Vulnerabilities > CVE-2016-5702 - 7PK - Security Features vulnerability in PHPmyadmin 4.6.0/4.6.1/4.6.2

#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(99280);
  script_version("1.5");
  script_cvs_date("Date: 2019/11/13");

  script_cve_id("CVE-2015-8980", "CVE-2016-5702");
  script_bugtraq_id(91380, 95754);

  script_name(english:"phpMyAdmin 4.0.x < 4.0.10.19 / 4.4.x < 4.4.15.10 / 4.6.x < 4.6.6 Multiple Vulnerabilities (PMASA-2017-1 - PMASA-2017-7)");
  script_summary(english:"Checks the version of phpMyAdmin.");

  script_set_attribute(attribute:"synopsis", value:
"The remote web server hosts a PHP application that is affected by
multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"According to its self-reported version number, the phpMyAdmin
application hosted on the remote web server is 4.0.x prior to
4.0.10.19, 4.4.x prior to 4.4.15.10, or 4.6.x prior to 4.6.6. It is,
therefore, affected by the following vulnerabilities :

  - An open redirect vulnerability exists due to a failure
    to validate request paths before returning them to
    users. An unauthenticated, remote attacker can exploit
    this, by convincing a user to follow a specially crafted
    link, to redirect the user from the intended legitimate
    website to an arbitrary website of the attacker's
    choosing. (PMASA-2017-1)

  - An arbitrary code execution vulnerability exists in the
    php-gettext component in the select_string() function
    due to improper sanitization of user-supplied input. An
    unauthenticated, remote attacker can exploit this to
    execute arbitrary code. (PMASA-2017-2, CVE-2015-8980)

  - A denial of service vulnerability exists in the goto()
    function due to improper handling of table data. An
    unauthenticated, remote attacker can exploit this to
    launch a recursive include operation, resulting in a
    denial of service condition. (PMASA-2017-3)

  - A flaw exists due to a failure to sanitize input passed
    via cookie parameters. An unauthenticated, remote
    attacker can exploit this to inject arbitrary CSS in
    themes. (PMASA-2017-4)

  - An unspecified flaw exists that allows an
    unauthenticated, remote attacker to inject arbitrary
    values into browser cookies. (PMASA-2017-5,
    CVE-2016-5702)

  - A server-side request forgery vulnerability exists that
    allows an authenticated, remote attacker to bypass
    access restrictions (e.g. host or network ACLs) and
    connect to hosts without the appropriate authorization.
    Note that this vulnerability only affects the 4.6.x
    version branch. (PMASA-2017-6)

  - A denial of service vulnerability exists in the
    replication status functionality due to improper
    handling of specially crafted table names. An
    unauthenticated, remote attacker can exploit this to
    cause a denial of service condition. (PMASA-2017-7)

Note that Nessus has not attempted to exploit these issues but has
instead relied only on the application's self-reported version number.");
  script_set_attribute(attribute:"see_also", value:"https://www.phpmyadmin.net/security/PMASA-2017-1/");
  script_set_attribute(attribute:"see_also", value:"https://www.phpmyadmin.net/security/PMASA-2017-2/");
  script_set_attribute(attribute:"see_also", value:"https://www.phpmyadmin.net/security/PMASA-2017-3/");
  script_set_attribute(attribute:"see_also", value:"https://www.phpmyadmin.net/security/PMASA-2017-4/");
  script_set_attribute(attribute:"see_also", value:"https://www.phpmyadmin.net/security/PMASA-2017-5/");
  script_set_attribute(attribute:"see_also", value:"https://www.phpmyadmin.net/security/PMASA-2017-6/");
  script_set_attribute(attribute:"see_also", value:"https://www.phpmyadmin.net/security/PMASA-2017-7/");
  script_set_attribute(attribute:"solution", value:
"Upgrade to phpMyAdmin version 4.0.10.19 / 4.4.15.10 /4.6.6 or later.
Alternatively, apply the patches referenced in the vendor advisories.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2015-8980");

  script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2016/06/23");
  script_set_attribute(attribute:"patch_publication_date", value:"2017/01/24");
  script_set_attribute(attribute:"plugin_publication_date", value:"2017/04/11");

  script_set_attribute(attribute:"potential_vulnerability", value:"true");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:phpmyadmin:phpmyadmin");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("phpMyAdmin_detect.nasl");
  script_require_keys("www/PHP", "installed_sw/phpMyAdmin", "Settings/ParanoidReport");
  script_require_ports("Services/www", 80);

