8.5 - GLSA-200903-32

Executive Summary

This Alert is flagged as TOP 25 Common Weakness Enumeration from CWE/SANS. For more information, you can read this.

Summary
Title	phpMyAdmin: Multiple vulnerabilities

Informations
Name	GLSA-200903-32	First vendor Publication	2009-03-18
Vendor	Gentoo	Last vendor Modification	2009-03-18
Severity (Vendor)	Normal	Revision	N/A

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score	NA
Base Score	NA	Environmental Score	NA
impact SubScore	NA	Temporal Score	NA
Exploitabality Sub Score	NA

Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:M/Au:S/C:C/I:C/A:C)
Cvss Base Score	8.5	Attack Range	Network
Cvss Impact Score	10	Attack Complexity	Medium
Cvss Expoit Score	6.8	Authentication	Requires single instance
Calculate full CVSS 2.0 Vectors scores

Detail

Synopsis

Multiple vulnerabilities have been discovered in phpMyAdmin, the worst of which may allow for remote code execution.

Background

phpMyAdmin is a web-based management tool for MySQL databases.

Description

Multiple vulnerabilities have been reported in phpMyAdmin:

* libraries/database_interface.lib.php in phpMyAdmin allows remote authenticated users to execute arbitrary code via a request to server_databases.php with a sort_by parameter containing PHP sequences, which are processed by create_function (CVE-2008-4096).

* Cross-site scripting (XSS) vulnerability in pmd_pdf.php allows remote attackers to inject arbitrary web script or HTML via the db parameter, a different vector than CVE-2006-6942 and CVE-2007-5977
(CVE-2008-4775).

* Cross-site request forgery (CSRF) vulnerability in phpMyAdmin allows remote authenticated attackers to perform unauthorized actions as the administrator via a link or IMG tag to tbl_structure.php with a modified table parameter. NOTE: this can be leveraged to conduct SQL injection attacks and execute arbitrary code (CVE-2008-5621).

* Multiple cross-site request forgery (CSRF) vulnerabilities in phpMyAdmin allow remote attackers to conduct SQL injection attacks via unknown vectors related to the table parameter, a different vector than CVE-2008-5621 (CVE-2008-5622).

Impact

A remote attacker may execute arbitrary code with the rights of the webserver, inject and execute SQL with the rights of phpMyAdmin or conduct XSS attacks against other users.

Workaround

There is no known workaround at this time.

Resolution

All phpMyAdmin users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-db/phpmyadmin-2.11.9.4"

References

[ 1 ] CVE-2006-6942 : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6942
[ 2 ] CVE-2007-5977 : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5977
[ 3 ] CVE-2008-4096 : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4096
[ 4 ] CVE-2008-4775 : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4775
[ 5 ] CVE-2008-5621 : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5621
[ 6 ] CVE-2008-5622 : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5622

Availability

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-200903-32.xml

Original Source

Url : http://security.gentoo.org/glsa/glsa-200903-32.xml

CWE : Common Weakness Enumeration

%	Id	Name
60 %	CWE-79	Failure to Preserve Web Page Structure ('Cross-site Scripting') (CWE/SANS Top 25)
20 %	CWE-352	Cross-Site Request Forgery (CSRF) (CWE/SANS Top 25)
20 %	CWE-20	Improper Input Validation

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:13581

Oval ID:	oval:org.mitre.oval:def:13581
Title:	DSA-1723-1 phpmyadmin -- insufficient input sanitising
Description:	Michael Brooks discovered that phpMyAdmin, a tool to administrate MySQL over the web, performs insufficient input sanitising allowing a user assisted remote attacker to execute code on the webserver. For the stable distribution, this problem has been fixed in version 4:2.9.1.1-10. For the testing distribution and unstable distribution, this problem has been fixed in version 2.11.8.1-5. We recommend that you upgrade your phpmyadmin package.
Family:	unix	Class:	patch
Reference(s):	DSA-1723-1 CVE-2008-5621	Version:	7
Platform(s):	Debian GNU/Linux 4.0	Product(s):	phpmyadmin
Definition Synopsis:
Debian GNU/Linux 4.0 is installed. AND Installed architecture is all AND phpmyadmin DPKG is earlier than 4:2.9.1.1-10

