Description
Security update for phpMyAdmin
This update for phpMyAdmin fixes security issues and bugs.
Security issues addressed in the 4.8.4 release (bsc#1119245):
- CVE-2018-19968: Local file inclusion through transformation feature
- CVE-2018-19969: XSRF/CSRF vulnerability
- CVE-2018-19970: XSS vulnerability in navigation tree
This update also contains the following upstream bug fixes and improvements:
- Ensure that database names with a dot ('.') are handled properly when DisableIS is true
- Fix for message "Error while copying database (pma__column_info)"
- Move operation causes "SELECT * FROM undefined" error
- When logging with $cfg['AuthLog'] to syslog, successful login messages were not logged when $cfg['AuthLogSuccess'] was true
- Multiple errors and regressions with Designer
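As an added check (example code written for this page, not SUSE's or the phpMyAdmin project's own), the function below classifies a phpMyAdmin version string against the ranges this advisory describes: every release before 4.8.4 for CVE-2018-19968 and CVE-2018-19970, and 4.7.x/4.8.x releases before 4.8.4 for CVE-2018-19969. The input is assumed to be either an upstream release number or the output of `rpm -q --qf '%{VERSION}-%{RELEASE}' phpMyAdmin` on a SUSE host; the sample version strings in the block are constructed for illustration.

```python
"""Classify an installed phpMyAdmin version against the 4.8.4 security release.

Added example for this advisory; not SUSE's or phpMyAdmin's own code. The
affected ranges encoded here are the ones the advisory text states:
  - CVE-2018-19968 (LFI) and CVE-2018-19970 (XSS): phpMyAdmin before 4.8.4
  - CVE-2018-19969 (CSRF): 4.7.x and 4.8.x prior to 4.8.4
"""
import re

FIXED = (4, 8, 4)  # upstream release that closes all three CVEs


def parse_version(pkg_version: str) -> tuple:
    """Turn a version string into a comparable (major, minor, patch) tuple.

    Accepts upstream strings ("4.8.3") and distro package strings such as
    "4.8.3-lp150.2.3.1" (the rpm VERSION-RELEASE form). Everything from the
    first '-' onwards is the package release and is discarded, because the
    upstream fix level is what the advisory ranges are expressed in. Extra
    trailing components (e.g. "4.0.10.20") are tolerated and ignored.
    """
    upstream = pkg_version.strip().split("-", 1)[0]
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:\.\d+)*", upstream)
    if not m:
        raise ValueError(f"unrecognised phpMyAdmin version: {pkg_version!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def affected_cves(pkg_version: str) -> list:
    """Return the CVEs from this advisory that apply to the given version.

    An empty list means the version is at or past the 4.8.4 fix release.
    """
    v = parse_version(pkg_version)
    if v >= FIXED:
        return []
    # LFI and XSS: the advisory states "before 4.8.4" without a lower bound.
    cves = ["CVE-2018-19968", "CVE-2018-19970"]
    # CSRF: the advisory restricts the affected range to 4.7.x and 4.8.x.
    if v[:2] in ((4, 7), (4, 8)):
        cves.append("CVE-2018-19969")
    return sorted(cves)


if __name__ == "__main__":
    # Constructed sample inputs: an unpatched Package Hub build, the fixed
    # build from this advisory, an older 4.6 release and an upstream string.
    for sample in ("4.8.3-lp150.2.3.1", "4.8.4-bp150.2.3.1", "4.6.6", "4.8.0"):
        hits = affected_cves(sample)
        status = ", ".join(hits) if hits else "not affected by this advisory"
        print(f"{sample:20s} -> {status}")
```

This is a version-string heuristic, not a vulnerability scan: it cannot see a distribution that backports a fix without bumping the upstream version. For the SUSE Package Hub packages in this advisory the fix shipped as the 4.8.4 upstream release, so the version bump is the signal to look for; on other distributions consult that vendor's advisory before trusting the result.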
Package list
SUSE Package Hub for SUSE Linux Enterprise 12
SUSE Package Hub for SUSE Linux Enterprise 15
References
- E-Mail link for openSUSE-SU-2018:4124-1
- SUSE Security Ratings
Description
An attacker can exploit phpMyAdmin before 4.8.4 to leak the contents of a local file because of an error in the transformation feature. The attacker must have access to the phpMyAdmin Configuration Storage tables, although these can easily be created in any database to which the attacker has access. An attacker must have valid credentials to log in to phpMyAdmin; this vulnerability does not allow an attacker to circumvent the login system.
Affected products
References
- CVE-2018-19968
- SUSE Bug 1119245
Description
phpMyAdmin 4.7.x and 4.8.x versions prior to 4.8.4 are affected by a series of CSRF flaws. By deceiving a user into clicking on a crafted URL, it is possible to perform harmful SQL operations such as renaming databases, creating new tables/routines, deleting designer pages, adding/deleting users, updating user passwords, killing SQL processes, etc.
Affected products
References
- CVE-2018-19969
- SUSE Bug 1119245
Description
In phpMyAdmin before 4.8.4, an XSS vulnerability was found in the navigation tree, where an attacker can deliver a payload to a user through a crafted database/table name.
Affected products
References
- CVE-2018-19970
- SUSE Bug 1119245