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("install_func.inc");

appname = "phpMyAdmin";
get_install_count(app_name:appname, exit_if_zero:TRUE);

port = get_http_port(default:80, php:TRUE);

install = get_single_install(app_name:appname, port:port, exit_if_unknown_ver:TRUE);
dir = install['path'];
url = build_url(qs:dir, port:port);
version = install['version'];

if (version =~ "^4(\.[046]?$|\.4\.1?[0-9]$|\.0\.1?[0-9])?$") audit(AUDIT_VER_NOT_GRANULAR, appname, port, version);
if (version !~ "^4\.([046])") audit(AUDIT_WEB_APP_NOT_INST, appname + " 4.6.x / 4.4.x / 4.0.x", port);

if (report_paranoia < 2) audit(AUDIT_PARANOID);

re = make_array(
  -2, "-beta(\d+)",
  -1, "-rc(\d+)"
);

# Affected version
# 4.6.x < 4.6.6 / 4.4.x < 4.4.15.10 / 4.0.x < 4.0.10.19
cut_off = NULL;
fixed_ver = NULL;
if (version =~ "^4\.0\.")
{
  cut_off = '4.0.0';
  fixed_ver = '4.0.10.19';
}
else if (version =~ "^4\.4\.")
{
  cut_off = '4.4.0';
  fixed_ver = '4.4.15.10';
}
else if (version =~ "^4\.6\.")
{
  cut_off = '4.6.0';
  fixed_ver = '4.6.6';
}
else
{
  audit(AUDIT_WEB_APP_NOT_AFFECTED, appname, url, version);
}

if (
  ver_compare(ver:version, minver:cut_off, fix:fixed_ver, regexes:re) == -1
)
{
  report =
    '\n  URL               : ' + url +
    '\n  Installed version : ' + version +
    '\n  Fixed version     : ' + fixed_ver +
    '\n';

  security_report_v4(port:port, severity:SECURITY_HOLE, extra:report);
}
else audit(AUDIT_WEB_APP_NOT_AFFECTED, appname, url, version);

#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(99663);
  script_version("1.5");
  script_cvs_date("Date: 2019/11/13");

  script_cve_id(
    "CVE-2016-5701",
    "CVE-2016-5702",
    "CVE-2016-5703",
    "CVE-2016-5704",
    "CVE-2016-5705",
    "CVE-2016-5706",
    "CVE-2016-5730",
    "CVE-2016-5731",
    "CVE-2016-5732",
    "CVE-2016-5733",
    "CVE-2016-5734",
    "CVE-2016-5739"
  );
  script_bugtraq_id(
    91376,
    91378,
    91379,
    91380,
    91381,
    91383,
    91384,
    91386,
    91387,
    91389,
    91390,
    91392
  );

  script_name(english:"phpMyAdmin 4.6.x < 4.6.3 Multiple Vulnerabilities (PMASA-2016-17 - PMASA-2016-28)");
  script_summary(english:"Checks the version of phpMyAdmin.");

  script_set_attribute(attribute:"synopsis", value:
"The remote web server hosts a PHP application that is affected by
multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"According to its self-reported version number, the phpMyAdmin
application hosted on the remote web server is 4.6.x prior to 
4.6.3. It is, therefore, affected by the following vulnerabilities:

  - A flaw exists in the setup/frames/index.inc.php script
    that allows an unauthenticated, remote attacker to access
    the program on a non-HTTPS connection and thereby inject
    arbitrary BBCode against HTTP sessions. (CVE-2016-5701)

  - An unspecified flaw exists, whenever the environment
    lacks a PHP_SELF value, that allows an unauthenticated,
    remote attacker to inject arbitrary attributes into
    browser cookies by using a specially crafted URI.
    (CVE-2016-5702)

  - A flaw exists in the libraries/central_columns.lib.php
    script when handling database names due to improper
    sanitization of user-supplied input. An unauthenticated,
    remote attacker can exploit this, via a crafted database
    name, to inject or manipulate SQL queries in the
    back-end database, resulting in modification or
    disclosure of arbitrary data. (CVE-2016-5703)

  - A cross-site scripting (XSS) vulnerability exists in the
    templates/table/structure/display_table_stats.phtml
    script when handling table comments due to improper
    validation of input before returning it to users. An
    unauthenticated, remote attacker can exploit this, via a
    specially crafted request, to execute arbitrary script
    code in a user's browser session. (CVE-2016-5704)