Definition Id: oval:org.mitre.oval:def:8145

Oval ID:	oval:org.mitre.oval:def:8145
Title:	DSA-1723 phpmyadmin -- insufficient input sanitising
Description:	Michael Brooks discovered that phpMyAdmin, a tool to administrate MySQL over the web, performs insufficient input sanitising allowing a user assisted remote attacker to execute code on the webserver.
Family:	unix	Class:	patch
Reference(s):	DSA-1723 CVE-2008-5621	Version:	5
Platform(s):	Debian GNU/Linux 4.0	Product(s):	phpmyadmin
Definition Synopsis:
Debian GNU/Linux 4.0 is installed. AND Installed architecture is all AND phpmyadmin is earlier than 4:2.9.1.1-10

Definition Id: oval:org.mitre.oval:def:8155

Oval ID:	oval:org.mitre.oval:def:8155
Title:	DSA-1641 phpmyadmin -- several vulnerabilities
Description:	Several remote vulnerabilities have been discovered in phpMyAdmin, a tool to administrate MySQL databases over the web. The Common Vulnerabilities and Exposures project identifies the following problems: Remote authenticated users could execute arbitrary code on the host running phpMyAdmin through manipulation of a script parameter. Crossite scripting through the setup script was possible in rare circumstances. Protection has been added against remote websites loading phpMyAdmin into a frameset. Cross site request forgery allowed remote attackers to create a new database, but not perform any other action on it.
Family:	unix	Class:	patch
Reference(s):	DSA-1641 CVE-2008-3197 CVE-2008-3456 CVE-2008-3457 CVE-2008-4096	Version:	5
Platform(s):	Debian GNU/Linux 4.0	Product(s):	phpmyadmin
Definition Synopsis:
Debian GNU/Linux 4.0 is installed. AND Installed architecture is all AND phpmyadmin is earlier than 4:2.9.1.1-8

