Executive Summary



This Alert is flagged as TOP 25 Common Weakness Enumeration from CWE/SANS. For more information, you can read this.
Summary
Title New phpmyadmin packages fix several vulnerabilities
Informations
Name DSA-2139 First vendor Publication 2010-12-31
Vendor Debian Last vendor Modification 2010-12-31
Severity (Vendor) N/A Revision 1

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score NA
Base Score NA Environmental Score NA
impact SubScore NA Temporal Score NA
Exploitabality Sub Score NA
 
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:L/Au:N/C:P/I:N/A:N)
Cvss Base Score 5 Attack Range Network
Cvss Impact Score 2.9 Attack Complexity Low
Cvss Expoit Score 10 Authentication None Required
Calculate full CVSS 2.0 Vectors scores

Detail

Several vulnerabilities have been discovered in phpMyAdmin, a tool to administer MySQL over the web. The Common Vulnerabilities and Exposures project identifies the following problems:

CVE-2010-4329

Cross site scripting was possible in search, that allowed a remote attacker to inject arbitrary web script or HTML.

CVE-2010-4480

Cross site scripting was possible in errors, that allowed a remote attacker to inject arbitrary web script or HTML.

CVE-2010-4481

Display of PHP's phpinfo() function was available to world, but only if this functionality had been enabled (defaults to off). This may leak some information about the host system.

For the stable distribution (lenny), these problems have been fixed in version 2.11.8.1-5+lenny7.

For the testing (squeeze) and unstable distribution (sid), these problems have been fixed in version 3.3.7-3.

We recommend that you upgrade your phpmyadmin package.

Original Source

Url : http://www.debian.org/security/2010/dsa-2139

CWE : Common Weakness Enumeration

% Id Name
67 % CWE-79 Failure to Preserve Web Page Structure ('Cross-site Scripting') (CWE/SANS Top 25)
33 % CWE-287 Improper Authentication

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:20117
 
Oval ID: oval:org.mitre.oval:def:20117
Title: DSA-2139-1 phpmyadmin - several
Description: Several vulnerabilities have been discovered in phpMyAdmin, a tool to administer MySQL over the web.
Family: unix Class: patch
Reference(s): DSA-2139-1
CVE-2010-4329
CVE-2010-4480
CVE-2010-4481
 Version: 5
Platform(s): Debian GNU/Linux 5.0
 Product(s): phpmyadmin
Definition Synopsis:

CPE : Common Platform Enumeration

TypeDescriptionCount
Application 254

OpenVAS Exploits

Date Description
2011-04-01 Name : Fedora Update for phpMyAdmin FEDORA-2011-3733
File : nvt/gb_fedora_2011_3733_phpMyAdmin_fc13.nasl
2011-04-01 Name : Fedora Update for phpMyAdmin FEDORA-2011-3737
File : nvt/gb_fedora_2011_3737_phpMyAdmin_fc14.nasl
2011-03-07 Name : Debian Security Advisory DSA 2139-1 (phpmyadmin)
File : nvt/deb_2139_1.nasl
2011-01-24 Name : FreeBSD Ports: phpMyAdmin
File : nvt/freebsd_phpMyAdmin22.nasl
2011-01-11 Name : Mandriva Update for phpmyadmin MDVSA-2011:000 (phpmyadmin)
File : nvt/gb_mandriva_MDVSA_2011_000.nasl
2010-12-27 Name : phpMyAdmin 'phpinfo.php' Security bypass Vulnerability
File : nvt/gb_phpmyadmin_security_bypass_vuln.nasl
2010-12-23 Name : Fedora Update for phpMyAdmin FEDORA-2010-18343
File : nvt/gb_fedora_2010_18343_phpMyAdmin_fc14.nasl
2010-12-23 Name : Fedora Update for phpMyAdmin FEDORA-2010-18371
File : nvt/gb_fedora_2010_18371_phpMyAdmin_fc13.nasl
2010-12-13 Name : phpMyAdmin 'error.php' Cross Site Scripting Vulnerability
File : nvt/gb_phpmyadmin_bbcode_xss_vuln.nasl
2010-12-09 Name : Mandriva Update for phpmyadmin MDVSA-2010:244 (phpmyadmin)
File : nvt/gb_mandriva_MDVSA_2010_244.nasl
2010-12-09 Name : phpMyAdmin Database Search Cross Site Scripting Vulnerability
File : nvt/gb_phpmyadmin_45100.nasl

Open Source Vulnerability Database (OSVDB)

Id Description
69932 phpMyAdmin phpinfo.php Direct Request Authentication Bypass

phpMyAdmin contains a flaw related to the phpinfo function .The issue is triggered when a remote attacker sends a direct request to the phpinfo.php script. This may allow an attacker to bypass authentication and obtain sensitive information.
69684 PhpMyAdmin error.php BBcode Tag XSS

PhpMyAdmin contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate BBcode tags upon submission to the 'error.php' script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.
69516 phpMyAdmin Database Search libraries/common.lib.php tag_params Parameter XSS

phpMyAdmin contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate the 'tag_params' parameter upon submission to the global search script (libraries/common.lib.php). This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.

Nessus® Vulnerability Scanner

Date Description
2011-03-30 Name : The remote Fedora host is missing a security update.
File : fedora_2011-3733.nasl - Type : ACT_GATHER_INFO
2011-03-30 Name : The remote Fedora host is missing a security update.
File : fedora_2011-3737.nasl - Type : ACT_GATHER_INFO
2011-03-27 Name : The remote Fedora host is missing a security update.
File : fedora_2011-3761.nasl - Type : ACT_GATHER_INFO
2011-01-06 Name : The remote web server hosts a PHP script that is prone to a cross- site scrip...
File : phpmyadmin_pmasa_2010_9.nasl - Type : ACT_ATTACK
2011-01-03 Name : The remote Debian host is missing a security-related update.
File : debian_DSA-2139.nasl - Type : ACT_GATHER_INFO
2010-12-09 Name : The remote Fedora host is missing a security update.
File : fedora_2010-18343.nasl - Type : ACT_GATHER_INFO
2010-12-09 Name : The remote Fedora host is missing a security update.
File : fedora_2010-18371.nasl - Type : ACT_GATHER_INFO
2010-11-30 Name : The remote FreeBSD host is missing one or more security-related updates.
File : freebsd_pkg_753f81855ba942a4be023f55ee580093.nasl - Type : ACT_GATHER_INFO

Alert History

If you want to see full details history, please login or register.
0
Date Informations
2014-02-17 11:29:46
  • Multiple Updates