  - Multiple cross-site scripting (XSS) vulnerabilities
    exist due to improper validation of user-supplied input
    before returning it to users. An unauthenticated, remote
    attacker can exploit these, via specially crafted
    requests, to execute arbitrary script code or HTML in a
    a user's browser session. (CVE-2016-5705)

  - A flaw exists in the js/get_scripts.js.php script when
    handling a large array in the 'scripts' parameter during
    the loading of a crafted JavaScript file. An
    unauthenticated, remote attacker can exploit this to
    cause a denial of service condition. (CVE-2016-5706)

  - A information disclosure vulnerability exists in the
    Example OpenID Authentication and Setup scripts that
    allows an remote attacker, via multiple vectors, to
    disclose the application's installation path in an
    error message. (CVE-2016-5730)

  - A reflected cross-site scripting (XSS) vulnerability
    exists in the examples/openid.php script when handling
    OpenID error messages due to improper validation of
    input before returning it to users. An unauthenticated,
    remote attacker can exploit this, via a specially
    crafted request, to execute arbitrary script code in a
    user's browser session. (CVE-2016-5731)

  - A cross-site scripting (XSS) vulnerability exists in the
    templates/table/structure/display_partitions.phtml
    script when handling table parameters due to improper
    validation of input before returning it to users. An
    unauthenticated, remote attacker can exploit this, via a
    specially crafted request, to execute arbitrary script
    code in a user's browser session. (CVE-2016-5732)

  - Multiple cross-site scripting (XSS) vulnerabilities
    exist due to improper validation of user-supplied input
    before returning it to users. An unauthenticated, remote
    attacker can exploit these, via specially crafted
    requests, to execute arbitrary script code or HTML in a
    user's browser session. (CVE-2016-5733)

  - A flaw exists in the table search and replace feature
    due to improper sanitization of parameters before
    passing them to the preg_replace() function. An
    unauthenticated, remote attacker can exploit this, via
    a specially crafted string, to execute arbitrary PHP
    code. (CVE-2016-5734)

  - An information disclosure vulnerability exists in the
    libraries/Header.class.php script when handling
    transformations due to a failure to use the 'no-referer'
    Content Security Policy (CSP) protection mechanism. An
    unauthenticated, remote attacker can exploit this, via a
    specially crafted Transformation, to disclose sensitive
    authentication token information, which then can be
    potentially used to facilitate cross-site request
    forgery (XSRF) attacks. (CVE-2016-5739)

Note that Nessus has not attempted to exploit these issues but has
instead relied only on the application's self-reported version number.");
  script_set_attribute(attribute:"see_also", value:"https://www.phpmyadmin.net/security/PMASA-2016-17/");
  script_set_attribute(attribute:"see_also", value:"https://www.phpmyadmin.net/security/PMASA-2016-18/");
  script_set_attribute(attribute:"see_also", value:"https://www.phpmyadmin.net/security/PMASA-2016-19/");
  script_set_attribute(attribute:"see_also", value:"https://www.phpmyadmin.net/security/PMASA-2016-20/");
  script_set_attribute(attribute:"see_also", value:"https://www.phpmyadmin.net/security/PMASA-2016-21/");
  script_set_attribute(attribute:"see_also", value:"https://www.phpmyadmin.net/security/PMASA-2016-22/");
  script_set_attribute(attribute:"see_also", value:"https://www.phpmyadmin.net/security/PMASA-2016-23/");
  script_set_attribute(attribute:"see_also", value:"https://www.phpmyadmin.net/security/PMASA-2016-24/");
  script_set_attribute(attribute:"see_also", value:"https://www.phpmyadmin.net/security/PMASA-2016-25/");
  script_set_attribute(attribute:"see_also", value:"https://www.phpmyadmin.net/security/PMASA-2016-26/");
  script_set_attribute(attribute:"see_also", value:"https://www.phpmyadmin.net/security/PMASA-2016-27/");
  script_set_attribute(attribute:"see_also", value:"https://www.phpmyadmin.net/security/PMASA-2016-28/");
  script_set_attribute(attribute:"solution", value:
"Upgrade to phpMyAdmin version 4.6.3 or later. Alternatively,
apply the patches referenced in the vendor advisories.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");