CPE : Common Platform Enumeration

Type	Description	Count
Application	Phpmyadmin cpe:2.3:a:phpmyadmin:phpmyadmin:3.1.0.0:::::::* cpe:2.3:a:phpmyadmin:phpmyadmin:3.0.1:::::::* cpe:2.3:a:phpmyadmin:phpmyadmin:3.0.0:::::::* cpe:2.3:a:phpmyadmin:phpmyadmin:2.9.2:::::::* cpe:2.3:a:phpmyadmin:phpmyadmin:2.9.1.1:::::::* cpe:2.3:a:phpmyadmin:phpmyadmin:2.9.1_rc2:::::::* cpe:2.3:a:phpmyadmin:phpmyadmin:2.9.1_rc1:::::::* cpe:2.3:a:phpmyadmin:phpmyadmin:2.9.1:::::::* cpe:2.3:a:phpmyadmin:phpmyadmin:2.9.1:rc1:::::: cpe:2.3:a:phpmyadmin:phpmyadmin:2.9.1:rc2:::::: cpe:2.3:a:phpmyadmin:phpmyadmin:2.9.0.3:::::::* cpe:2.3:a:phpmyadmin:phpmyadmin:2.9.0.2:::::::* cpe:2.3:a:phpmyadmin:phpmyadmin:2.9.0.1:::::::* cpe:2.3:a:phpmyadmin:phpmyadmin:2.9.0_rc1:::::::* cpe:2.3:a:phpmyadmin:phpmyadmin:2.9.0_dev:::::::* cpe:2.3:a:phpmyadmin:phpmyadmin:2.9.0_beta1:::::::* cpe:2.3:a:phpmyadmin:phpmyadmin:2.9.0:::::::* cpe:2.3:a:phpmyadmin:phpmyadmin:2.9.0:beta1:::::: cpe:2.3:a:phpmyadmin:phpmyadmin:2.9.0:rc1:::::: cpe:2.3:a:phpmyadmin:phpmyadmin:2.9_rc1:::::::* cpe:2.3:a:phpmyadmin:phpmyadmin:2.9:::::::* cpe:2.3:a:phpmyadmin:phpmyadmin:2.8.4:::::::* cpe:2.3:a:phpmyadmin:phpmyadmin:2.8.3:::::::* cpe:2.3:a:phpmyadmin:phpmyadmin:2.8.2:::::::* cpe:2.3:a:phpmyadmin:phpmyadmin:2.8.1_dev:::::::* cpe:2.3:a:phpmyadmin:phpmyadmin:2.8.1:::::::* cpe:2.3:a:phpmyadmin:phpmyadmin:2.8.0.3:::::::* cpe:2.3:a:phpmyadmin:phpmyadmin:2.8.0.2:::::::* cpe:2.3:a:phpmyadmin:phpmyadmin:2.8.0.1:::::::* cpe:2.3:a:phpmyadmin:phpmyadmin:2.8.0:::::::* cpe:2.3:a:phpmyadmin:phpmyadmin:2.7.0_rc1:::::::* cpe:2.3:a:phpmyadmin:phpmyadmin:2.7.0_pl2:::::::* cpe:2.3:a:phpmyadmin:phpmyadmin:2.7.0_pl1:::::::* cpe:2.3:a:phpmyadmin:phpmyadmin:2.7.0_beta1:::::::* cpe:2.3:a:phpmyadmin:phpmyadmin:2.7.0:::::::* cpe:2.3:a:phpmyadmin:phpmyadmin:2.7_pl1:::::::* cpe:2.3:a:phpmyadmin:phpmyadmin:2.7:::::::* cpe:2.3:a:phpmyadmin:phpmyadmin:2.6.4_rc1:::::::* cpe:2.3:a:phpmyadmin:phpmyadmin:2.6.4_pl4:::::::* cpe:2.3:a:phpmyadmin:phpmyadmin:2.6.4_pl3:::::::* cpe:2.3:a:phpmyadmin:phpmyadmin:2.6.4_pl2:::::::* cpe:2.3:a:phpmyadmin:phpmyadmin:2.6.4_pl1:::::::* cpe:2.3:a:phpmyadmin:phpmyadmin:2.6.4:::::::* cpe:2.3:a:phpmyadmin:phpmyadmin:2.6.3_pl1:::::::* cpe:2.3:a:phpmyadmin:phpmyadmin:2.6.3:::::::* cpe:2.3:a:phpmyadmin:phpmyadmin:2.6.2_rc1:::::::* cpe:2.3:a:phpmyadmin:phpmyadmin:2.6.2_pl1:::::::* cpe:2.3:a:phpmyadmin:phpmyadmin:2.6.2_dev:::::::* cpe:2.3:a:phpmyadmin:phpmyadmin:2.6.2:::::::* cpe:2.3:a:phpmyadmin:phpmyadmin:2.6.1_rc1:::::::* cpe:2.3:a:phpmyadmin:phpmyadmin:2.6.1_pl3:::::::* cpe:2.3:a:phpmyadmin:phpmyadmin:2.6.1_pl1:::::::* cpe:2.3:a:phpmyadmin:phpmyadmin:2.6.1:::::::* cpe:2.3:a:phpmyadmin:phpmyadmin:2.6.0_pl3:::::::* cpe:2.3:a:phpmyadmin:phpmyadmin:2.6.0_pl2:::::::* cpe:2.3:a:phpmyadmin:phpmyadmin:2.6.0_pl1:::::::* cpe:2.3:a:phpmyadmin:phpmyadmin:2.6.0:::::::* cpe:2.3:a:phpmyadmin:phpmyadmin:2.5.7_pl1:::::::* cpe:2.3:a:phpmyadmin:phpmyadmin:2.5.7:::::::* cpe:2.3:a:phpmyadmin:phpmyadmin:2.5.6_rc2:::::::* cpe:2.3:a:phpmyadmin:phpmyadmin:2.5.6_rc1:::::::* cpe:2.3:a:phpmyadmin:phpmyadmin:2.5.5_rc2:::::::* cpe:2.3:a:phpmyadmin:phpmyadmin:2.5.5_rc1:::::::* cpe:2.3:a:phpmyadmin:phpmyadmin:2.5.5_pl1:::::::* cpe:2.3:a:phpmyadmin:phpmyadmin:2.5.5:::::::* cpe:2.3:a:phpmyadmin:phpmyadmin:2.5.4:::::::* cpe:2.3:a:phpmyadmin:phpmyadmin:2.5.3:::::::* cpe:2.3:a:phpmyadmin:phpmyadmin:2.5.2_pl1:::::::* cpe:2.3:a:phpmyadmin:phpmyadmin:2.5.2:::::::* cpe:2.3:a:phpmyadmin