SQL injection in phpmyadmin (Alpine package)

1) SQL injection

EUVDB-ID: #VU33583

Risk: Medium

CVSSv4.0: 5.2 [CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2016-9864

CWE-ID: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Exploit availability: No

Description

The vulnerability allows a remote authenticated user to execute arbitrary code.

An issue was discovered in phpMyAdmin. With a crafted username or a table name, it was possible to inject SQL statements in the tracking functionality that would run with the privileges of the control user. This gives read and write access to the tables of the configuration storage database, and if the control user has the necessary privileges, read access to some tables of the MySQL database. All 4.6.x versions (prior to 4.6.5), 4.4.x versions (prior to 4.4.15.9), and 4.0.x versions (prior to 4.0.10.18) are affected.

Mitigation

Install update from vendor's website.

Vulnerable software versions

phpmyadmin (Alpine package): 4.0.4.1-r0 - 4.4.15.8-r0

CPE2.3

• cpe:2.3:a:alpine:phpmyadmin_alpine_package:4.0.4.1-r0:*:*:*:*:alpine_linux:*:2.6
• cpe:2.3:a:alpine:phpmyadmin_alpine_package:4.0.4.2-r0:*:*:*:*:alpine_linux:*:2.6
• cpe:2.3:a:alpine:phpmyadmin_alpine_package:4.0.9-r0:*:*:*:*:alpine_linux:*:2.6

External links

https://git.alpinelinux.org/aports/commit/?id=3c5da8c4643bf2ec21c87b1c68b3ad2c149fc3b9
https://git.alpinelinux.org/aports/commit/?id=b36b3560d17cde1b9b07e17906ea6b7612b04cce
https://git.alpinelinux.org/aports/commit/?id=a35fc5fa306c1b74cf13f5f8a6624b47b0409a82

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.