Executive Summary

Field | Value
---|---
Title | New phpmyadmin packages fix several vulnerabilities

Information

Field | Value | Field | Value
---|---|---|---
Name | DSA-2139 | First vendor publication | 2010-12-31
Vendor | Debian | Last vendor modification | 2010-12-31
Severity (vendor) | N/A | Revision | 1
Security-Database Scoring CVSS v3

CVSS vector: N/A

Metric | Value | Metric | Value
---|---|---|---
Overall CVSS Score | N/A | |
Base Score | N/A | Environmental Score | N/A
Impact Sub Score | N/A | Temporal Score | N/A
Exploitability Sub Score | N/A | |
Security-Database Scoring CVSS v2

CVSS vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

Metric | Value | Metric | Value
---|---|---|---
CVSS Base Score | 5.0 | Attack Range | Network
CVSS Impact Score | 2.9 | Attack Complexity | Low
CVSS Exploit Score | 10.0 | Authentication | None Required

This single vector (partial confidentiality impact, no integrity impact) is consistent with the unauthenticated phpinfo() disclosure (CVE-2010-4481) rather than with the two cross-site scripting issues, which affect integrity rather than confidentiality; treat the 5.0 as the score of one of the three problems, not of the advisory as a whole.
Detail

Several vulnerabilities have been discovered in phpMyAdmin, a tool to administer MySQL over the web. The Common Vulnerabilities and Exposures project identifies the following problems:

- CVE-2010-4329: Cross-site scripting in the database search function allowed a remote attacker to inject arbitrary web script or HTML.
- CVE-2010-4480: Cross-site scripting in the error display (error.php) allowed a remote attacker to inject arbitrary web script or HTML.
- CVE-2010-4481: The output of PHP's phpinfo() function could be retrieved by anyone, without authentication, but only if this functionality had been enabled (it is off by default). This may leak information about the host system.

For the stable distribution (lenny), these problems have been fixed in version 2.11.8.1-5+lenny7.

For the testing (squeeze) and unstable (sid) distributions, these problems have been fixed in version 3.3.7-3.

We recommend that you upgrade your phpmyadmin package.
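The practical question this advisory leaves an administrator with is whether the phpmyadmin package on a given host is older than the fixed version named above. The following is an added example, not code from Debian or the phpMyAdmin project: it re-implements dpkg's version ordering (epoch, upstream version, Debian revision; `~` sorts before anything else, letters before non-letters, numeric runs compared numerically) in Python so the comparison can be run on any machine, for instance over inventory data collected from many hosts, and applies it to the fixed versions from the advisory. The `dpkg-query` output it parses is constructed for the example; the suite names used as keys are an assumption of this script.

```python
r"""Check whether an installed Debian phpmyadmin package predates the DSA-2139 fix.

dpkg's version ordering is re-implemented here (it follows the verrevcmp
algorithm in dpkg: alternate non-digit and digit runs, '~' sorts before
everything including the end of the string, letters sort before non-letters)
so the check does not need dpkg itself to be present.
"""

# Fixed versions taken from the advisory text (suite names are this script's own keys).
DSA_2139_FIXED = {
    "lenny": "2.11.8.1-5+lenny7",
    "squeeze": "3.3.7-3",
    "sid": "3.3.7-3",
}


def _order(c):
    """dpkg's character weight for the non-digit comparison loop."""
    if c == "" or c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256


def _verrevcmp(a, b):
    """Compare two upstream-version or revision strings; negative, zero or positive."""
    def ch(s, k):
        return s[k] if k < len(s) else ""

    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit run: compare character weights until both sides reach a digit or the end.
        while (ch(a, i) and not ch(a, i).isdigit()) or (ch(b, j) and not ch(b, j).isdigit()):
            ac, bc = _order(ch(a, i)), _order(ch(b, j))
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit run: drop leading zeros, then the longer run wins, else the first differing digit.
        while ch(a, i) == "0":
            i += 1
        while ch(b, j) == "0":
            j += 1
        while ch(a, i).isdigit() and ch(b, j).isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if ch(a, i).isdigit():
            return 1
        if ch(b, j).isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version):
    """Split 'epoch:upstream-revision': epoch defaults to 0, revision follows the last '-'."""
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def compare_versions(a, b):
    """Return -1, 0 or 1 as Debian version a is older than, equal to or newer than b."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    for x, y in ((ua, ub), (ra, rb)):
        r = _verrevcmp(x, y)
        if r:
            return -1 if r < 0 else 1
    return 0


def is_vulnerable(installed, suite):
    """True if the installed phpmyadmin version is older than the DSA-2139 fix for the suite."""
    return compare_versions(installed, DSA_2139_FIXED[suite]) < 0


def check_dpkg_output(text, suite):
    """Parse lines in the form produced by dpkg-query -W -f='${Package}\t${Version}\n'
    and return {version: vulnerable} for every phpmyadmin entry found."""
    found = {}
    for line in text.splitlines():
        pkg, _, ver = line.strip().partition("\t")
        if pkg == "phpmyadmin" and ver:
            found[ver] = is_vulnerable(ver, suite)
    return found


# Constructed sample input (not real host output): a lenny host still one revision behind.
SAMPLE_DPKG_OUTPUT = "phpmyadmin\t2.11.8.1-5+lenny6\n"

if __name__ == "__main__":
    for ver, vuln in check_dpkg_output(SAMPLE_DPKG_OUTPUT, "lenny").items():
        state = "VULNERABLE, upgrade to " + DSA_2139_FIXED["lenny"] if vuln else "fixed"
        print("phpmyadmin " + ver + ": " + state)
```

On a Debian host the same ordering is available directly as `dpkg --compare-versions "$installed" lt 2.11.8.1-5+lenny7`; the Python version is for checking collected inventories off-box. Note that a backported or locally rebuilt package with a version string that does not follow Debian's scheme will not be classified correctly by either method.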
Original Source

URL: http://www.debian.org/security/2010/dsa-2139
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
67 % | CWE-79 | Failure to Preserve Web Page Structure ('Cross-site Scripting') (CWE/SANS Top 25) |
33 % | CWE-287 | Improper Authentication |
OVAL Definitions

Definition Id: oval:org.mitre.oval:def:20117

Field | Value | Field | Value
---|---|---|---
Oval ID | oval:org.mitre.oval:def:20117 | |
Title | DSA-2139-1 phpmyadmin - several | |
Description | Several vulnerabilities have been discovered in phpMyAdmin, a tool to administer MySQL over the web. | |
Family | unix | Class | patch
Reference(s) | DSA-2139-1, CVE-2010-4329, CVE-2010-4480, CVE-2010-4481 | Version | 5
Platform(s) | Debian GNU/Linux 5.0 | Product(s) | phpmyadmin
OpenVAS Exploits

Date | Name | File
---|---|---
2011-04-01 | Fedora Update for phpMyAdmin FEDORA-2011-3733 | nvt/gb_fedora_2011_3733_phpMyAdmin_fc13.nasl
2011-04-01 | Fedora Update for phpMyAdmin FEDORA-2011-3737 | nvt/gb_fedora_2011_3737_phpMyAdmin_fc14.nasl
2011-03-07 | Debian Security Advisory DSA 2139-1 (phpmyadmin) | nvt/deb_2139_1.nasl
2011-01-24 | FreeBSD Ports: phpMyAdmin | nvt/freebsd_phpMyAdmin22.nasl
2011-01-11 | Mandriva Update for phpmyadmin MDVSA-2011:000 (phpmyadmin) | nvt/gb_mandriva_MDVSA_2011_000.nasl
2010-12-27 | phpMyAdmin 'phpinfo.php' Security Bypass Vulnerability | nvt/gb_phpmyadmin_security_bypass_vuln.nasl
2010-12-23 | Fedora Update for phpMyAdmin FEDORA-2010-18343 | nvt/gb_fedora_2010_18343_phpMyAdmin_fc14.nasl
2010-12-23 | Fedora Update for phpMyAdmin FEDORA-2010-18371 | nvt/gb_fedora_2010_18371_phpMyAdmin_fc13.nasl
2010-12-13 | phpMyAdmin 'error.php' Cross Site Scripting Vulnerability | nvt/gb_phpmyadmin_bbcode_xss_vuln.nasl
2010-12-09 | Mandriva Update for phpmyadmin MDVSA-2010:244 (phpmyadmin) | nvt/gb_mandriva_MDVSA_2010_244.nasl
2010-12-09 | phpMyAdmin Database Search Cross Site Scripting Vulnerability | nvt/gb_phpmyadmin_45100.nasl
Open Source Vulnerability Database (OSVDB)

Id | Description
---|---
69932 | phpMyAdmin phpinfo.php Direct Request Authentication Bypass. phpMyAdmin contains a flaw related to the phpinfo function. The issue is triggered when a remote attacker sends a direct request to the phpinfo.php script. This may allow an attacker to bypass authentication and obtain sensitive information.
69684 | phpMyAdmin error.php BBcode Tag XSS. phpMyAdmin contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate BBcode tags upon submission to the 'error.php' script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.
69516 | phpMyAdmin Database Search libraries/common.lib.php tag_params Parameter XSS. phpMyAdmin contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate the 'tag_params' parameter upon submission to the global search script (libraries/common.lib.php). This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.
Nessus® Vulnerability Scanner

Date | Name | File | Type
---|---|---|---
2011-03-30 | The remote Fedora host is missing a security update. | fedora_2011-3733.nasl | ACT_GATHER_INFO
2011-03-30 | The remote Fedora host is missing a security update. | fedora_2011-3737.nasl | ACT_GATHER_INFO
2011-03-27 | The remote Fedora host is missing a security update. | fedora_2011-3761.nasl | ACT_GATHER_INFO
2011-01-06 | The remote web server hosts a PHP script that is prone to a cross-site scrip... | phpmyadmin_pmasa_2010_9.nasl | ACT_ATTACK
2011-01-03 | The remote Debian host is missing a security-related update. | debian_DSA-2139.nasl | ACT_GATHER_INFO
2010-12-09 | The remote Fedora host is missing a security update. | fedora_2010-18343.nasl | ACT_GATHER_INFO
2010-12-09 | The remote Fedora host is missing a security update. | fedora_2010-18371.nasl | ACT_GATHER_INFO
2010-11-30 | The remote FreeBSD host is missing one or more security-related updates. | freebsd_pkg_753f81855ba942a4be023f55ee580093.nasl | ACT_GATHER_INFO
Alert History

Date | Information
---|---
2014-02-17 11:29:46 |