:phpmyadmin:2.5.1:::::::* cpe:2.3:a:phpmyadmin:phpmyadmin:2.5.0:::::::* cpe:2.3:a:phpmyadmin:phpmyadmin:2.4.0:::::::* cpe:2.3:a:phpmyadmin:phpmyadmin:2.3.2:::::::* cpe:2.3:a:phpmyadmin:phpmyadmin:2.3.1:::::::* cpe:2.3:a:phpmyadmin:phpmyadmin:2.3.0:::::::* cpe:2.3:a:phpmyadmin:phpmyadmin:2.2.7_pl1:::::::* cpe:2.3:a:phpmyadmin:phpmyadmin:2.2.6:::::::* cpe:2.3:a:phpmyadmin:phpmyadmin:2.2.5:::::::* cpe:2.3:a:phpmyadmin:phpmyadmin:2.2.4:::::::* cpe:2.3:a:phpmyadmin:phpmyadmin:2.2.3:::::::* cpe:2.3:a:phpmyadmin:phpmyadmin:2.2.2:::::::* cpe:2.3:a:phpmyadmin:phpmyadmin:2.2.0_rc3:::::::* cpe:2.3:a:phpmyadmin:phpmyadmin:2.2.0_rc2:::::::* cpe:2.3:a:phpmyadmin:phpmyadmin:2.2.0_rc1:::::::* cpe:2.3:a:phpmyadmin:phpmyadmin:2.2.0_pre2:::::::* cpe:2.3:a:phpmyadmin:phpmyadmin:2.2.0_pre1:::::::* cpe:2.3:a:phpmyadmin:phpmyadmin:2.2.0:::::::* cpe:2.3:a:phpmyadmin:phpmyadmin:2.2_rc3:::::::* cpe:2.3:a:phpmyadmin:phpmyadmin:2.2_rc2:::::::* cpe:2.3:a:phpmyadmin:phpmyadmin:2.2_rc1:::::::* cpe:2.3:a:phpmyadmin:phpmyadmin:2.2_pre2:::::::* cpe:2.3:a:phpmyadmin:phpmyadmin:2.2_pre1:::::::* cpe:2.3:a:phpmyadmin:phpmyadmin:2.2:::::::* cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.9.3:::::::* cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.9.2:::::::* cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.9.1:::::::* cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.9.0:::::::* cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.9:::::::* cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.8.0:::::::* cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.8:::::::* cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.7.1:::::::* cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.7.0:::::::* cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.7:::::::* cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.6rc1:::::::* cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.6.0:::::::* cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.6:::::::* cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.6:rc1:::::: cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.5rc1:::::::* cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.5.2:::::::* cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.5.1:::::::* cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.5.0:::::::* cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.5:rc1:::::: cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.5:::::::* cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.4rc1:::::::* cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.4.0:::::::* cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.4:::::::* cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.4:rc1:::::: cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.3rc1:::::::* cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.3.0:::::::* cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.3:rc1:::::: cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.3:::::::* cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.2.2:::::::* cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.2.1:::::::* cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.2.0:::::::* cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.2:::::::* cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.1rc1:::::::* cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.1.2:::::::* cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