[SECURITY] Update pMA to the latest stable 4.4.x release (4.4.15.8) - MWEXT-11

Includes critical vendor security fixes

- PMASA-2016-56: Remote code execution vulnerability when PHP is running with dbase extension
- PMASA-2016-54: Remote code execution vulnerability when run as CGI
- PMASA-2016-52: ArbitraryServerRegexp bypass
- PMASA-2016-45: DOS attack with forced persistent connections

Includes serious vendor security fixes

- PMASA-2016-53: Denial of service (DOS) attack by changing password to a very long string
- PMASA-2016-47: IPv6 and proxy server IP-based authentication rule circumvention
- PMASA-2016-42: SQL injection attack as control user
- PMASA-2016-39: SQL injection attack
- PMASA-2016-37: Path traversal with SaveDir and UploadDir
- PMASA-2016-36: Local file exposure through symlinks with UploadDir
- PMASA-2016-35: Local file exposure
- PMASA-2016-34: SQL injection attack
- PMASA-2016-29: Weakness with cookie encryption
- PMASA-2016-22: DOS attack
- PMASA-2016-21: Multiple XSS vulnerabilities

Includes moderate vendor security fixes

- PMASA-2016-51: Reflected File Download attack
- PMASA-2016-50: Referrer leak in url.php
- PMASA-2016-49: Bypass URL redirect protection
- PMASA-2016-46: Denial of service (DOS) attack by for loops
- PMASA-2016-43: Unvalidated data passed to unserialize()
- PMASA-2016-32: PHP code injection
- PMASA-2016-30: Multiple XSS vulnerabilities
- PMASA-2016-28: Referrer leak in transformations
- PMASA-2016-27: Unsafe handling of preg_replace parameters
- PMASA-2016-26: Multiple XSS vulnerabilities
- PMASA-2016-23: Multiple full path disclosure vulnerabilities
- PMASA-2016-19: SQL injection attack

Includes non-critical vendor security fixes

- PMASA-2016-55: Denial of service (DOS) attack with dbase extension
- PMASA-2016-48: Detect if user is logged in
- PMASA-2016-41: Denial of service (DOS) attack in transformation feature
- PMASA-2016-38: Multiple XSS vulnerabilities
- PMASA-2016-33: Full path disclosure
- PMASA-2016-17: BBCode injection vulnerability

Signed-off-by: Andreas Beutel <[email protected]>
abeutel committed Aug 18, 2016
1 parent 9b1d408 commit a43f059
Showing 1,731 changed files with 77,004 additions and 1,902 deletions.
2 changes: 1 addition & 1 deletion BeModule/conf.php
Expand Up @@ -11,7 +11,7 @@
// Configuration
$MCONF['name'] = 'tools_txphpmyadmin';
$MCONF['script'] = '_DISPATCH';
$MCONF['PMA_subdir'] = 'Vendor/phpMyAdmin-4.4.15.6-all-languages/';
$MCONF['PMA_subdir'] = 'Vendor/phpMyAdmin-4.4.15.8-all-languages/';
$MCONF['PMA_script'] = 'index.php';

// Localization
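Review bot: `$MCONF['PMA_subdir']` is hard-coded to the versioned vendor directory here and a second time inside printContent() in BeModule/index.php, so every pMA bump has to touch both files or the two paths drift apart. Define the path once (for example in conf.php, with index.php reading it) so a future update cannot leave one copy pointing at a directory the same commit deletes.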
2 changes: 1 addition & 1 deletion BeModule/index.php
Expand Up @@ -235,7 +235,7 @@ public function printContent() {
$MCONF['name'] = 'tools_txphpmyadmin';
$MCONF['script'] = '_DISPATCH';
$MCONF['access'] = 'admin';
$MCONF['PMA_subdir'] = 'Vendor/phpMyAdmin-4.4.15.6-all-languages/';
$MCONF['PMA_subdir'] = 'Vendor/phpMyAdmin-4.4.15.8-all-languages/';
$MCONF['PMA_script'] = 'index.php';

// Proceed if TYPO3_MODE is defined
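Review bot: this block re-declares the same `$MCONF` entries as BeModule/conf.php (`name`, `script`, `PMA_subdir`, `PMA_script`), differing only in the added `$MCONF['access'] = 'admin';`, which is why the 4.4.15.6 to 4.4.15.8 change had to be made twice. Include conf.php here instead of duplicating it; a stale `PMA_subdir` in either file would point at the vendor tree this commit removes and break the module.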
41 changes: 41 additions & 0 deletions Documentation/Changelog/Index.rst
Expand Up @@ -11,6 +11,47 @@ Change Log

The following is an overview of the changes in this extension. For more details `read the online log <https://github.com/mehrwert/TYPO3-phpMyAdmin>`_.

2016-08-17 Andreas Beutel - Version 5.1.7
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
- [FEATURE] Updated pMA to the latest stable 4.4.x release (4.4.15.8)
- [SECURITY] Includes critical vendor security fixes
- `PMASA-2016-56 <https://www.phpmyadmin.net/security/PMASA-2016-56/>`_: Remote code execution vulnerability when PHP is running with dbase extension
- `PMASA-2016-54 <https://www.phpmyadmin.net/security/PMASA-2016-54/>`_: Remote code execution vulnerability when run as CGI
- `PMASA-2016-52 <https://www.phpmyadmin.net/security/PMASA-2016-52/>`_: ArbitraryServerRegexp bypass
- `PMASA-2016-45 <https://www.phpmyadmin.net/security/PMASA-2016-45/>`_: DOS attack with forced persistent connections
- [SECURITY] Includes serious vendor security fixes
- `PMASA-2016-53 <https://www.phpmyadmin.net/security/PMASA-2016-53/>`_: Denial of service (DOS) attack by changing password to a very long string
- `PMASA-2016-47 <https://www.phpmyadmin.net/security/PMASA-2016-47/>`_: IPv6 and proxy server IP-based authentication rule circumvention
- `PMASA-2016-42 <https://www.phpmyadmin.net/security/PMASA-2016-42/>`_: SQL injection attack as control user
- `PMASA-2016-39 <https://www.phpmyadmin.net/security/PMASA-2016-39/>`_: SQL injection attack
- `PMASA-2016-37 <https://www.phpmyadmin.net/security/PMASA-2016-37/>`_: Path traversal with SaveDir and UploadDir
- `PMASA-2016-36 <https://www.phpmyadmin.net/security/PMASA-2016-36/>`_: Local file exposure through symlinks with UploadDir
- `PMASA-2016-35 <https://www.phpmyadmin.net/security/PMASA-2016-35/>`_: Local file exposure
- `PMASA-2016-34 <https://www.phpmyadmin.net/security/PMASA-2016-34/>`_: SQL injection attack
- `PMASA-2016-29 <https://www.phpmyadmin.net/security/PMASA-2016-29/>`_: Weakness with cookie encryption
- `PMASA-2016-22 <https://www.phpmyadmin.net/security/PMASA-2016-22/>`_: DOS attack
- `PMASA-2016-21 <https://www.phpmyadmin.net/security/PMASA-2016-21/>`_: Multiple XSS vulnerabilities
- [SECURITY] Includes moderate vendor security fixes
- `PMASA-2016-51 <https://www.phpmyadmin.net/security/PMASA-2016-51/>`_: Reflected File Download attack
- `PMASA-2016-50 <https://www.phpmyadmin.net/security/PMASA-2016-50/>`_: Referrer leak in url.php
- `PMASA-2016-49 <https://www.phpmyadmin.net/security/PMASA-2016-49/>`_: Bypass URL redirect protection
- `PMASA-2016-46 <https://www.phpmyadmin.net/security/PMASA-2016-46/>`_: Denial of service (DOS) attack by for loops
- `PMASA-2016-43 <https://www.phpmyadmin.net/security/PMASA-2016-43/>`_: Unvalidated data passed to unserialize()
- `PMASA-2016-32 <https://www.phpmyadmin.net/security/PMASA-2016-32/>`_: PHP code injection
- `PMASA-2016-30 <https://www.phpmyadmin.net/security/PMASA-2016-30/>`_: Multiple XSS vulnerabilities
- `PMASA-2016-28 <https://www.phpmyadmin.net/security/PMASA-2016-28/>`_: Referrer leak in transformations
- `PMASA-2016-27 <https://www.phpmyadmin.net/security/PMASA-2016-27/>`_: Unsafe handling of preg_replace parameters
- `PMASA-2016-26 <https://www.phpmyadmin.net/security/PMASA-2016-26/>`_: Multiple XSS vulnerabilities
- `PMASA-2016-23 <https://www.phpmyadmin.net/security/PMASA-2016-23/>`_: Multiple full path disclosure vulnerabilities
- `PMASA-2016-19 <https://www.phpmyadmin.net/security/PMASA-2016-19/>`_: SQL injection attack
- [SECURITY] Includes non-critical vendor security fixes
- `PMASA-2016-55 <https://www.phpmyadmin.net/security/PMASA-2016-55/>`_: Denial of service (DOS) attack with dbase extension
- `PMASA-2016-48 <https://www.phpmyadmin.net/security/PMASA-2016-48/>`_: Detect if user is logged in
- `PMASA-2016-41 <https://www.phpmyadmin.net/security/PMASA-2016-41/>`_: Denial of service (DOS) attack in transformation feature
- `PMASA-2016-38 <https://www.phpmyadmin.net/security/PMASA-2016-38/>`_: Multiple XSS vulnerabilities
- `PMASA-2016-33 <https://www.phpmyadmin.net/security/PMASA-2016-33/>`_: Full path disclosure
- `PMASA-2016-17 <https://www.phpmyadmin.net/security/PMASA-2016-17/>`_: BBCode injection vulnerability

2016-05-27 Andreas Beutel - Version 5.1.6
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
- [FEATURE] Updated pMA to the latest stable 4.4.x release (4.4.15.6)
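Review bot: the 5.1.7 update line is tagged [FEATURE] although the commit itself is tagged [SECURITY] and the entry consists entirely of vendor security fixes, two of them remote code execution advisories (PMASA-2016-54, PMASA-2016-56); tag that line [SECURITY] as well so operators scanning the changelog see that this release needs prompt deployment. The entry is dated 2016-08-17 while the commit is dated Aug 18, 2016, and naming the previously bundled version (4.4.15.6, from the 5.1.6 entry) would tell readers exactly which advisories apply to the copy they are replacing.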
2 changes: 1 addition & 1 deletion Documentation/Index.rst
Expand Up @@ -24,7 +24,7 @@ phpMyAdmin for TYPO3
2002-11-01

:Changed:
2016-05-27
2016-08-17

:Changed by:
Andreas Beutel
8 changes: 5 additions & 3 deletions ReadMe.md
Expand Up @@ -8,6 +8,8 @@ execute any SQL statement - see http://www.phpmyadmin.net/

## Requirements and known issues

Version 5.x of the TYPO3 phpMyAdmin extension includes the latest release of phpMyAdmin (4.x). If your need
an older version compatible with PHP 5.2 and MySQL 5 just use one of the 4.x releases. The 4x releases
are supported for security fixes only (until Jan 1, 2016).
Version 5.x of the TYPO3 phpMyAdmin extension includes the latest release of phpMyAdmin (4.x).
phpMyAdmin 4.4.x is officially supported for security fixes only until October 1, 2016!

If you're in need of an older version compatible with PHP 5.2 and MySQL 5 just use one of the 4.x
releases. The 4x releases were supported for security fixes only until Jan 1, 2016.
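Review bot: `The 4x releases were supported` in the new text should read `The 4.x releases`, matching `4.x` on the line above. More importantly, the added warning says phpMyAdmin 4.4.x loses security support on October 1, 2016, about six weeks after this commit, but nothing tells the reader what the extension will ship after that date; a sentence on the planned follow-up (a newer phpMyAdmin branch, or an end-of-life note for the 5.x line) belongs next to that warning so operators can plan.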
4 changes: 2 additions & 2 deletions Settings.yml
Expand Up @@ -6,8 +6,8 @@
conf.py:
copyright: 2002-2016
project: phpMyAdmin Extension for TYPO3
version: 5.1.5
release: 5.1.5
version: 5.1.7
release: 5.1.7
latex_documents:
- - Index
- phpmyadmin.tex
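Review bot: `version` and `release` jump from 5.1.5 to 5.1.7 while the changelog already documents a 5.1.6 release (2016-05-27), so 5.1.6 shipped with stale documentation metadata. A single version source, or a release check that the Settings.yml version and the newest changelog heading agree, would have caught this.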
152 changes: 0 additions & 152 deletions Vendor/phpMyAdmin-4.4.15.6-all-languages/config.sample.inc.php
85 changes: 0 additions & 85 deletions Vendor/phpMyAdmin-4.4.15.6-all-languages/file_echo.php
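Review bot: the whole Vendor/phpMyAdmin-4.4.15.6-all-languages/ tree is removed (config.sample.inc.php and file_echo.php are the visible examples among the 1,731 changed files). Confirm before merging that no deployment keeps its live config.inc.php inside that versioned directory, since the directory swap would silently drop it, and that the removal is complete so the vulnerable 4.4.15.6 copy is not left reachable under the web root alongside the new one.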