Executive Summary



This alert is flagged as a CWE/SANS Top 25 Common Weakness Enumeration entry.

Information

Name : CVE-2010-3056
Vendor : Cve
First vendor publication : 2010-08-24
Last vendor modification : 2011-01-28

Security-Database Scoring CVSS v2

CVSS vector : (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CVSS Base Score : 4.3     Attack Range : Network
CVSS Impact Score : 2.9   Attack Complexity : Medium
CVSS Exploit Score : 8.6  Authentication : None Required

Detail

Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 2.11.x before 2.11.10.1 and 3.x before 3.3.5.1 allow remote attackers to inject arbitrary web script or HTML via vectors related to (1) db_search.php, (2) db_sql.php, (3) db_structure.php, (4) js/messages.php, (5) libraries/common.lib.php, (6) libraries/database_interface.lib.php, (7) libraries/dbi/mysql.dbi.lib.php, (8) libraries/dbi/mysqli.dbi.lib.php, (9) libraries/db_info.inc.php, (10) libraries/sanitizing.lib.php, (11) libraries/sqlparser.lib.php, (12) server_databases.php, (13) server_privileges.php, (14) setup/config.php, (15) sql.php, (16) tbl_replace.php, and (17) tbl_sql.php.

Original Source

Url : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3056

CWE : Common Weakness Enumeration

Id : CWE-79
Name : Failure to Preserve Web Page Structure ('Cross-site Scripting') (CWE/SANS Top 25)

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:12807
Title: DSA-2097-1 phpmyadmin -- insufficient input sanitising
Description: Several remote vulnerabilities have been discovered in phpMyAdmin, a tool to administer MySQL over the web. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2010-3055 The configuration setup script does not properly sanitise its output file, which allows remote attackers to execute arbitrary PHP code via a crafted POST request. In Debian, the setup tool is protected through Apache HTTP basic authentication by default. CVE-2010-3056 Various cross site scripting issues have been discovered that allow a remote attacker to inject arbitrary web script or HTML. For the stable distribution, these problems have been fixed in version 2.11.8.1-5+lenny5. For the testing and unstable distribution, these problems have been fixed in version 3.3.5.1-1. We recommend that you upgrade your phpmyadmin package.
Family: unix Class: patch
Reference(s): DSA-2097-1
CVE-2010-3055
CVE-2010-3056
Version: 5
Platform(s): Debian GNU/Linux 5.0
Product(s): phpmyadmin
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:12436
Title: DSA-2097-2 phpmyadmin -- insufficient input sanitising
Description: The update in DSA 2097 for phpMyAdmin did not correctly apply the intended changes, thereby not completely addressing the vulnerabilities. Updated packages now fix the issues described in the original advisory text below. Several remote vulnerabilities have been discovered in phpMyAdmin, a tool to administer MySQL over the web. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2010-3055 The configuration setup script does not properly sanitise its output file, which allows remote attackers to execute arbitrary PHP code via a crafted POST request. In Debian, the setup tool is protected through Apache HTTP basic authentication by default. CVE-2010-3056 Various cross site scripting issues have been discovered that allow a remote attacker to inject arbitrary web script or HTML. For the stable distribution, these problems have been fixed in version 2.11.8.1-5+lenny6. For the testing and unstable distribution, these problems have been fixed in version 3.3.5.1-1. We recommend that you upgrade your phpmyadmin package.
Family: unix Class: patch
Reference(s): DSA-2097-2
CVE-2010-3055
CVE-2010-3056
Version: 5
Platform(s): Debian GNU/Linux 5.0
Product(s): phpmyadmin
Definition Synopsis:

CPE : Common Platform Enumeration

Type : Application
Count : 58

OpenVAS Exploits

Date : 2012-02-12
Name : Gentoo Security Advisory GLSA 201201-01 (phpMyAdmin)
File : nvt/glsa_201201_01.nasl

Date : 2010-12-02
Name : Fedora Update for phpMyAdmin FEDORA-2010-13402
File : nvt/gb_fedora_2010_13402_phpMyAdmin_fc14.nasl

Date : 2010-10-10
Name : Debian Security Advisory DSA 2097-1 (phpmyadmin)
File : nvt/deb_2097_1.nasl

Date : 2010-10-10
Name : Debian Security Advisory DSA 2097-2 (phpmyadmin)
File : nvt/deb_2097_2.nasl

Date : 2010-10-10
Name : FreeBSD Ports: phpMyAdmin
File : nvt/freebsd_phpMyAdmin21.nasl