.1.1:::::::* cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.1.0:::::::* cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.1:rc1:::::: cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.1:::::::* cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.0rc1:::::::* cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.0beta1:::::::* cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.0.0:::::::* cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.0:::::::* cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.0:rc1:::::: cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.0:beta1:::::: cpe:2.3:a:phpmyadmin:phpmyadmin:2.10.3rc1:::::::* cpe:2.3:a:phpmyadmin:phpmyadmin:2.10.3.0:::::::* cpe:2.3:a:phpmyadmin:phpmyadmin:2.10.3:::::::* cpe:2.3:a:phpmyadmin:phpmyadmin:2.10.2.0:::::::* cpe:2.3:a:phpmyadmin:phpmyadmin:2.10.2:::::::* cpe:2.3:a:phpmyadmin:phpmyadmin:2.10.1.0:::::::* cpe:2.3:a:phpmyadmin:phpmyadmin:2.10.1:::::::* cpe:2.3:a:phpmyadmin:phpmyadmin:2.10.01:::::::* cpe:2.3:a:phpmyadmin:phpmyadmin:2.10.0.2:::::::* cpe:2.3:a:phpmyadmin:phpmyadmin:2.10.0.1:::::::* cpe:2.3:a:phpmyadmin:phpmyadmin:2.10.0.0:::::::* cpe:2.3:a:phpmyadmin:phpmyadmin:2.10.0:::::::* cpe:2.3:a:phpmyadmin:phpmyadmin:2.1.2:::::::* cpe:2.3:a:phpmyadmin:phpmyadmin:2.1.1:::::::* cpe:2.3:a:phpmyadmin:phpmyadmin:2.1.0:::::::* cpe:2.3:a:phpmyadmin:phpmyadmin:2.1:::::::* cpe:2.3:a:phpmyadmin:phpmyadmin:2.0.5:::::::* cpe:2.3:a:phpmyadmin:phpmyadmin:2.0.4:::::::* cpe:2.3:a:phpmyadmin:phpmyadmin:2.0.3:::::::* cpe:2.3:a:phpmyadmin:phpmyadmin:2.0.2:::::::* cpe:2.3:a:phpmyadmin:phpmyadmin:2.0.1:::::::* cpe:2.3:a:phpmyadmin:phpmyadmin:2.0.0:::::::* cpe:2.3:a:phpmyadmin:phpmyadmin:2.0:::::::* cpe:2.3:a:phpmyadmin:phpmyadmin:1.3.1:::::::* cpe:2.3:a:phpmyadmin:phpmyadmin:1.3.0:::::::* cpe:2.3:a:phpmyadmin:phpmyadmin:1.3:::::::* cpe:2.3:a:phpmyadmin:phpmyadmin:1.3:alpha:::::: cpe:2.3:a:phpmyadmin:phpmyadmin:1.2.9.5:::::::* cpe:2.3:a:phpmyadmin:phpmyadmin:1.2.9.4:b:::::: cpe:2.3:a:phpmyadmin:phpmyadmin:1.2.9.4:c:::::: cpe:2.3:a:phpmyadmin:phpmyadmin:1.2.9.3:::::::* cpe:2.3:a:phpmyadmin:phpmyadmin:1.2.9.2:::::::* cpe:2.3:a:phpmyadmin:phpmyadmin:1.2.9.1:::::::* cpe:2.3:a:phpmyadmin:phpmyadmin:1.2.9:::::::* cpe:2.3:a:phpmyadmin:phpmyadmin:1.2.8:::::::* cpe:2.3:a:phpmyadmin:phpmyadmin:1.2.7:::::::* cpe:2.3:a:phpmyadmin:phpmyadmin:1.2.6:::::::* cpe:2.3:a:phpmyadmin:phpmyadmin:1.2.5:::::::* cpe:2.3:a:phpmyadmin:phpmyadmin:1.2.4:::::::* cpe:2.3:a:phpmyadmin:phpmyadmin:1.2.3:::::::* cpe:2.3:a:phpmyadmin:phpmyadmin:1.2.2:::::::* cpe:2.3:a:phpmyadmin:phpmyadmin:1.2.1:::::::* cpe:2.3:a:phpmyadmin:phpmyadmin:1.2.0:::::::* cpe:2.3:a:phpmyadmin:phpmyadmin:1.2:::::::* cpe:2.3:a:phpmyadmin:phpmyadmin:1.1.0:::::::* cpe:2.3:a:phpmyadmin:phpmyadmin:1.1:::::::* cpe:2.3:a:phpmyadmin:phpmyadmin:1.0.8:::::::* cpe:2.3:a:phpmyadmin:phpmyadmin:1.0.7:::::::* cpe:2.3:a:phpmyadmin:phpmyadmin:1.0.6:a:::::: cpe:2.3:a:phpmyadmin:phpmyadmin:1.0.6:::::::* cpe:2.3:a:phpmyadmin:phpmyadmin:1.0.5:::::::* cpe:2.3:a:phpmyadmin:phpmyadmin:1.0.4:::::::* cpe:2.3:a:phpmyadmin:phpmyadmin:1.0.3:::::::* cpe:2.3:a:phpmyadmin:phpmyadmin:1.0.2:::::::* cpe:2.3:a:phpmyadmin:phpmyadmin:1.0.1:::::::* cpe:2.3:a:phpmyadmin:phpmyadmin:1.0.0:::::::* cpe:2.3:a:phpmyadmin:phpmyadmin:0.9.0:::::::* cpe:2.3:a:phpmyadmin:phpmyadmin::::::::	195
Os	Debian Debian Linux cpe:2.3:o:debian:debian_linux:4.0:::::::* cpe:2.3:o:debian:debian_linux:3.1:::::::*	2

