Bug 982128 - (CVE-2016-5099) VUL-0: CVE-2016-5099: phpMyAdmin: Self XSS (PMASA-2016-16)
(CVE-2016-5099)
VUL-0: CVE-2016-5099: phpMyAdmin: Self XSS (PMASA-2016-16)
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other openSUSE 42.1
: P5 - None : Normal
: ---
Assigned To: Eric Schirra
Security Team bot
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2016-05-28 15:39 UTC by Andreas Stieger
Modified: 2016-06-11 20:07 UTC (History)
4 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Andreas Stieger 2016-05-28 15:39:40 UTC
https://www.phpmyadmin.net/security/PMASA-2016-16/

Announcement-ID: PMASA-2016-16
Date: 2016-05-25
Updated: 2016-05-26
Summary: Self XSS
Description: A specially crafted attack could allow for special HTML characters to be passed as URL encoded values and displayed back as special characters in the page.

Affected Versions: Versions 4.4.x (prior to 4.4.15.6) and 4.6.x (prior to 4.6.2) are affected.
Solution: Upgrade to phpMyAdmin 4.4.15.6 or 4.6.2 or newer or apply patch listed below.

Assigned CVE ids: CVE-2016-5099
CWE ids: CWE-661
Patches

The following commits have been made on the 4.6 branch to fix this issue:

    b061096abd992801fbbd805ef6ff74e627528780

The following commits have been made on the 4.4 branch to fix this issue:

    78e71897be0902eb1d5d3d30a33b4417cd7d4d87
Comment 1 Bernhard Wiedemann 2016-05-28 16:00:31 UTC
This is an autogenerated message for OBS integration:
This bug (982128) was mentioned in
https://build.opensuse.org/request/show/398585 Factory / phpMyAdmin
Comment 2 Eric Schirra 2016-05-28 19:33:31 UTC
I have made an maintenance request to 4.4.15.6, witch fix this issue.
Comment 3 Swamp Workflow Management 2016-05-29 11:07:36 UTC
openSUSE-SU-2016:1434-1: An update that fixes one vulnerability is now available.

Category: security (low)
Bug References: 982128
CVE References: CVE-2016-5099
Sources used:
openSUSE Leap 42.1 (src):    phpMyAdmin-4.4.15.6-19.1
openSUSE 13.2 (src):    phpMyAdmin-4.4.15.6-33.1
Comment 4 Christian Wittmer 2016-05-29 15:41:11 UTC
update to 4.4.15.6 does also fix:

  * PMASA-2016-15 (CVE-2016-5098, CWE-661)
    - File Traversal Protection Bypass on Error Reporting, see
    https://www.phpmyadmin.net/security/PMASA-2016-15/
  * PMASA-2016-14 (CVE-2016-5097, CWE-661)
    - Sensitive Data in URL GET Query Parameters, see
    https://www.phpmyadmin.net/security/PMASA-2016-14/

see: https://www.phpmyadmin.net/news/2016/5/26/phpmyadmin-security-notifications-and-44156-released/

I will provide new updates ...
Comment 5 Bernhard Wiedemann 2016-05-29 16:00:13 UTC
This is an autogenerated message for OBS integration:
This bug (982128) was mentioned in
https://build.opensuse.org/request/show/398776 13.2+42.1 / phpMyAdmin
Comment 6 Eric Schirra 2016-05-29 16:29:47 UTC
(In reply to Christian Wittmer from comment #4)
> update to 4.4.15.6 does also fix:
> 
>   * PMASA-2016-15 (CVE-2016-5098, CWE-661)
>     - File Traversal Protection Bypass on Error Reporting, see
>     https://www.phpmyadmin.net/security/PMASA-2016-15/
>   * PMASA-2016-14 (CVE-2016-5097, CWE-661)
>     - Sensitive Data in URL GET Query Parameters, see
>     https://www.phpmyadmin.net/security/PMASA-2016-14/
> 
> see:
> https://www.phpmyadmin.net/news/2016/5/26/phpmyadmin-security-notifications-
> and-44156-released/
> 
> I will provide new updates ...

Okay.
But i am not stupid.

Here stand nothing:
- https://www.phpmyadmin.net/files/4.4.15.6/
- https://www.phpmyadmin.net/security/PMASA-2016-15/
- https://www.phpmyadmin.net/security/PMASA-2016-14/
- https://github.com/phpmyadmin/phpmyadmin/blob/MAINT_4_4_15/ChangeLog
Comment 7 Christian Wittmer 2016-05-29 17:47:28 UTC
Nobody said you are stupid ... please don't feel offended

I opened:
https://github.com/phpmyadmin/phpmyadmin/issues/12280

to clarify.
Comment 8 Eric Schirra 2016-05-29 18:04:36 UTC
(In reply to Christian Wittmer from comment #7)
> Nobody said you are stupid ... please don't feel offended

Nono. I'm not offended. :-)
I missed only the right words.
And i only would say that the sources for the changes are not clearly.

> I opened:
> https://github.com/phpmyadmin/phpmyadmin/issues/12280

Okay. This is a good idea.
Comment 10 Christian Wittmer 2016-05-31 18:41:38 UTC
I was wrong:
https://github.com/phpmyadmin/phpmyadmin/issues/12280#issuecomment-222398150

sorry for being loud
Comment 11 Swamp Workflow Management 2016-06-11 20:07:47 UTC
openSUSE-SU-2016:1556-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 982128
CVE References: CVE-2016-5097,CVE-2016-5098,CVE-2016-5099
Sources used:
openSUSE 13.1 (src):    phpMyAdmin-4.4.15.6-57.1