  script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'phpMyAdmin Authenticated Remote Code Execution');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2016/06/23");
  script_set_attribute(attribute:"patch_publication_date", value:"2016/06/23");
  script_set_attribute(attribute:"plugin_publication_date", value:"2017/04/25");

  script_set_attribute(attribute:"potential_vulnerability", value:"true");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:phpmyadmin:phpmyadmin");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("phpMyAdmin_detect.nasl");
  script_require_keys("www/PHP", "installed_sw/phpMyAdmin", "Settings/ParanoidReport");
  script_require_ports("Services/www", 80);

  exit(0);
}

include("vcf.inc");
include("http.inc");


app = "phpMyAdmin";
get_install_count(app_name:app, exit_if_zero:TRUE);
if (report_paranoia < 2) audit(AUDIT_PARANOID);
port = get_http_port(default:80, php:TRUE);

app_info = vcf::get_app_info(app:app, port:port, webapp:TRUE);
vcf::check_granularity(app_info:app_info, sig_segments:3);

constraints = [
  { "min_version" : "4.6.0", "max_version" : "4.6.2", "fixed_version" : "4.6.3" }
];

vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE, flags:{xss:true,sqli:true});

#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were  
# extracted from the FreeBSD VuXML database :
#
# Copyright 2003-2018 Jacques Vidrine and contributors
#
# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,
# HTML, PDF, PostScript, RTF and so forth) with or without modification,
# are permitted provided that the following conditions are met:
# 1. Redistributions of source code (VuXML) must retain the above
#    copyright notice, this list of conditions and the following
#    disclaimer as the first lines of this file unmodified.
# 2. Redistributions in compiled form (transformed to other DTDs,
#    published online in any format, converted to PDF, PostScript,
#    RTF and other formats) must reproduce the above copyright
#    notice, this list of conditions and the following disclaimer
#    in the documentation and/or other materials provided with the
#    distribution.
# 
# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS "AS IS"
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,
# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#

include("compat.inc");

if (description)
{
  script_id(91939);
  script_version("2.10");
  script_cvs_date("Date: 2019/04/11 17:23:06");

  script_cve_id("CVE-2016-5701", "CVE-2016-5702", "CVE-2016-5703", "CVE-2016-5704", "CVE-2016-5705", "CVE-2016-5706", "CVE-2016-5730", "CVE-2016-5731", "CVE-2016-5732", "CVE-2016-5733", "CVE-2016-5734", "CVE-2016-5739");

  script_name(english:"FreeBSD : phpMyAdmin -- multiple vulnerabilities (e7028e1d-3f9b-11e6-81f9-6805ca0b3d42)");
  script_summary(english:"Checks for updated package in pkg_info output");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote FreeBSD host is missing a security-related update."
  );
  script_set_attribute(
    attribute:"description", 
    value:"Please reference CVE/URL list for details"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.phpmyadmin.net/security/PMASA-2016-17/"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.phpmyadmin.net/security/PMASA-2016-18/"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.phpmyadmin.net/security/PMASA-2016-19/"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.phpmyadmin.net/security/PMASA-2016-20/"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.phpmyadmin.net/security/PMASA-2016-21/"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.phpmyadmin.net/security/PMASA-2016-22/"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.phpmyadmin.net/security/PMASA-2016-23/"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.phpmyadmin.net/security/PMASA-2016-24/"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.phpmyadmin.net/security/PMASA-2016-25/"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.phpmyadmin.net/security/PMASA-2016-26/"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.phpmyadmin.net/security/PMASA-2016-27/"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.phpmyadmin.net/security/PMASA-2016-28/"
  );
  # https://vuxml.freebsd.org/freebsd/e7028e1d-3f9b-11e6-81f9-6805ca0b3d42.html
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?55f00e1a"
  );
  script_set_attribute(attribute:"solution", value:"Update the affected package.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'phpMyAdmin Authenticated Remote Code Execution');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:phpmyadmin");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:freebsd:freebsd");

  script_set_attribute(attribute:"vuln_publication_date", value:"2016/06/23");
  script_set_attribute(attribute:"patch_publication_date", value:"2016/07/01");
  script_set_attribute(attribute:"plugin_publication_date", value:"2016/07/05");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"FreeBSD Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/FreeBSD/release", "Host/FreeBSD/pkg_info");

  exit(0);
}


include("audit.inc");
include("freebsd_package.inc");


if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/FreeBSD/release")) audit(AUDIT_OS_NOT, "FreeBSD");
if (!get_kb_item("Host/FreeBSD/pkg_info")) audit(AUDIT_PACKAGE_LIST_MISSING);


flag = 0;

if (pkg_test(save_report:TRUE, pkg:"phpmyadmin>=4.6.0<4.6.3")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:pkg_report_get());
  else security_hole(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");

