Description
Security update for phpMyAdmin
This update to phpMyAdmin 4.4.15.4 fixes the following issues (boo#964024)
- CVE-2016-2038: Multiple full path disclosure vulnerabilities
- CVE-2016-2039: Unsafe generation of XSRF/CSRF token
- CVE-2016-2040: Multiple XSS vulnerabilities
- CVE-2016-1927: Insecure password generation in JavaScript
- CVE-2016-2041: Unsafe comparison of XSRF/CSRF token
- CVE-2016-2042: Multiple full path disclosure vulnerabilities
- CVE-2016-2043: XSS vulnerability in normalization page
Package list
openSUSE Leap 42.1
References
- E-Mail link for openSUSE-SU-2016:0357-1
- SUSE Security Ratings
Description
The suggestPassword function in js/functions.js in phpMyAdmin 4.0.x before 4.0.10.13, 4.4.x before 4.4.15.3, and 4.5.x before 4.5.4 relies on the Math.random JavaScript function, which makes it easier for remote attackers to guess passwords via a brute-force approach.
Affected products
References
- CVE-2016-1927
- SUSE Bug 964024
Description
phpMyAdmin 4.0.x before 4.0.10.13, 4.4.x before 4.4.15.3, and 4.5.x before 4.5.4 allows remote attackers to obtain sensitive information via a crafted request, which reveals the full path in an error message.
Affected products
References
- CVE-2016-2038
- SUSE Bug 964024
Description
libraries/session.inc.php in phpMyAdmin 4.0.x before 4.0.10.13, 4.4.x before 4.4.15.3, and 4.5.x before 4.5.4 does not properly generate CSRF token values, which allows remote attackers to bypass intended access restrictions by predicting a value.
Affected products
References
- CVE-2016-2039
- SUSE Bug 964024
Description
Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 4.0.x before 4.0.10.13, 4.4.x before 4.4.15.3, and 4.5.x before 4.5.4 allow remote authenticated users to inject arbitrary web script or HTML via a (1) table name, (2) SET value, (3) search query, or (4) hostname in a Location header.
Affected products
References
- CVE-2016-2040
- SUSE Bug 964024
Description
libraries/common.inc.php in phpMyAdmin 4.0.x before 4.0.10.13, 4.4.x before 4.4.15.3, and 4.5.x before 4.5.4 does not use a constant-time algorithm for comparing CSRF tokens, which makes it easier for remote attackers to bypass intended access restrictions by measuring time differences.
Affected products
References
- CVE-2016-2041
- SUSE Bug 964024
Description
phpMyAdmin 4.4.x before 4.4.15.3 and 4.5.x before 4.5.4 allows remote attackers to obtain sensitive information via a crafted request to (1) libraries/phpseclib/Crypt/AES.php or (2) libraries/phpseclib/Crypt/Rijndael.php, which reveals the full path in an error message.
Affected products
References
- CVE-2016-2042
- SUSE Bug 964024
Description
Cross-site scripting (XSS) vulnerability in the goToFinish1NF function in js/normalization.js in phpMyAdmin 4.4.x before 4.4.15.3 and 4.5.x before 4.5.4 allows remote authenticated users to inject arbitrary web script or HTML via a table name to the normalization page.
Affected products
References
- CVE-2016-2043
- SUSE Bug 964024
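Table names are the injection vector in both CVE-2016-2040 item (1) and CVE-2016-2043 (js/normalization.js). MySQL allows a quoted identifier to contain almost any character, so a table really can be named `<img src=x onerror=alert(1)>`, and the assumption that "it is only a table name" is what lets it through. The following added example, not phpMyAdmin's js/normalization.js, shows the unsafe concatenation pattern and two safe renderings; the message text, function names and the constructed hostile table name are this example's own.

```javascript
// Added example, not phpMyAdmin's js/normalization.js: a table name pasted
// into HTML (CVE-2016-2040 item (1), CVE-2016-2043) and two safe renderings.

// Constructed sample, not from the page: a syntactically valid MySQL table
// name (when backtick-quoted) that is also an HTML element with a handler.
const HOSTILE_TABLE = '<img src=x onerror=alert(document.cookie)>';

// Vulnerable: concatenating the name into markup that the page later assigns
// to innerHTML turns the identifier into attacker-controlled HTML.
function unsafeFinishMessage(tableName) {
  return '<p>Table <b>' + tableName + '</b> is now in first normal form.</p>';
}

// Fix 1: entity-encode the five characters that matter in HTML text and
// attribute contexts before the value touches markup.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}
function safeFinishMessage(tableName) {
  return '<p>Table <b>' + escapeHtml(tableName) + '</b> is now in first normal form.</p>';
}

// Fix 2 (preferred in browser code): build DOM nodes and set textContent, so
// there is no HTML parsing step for the data to escape from. `doc` is a
// Document; passing it in keeps the function usable outside a browser.
function safeFinishNode(doc, tableName) {
  const p = doc.createElement('p');
  p.appendChild(doc.createTextNode('Table '));
  const b = doc.createElement('b');
  b.textContent = tableName;
  p.appendChild(b);
  p.appendChild(doc.createTextNode(' is now in first normal form.'));
  return p;
}

// Review helper: does rendered markup still contain the given tag unencoded?
function containsRawTag(html, tagName) {
  return new RegExp('<' + tagName + '[\\s>]', 'i').test(html);
}
```

The escaping fix is the minimal patch for code that already builds HTML strings; the DOM fix is the one to reach for in new code, because it removes the encoding decision from every call site instead of relying on each one to remember it.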