Date : 2010-09-07
Name : Mandriva Update for phpmyadmin MDVSA-2010:164 (phpmyadmin)
File : nvt/gb_mandriva_MDVSA_2010_164.nasl

Date : 2010-08-30
Name : phpMyAdmin Multiple Cross Site Scripting Vulnerabilities
File : nvt/gb_phpmyadmin_42584.nasl

Date : 2010-08-24
Name : Fedora Update for phpMyAdmin FEDORA-2010-13249
File : nvt/gb_fedora_2010_13249_phpMyAdmin_fc13.nasl

Date : 2010-08-24
Name : Fedora Update for phpMyAdmin FEDORA-2010-13258
File : nvt/gb_fedora_2010_13258_phpMyAdmin_fc12.nasl

Open Source Vulnerability Database (OSVDB)

Id     Description
67491  phpMyAdmin libraries/sqlparser.lib.php Unspecified Parameter XSS
67490  phpMyAdmin libraries/sanitizing.lib.php Unspecified Parameter XSS
67489  phpMyAdmin libraries/db_info.inc.php Unspecified Parameter XSS
67488  phpMyAdmin libraries/dbi/mysqli.dbi.lib.php Unspecified Parameter XSS
67487  phpMyAdmin libraries/dbi/mysql.dbi.lib.php Unspecified Parameter XSS
67486  phpMyAdmin libraries/database_interface.lib.php Unspecified Parameter XSS
67485  phpMyAdmin libraries/common.lib.php Unspecified Parameter XSS
67343  phpMyAdmin Extension for TYPO3 Multiple Unspecified XSS
67325  phpMyAdmin tbl_sql.php Unspecified Parameter XSS
67324  phpMyAdmin tbl_replace.php fields[multi_edit][] Parameter XSS
67323  phpMyAdmin sql.php Multiple Parameter XSS
67322  phpMyAdmin setup/config.php DefaultLang Parameter XSS
67321  phpMyAdmin server_privileges.php Multiple Parameter XSS
67320  phpMyAdmin server_databases.php sort_by Parameter XSS
67319  phpMyAdmin js/messages.php db Parameter XSS
67318  phpMyAdmin db_structure.php sort Parameter XSS
67317  phpMyAdmin db_sql.php delimiter Parameter XSS
67316  phpMyAdmin db_search.php field_str Parameter XSS

Nessus® Vulnerability Scanner

Date : 2012-01-05
Name : The remote Gentoo host is missing one or more security-related patches.
File : gentoo_GLSA-201201-01.nasl - Type : ACT_GATHER_INFO

Date : 2010-08-30
Name : The remote Debian host is missing a security-related update.
File : debian_DSA-2097.nasl - Type : ACT_GATHER_INFO

Date : 2010-08-24
Name : The remote Fedora host is missing a security update.
File : fedora_2010-13402.nasl - Type : ACT_GATHER_INFO

Date : 2010-08-23
Name : The remote Fedora host is missing a security update.
File : fedora_2010-13249.nasl - Type : ACT_GATHER_INFO

Date : 2010-08-23
Name : The remote Fedora host is missing a security update.
File : fedora_2010-13258.nasl - Type : ACT_GATHER_INFO

Date : 2010-08-23
Name : The remote FreeBSD host is missing one or more security-related updates.
File : freebsd_pkg_274922b8ad2011dfaf1f00e0814cab4e.nasl - Type : ACT_GATHER_INFO

Internal Sources (Detail)

Source    Url
BID       http://www.securityfocus.com/bid/42584
CONFIRM   http://www.phpmyadmin.net/home_page/security/PMASA-2010-5.php
          https://bugzilla.redhat.com/show_bug.cgi?id=625877
DEBIAN    http://www.debian.org/security/2010/dsa-2097
FEDORA    http://lists.fedoraproject.org/pipermail/package-announce/2010-August/045991....
          http://lists.fedoraproject.org/pipermail/package-announce/2010-August/045997....
MANDRIVA  http://www.mandriva.com/security/advisories?name=MDVSA-2010:163
          http://www.mandriva.com/security/advisories?name=MDVSA-2010:164
MISC      http://yehg.net/lab/pr0js/advisories/phpmyadmin/%5Bphpmyadmin-3.3.5%5D_cross_...
SECUNIA   http://secunia.com/advisories/41000
          http://secunia.com/advisories/41185
VUPEN     http://www.vupen.com/english/advisories/2010/2223
          http://www.vupen.com/english/advisories/2010/2231

Alert History

Date                 Information
2014-02-17 10:56:55  Multiple Updates
2013-05-10 23:30:39  Multiple Updates