upstream meanwhile backported fixes to 4.0.10.x series.
phpMyAdmin4-4.0.10.15-2.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.
phpMyAdmin-4.0.10.15-2.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.