Unsafe handling of preg_replace parameters

PMASA-2016-27

Announcement-ID: PMASA-2016-27

Date: 2016-06-23

Summary

Unsafe handling of preg_replace parameters

Description

In some versions of PHP, it’s possible for an attacker to pass parameters to the preg_replace() function which can allow the execution of arbitrary PHP code. This code is not properly sanitized in phpMyAdmin as part of the table search and replace feature.

Severity

We consider this vulnerability to be of moderate severity.

Mitigation factor

Using PHP version 5.4.6 or newer doesn’t allow null termination of the preg_replace string parameter. PHP since 7.0 doesn’t allow code execution in preg_replace at all.

Affected Versions

All 4.6.x versions (prior to 4.6.3), 4.4.x versions (prior to 4.4.15.7), and 4.0.x versions (prior to 4.0.10.16) are affected

Solution

Upgrade to phpMyAdmin 4.6.3, 4.4.15.7, or 4.0.10.16 or newer or apply patch listed below.

References

Thanks to Michal Čihař and Cure53 using RIPS for discovering these vulnerabilities.

Assigned CVE ids: CVE-2016-5734

CWE ids: CWE-661

Patches

The following commits have been made on the 4.0 branch to fix this issue:

• 351019c

The following commits have been made on the 4.4 branch to fix this issue:

• 33d1373
• daf3751

The following commits have been made on the 4.6 branch to fix this issue:

• 4bcc606
• 1cc7466

More information

For further information and in case of questions, please contact the phpMyAdmin team. Our website is phpmyadmin.net.