#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Gentoo Linux Security Advisory GLSA 201701-32.
#
# The advisory text is Copyright (C) 2001-2018 Gentoo Foundation, Inc.
# and licensed under the Creative Commons - Attribution / Share Alike 
# license. See http://creativecommons.org/licenses/by-sa/3.0/
#

include("compat.inc");

if (description)
{
  script_id(96426);
  script_version("3.3");
  script_cvs_date("Date: 2019/04/10 16:10:17");

  script_cve_id("CVE-2016-4412", "CVE-2016-5097", "CVE-2016-5098", "CVE-2016-5099", "CVE-2016-5701", "CVE-2016-5702", "CVE-2016-5703", "CVE-2016-5704", "CVE-2016-5705", "CVE-2016-5706", "CVE-2016-5730", "CVE-2016-5731", "CVE-2016-5732", "CVE-2016-5733", "CVE-2016-5734", "CVE-2016-5739", "CVE-2016-6606", "CVE-2016-6607", "CVE-2016-6608", "CVE-2016-6609", "CVE-2016-6610", "CVE-2016-6611", "CVE-2016-6612", "CVE-2016-6613", "CVE-2016-6614", "CVE-2016-6615", "CVE-2016-6616", "CVE-2016-6617", "CVE-2016-6618", "CVE-2016-6619", "CVE-2016-6620", "CVE-2016-6622", "CVE-2016-6623", "CVE-2016-6624", "CVE-2016-6625", "CVE-2016-6626", "CVE-2016-6627", "CVE-2016-6628", "CVE-2016-6629", "CVE-2016-6630", "CVE-2016-6631", "CVE-2016-6632", "CVE-2016-6633", "CVE-2016-9847", "CVE-2016-9848", "CVE-2016-9849", "CVE-2016-9850", "CVE-2016-9851", "CVE-2016-9852", "CVE-2016-9853", "CVE-2016-9854", "CVE-2016-9855", "CVE-2016-9856", "CVE-2016-9857", "CVE-2016-9858", "CVE-2016-9859", "CVE-2016-9860", "CVE-2016-9861", "CVE-2016-9862", "CVE-2016-9863", "CVE-2016-9864", "CVE-2016-9865", "CVE-2016-9866");
  script_xref(name:"GLSA", value:"201701-32");

  script_name(english:"GLSA-201701-32 : phpMyAdmin: Multiple vulnerabilities");
  script_summary(english:"Checks for updated package(s) in /var/db/pkg");

  script_set_attribute(
    attribute:"synopsis", 
    value:
"The remote Gentoo host is missing one or more security-related
patches."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"The remote host is affected by the vulnerability described in GLSA-201701-32
(phpMyAdmin: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in phpMyAdmin. Please
      review the CVE identifiers referenced below for details.
  
Impact :

    A authenticated remote attacker could exploit these vulnerabilities to
      execute arbitrary PHP Code, inject SQL code, or to conduct Cross-Site
      Scripting attacks.
    In certain configurations, an unauthenticated remote attacker could
      cause a Denial of Service condition.
  
Workaround :

    There is no known workaround at this time."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security.gentoo.org/glsa/201701-32"
  );
  script_set_attribute(
    attribute:"solution", 
    value:
"All phpMyAdmin users should upgrade to the latest version:
      # emerge --sync
      # emerge --ask --oneshot --verbose '>=dev-db/phpmyadmin-4.6.5.1'"
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'phpMyAdmin Authenticated Remote Code Execution');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:phpmyadmin");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux");

  script_set_attribute(attribute:"patch_publication_date", value:"2017/01/11");
  script_set_attribute(attribute:"plugin_publication_date", value:"2017/01/12");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Gentoo Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("qpkg.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo");
if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING);


flag = 0;

if (qpkg_check(package:"dev-db/phpmyadmin", unaffected:make_list("ge 4.6.5.1"), vulnerable:make_list("lt 4.6.5.1"))) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());
  else security_hole(0);
  exit(0);
}
else
{
  tested = qpkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "phpMyAdmin");
}