OpenVAS Exploits

Date	Description
2009-03-21	Name : phpMyAdmin DB_Create.PHP Multiple Input Validation Vulnerabilities File : nvt/phpmyadmin_cve_2007_5976.nasl
2009-03-21	Name : phpMyAdmin Multiple Input Validation Vulnerabilities File : nvt/phpmyadmin_cve_2006_6942.nasl
2009-03-20	Name : Gentoo Security Advisory GLSA 200903-32 (phpmyadmin) File : nvt/glsa_200903_32.nasl
2009-03-02	Name : Mandrake Security Advisory MDVSA-2009:026-1 (phpMyAdmin) File : nvt/mdksa_2009_026_1.nasl
2009-02-27	Name : Fedora Update for phpMyAdmin FEDORA-2007-3627 File : nvt/gb_fedora_2007_3627_phpMyAdmin_fc7.nasl
2009-02-27	Name : Fedora Update for phpMyAdmin FEDORA-2007-3636 File : nvt/gb_fedora_2007_3636_phpMyAdmin_fc8.nasl
2009-02-27	Name : Fedora Update for phpMyAdmin FEDORA-2007-3639 File : nvt/gb_fedora_2007_3639_phpMyAdmin_fc8.nasl
2009-02-27	Name : Fedora Update for phpMyAdmin FEDORA-2007-3666 File : nvt/gb_fedora_2007_3666_phpMyAdmin_fc7.nasl
2009-02-17	Name : Fedora Update for phpMyAdmin FEDORA-2008-9336 File : nvt/gb_fedora_2008_9336_phpMyAdmin_fc8.nasl
2009-02-17	Name : Fedora Update for phpMyAdmin FEDORA-2008-9316 File : nvt/gb_fedora_2008_9316_phpMyAdmin_fc9.nasl
2009-02-17	Name : Fedora Update for phpMyAdmin FEDORA-2008-8335 File : nvt/gb_fedora_2008_8335_phpMyAdmin_fc9.nasl
2009-02-17	Name : Fedora Update for phpMyAdmin FEDORA-2008-8370 File : nvt/gb_fedora_2008_8370_phpMyAdmin_fc9.nasl
2009-02-02	Name : SuSE Security Summary SUSE-SR:2009:003 File : nvt/suse_sr_2009_003.nasl
2009-01-26	Name : Mandrake Security Advisory MDVSA-2009:026 (phpMyAdmin) File : nvt/mdksa_2009_026.nasl
2008-12-23	Name : FreeBSD Ports: phpMyAdmin211 File : nvt/freebsd_phpMyAdmin211.nasl
2008-12-23	Name : phpMyAdmin Multiple CSRF SQL Injection Vulnerabilities File : nvt/gb_phpmyadmin_mult_xsrf_vuln.nasl
2008-11-19	Name : FreeBSD Ports: phpMyAdmin File : nvt/freebsd_phpMyAdmin17.nasl
2008-10-31	Name : phpMyAdmin pmd_pdf.php Cross Site Scripting Vulnerability File : nvt/gb_phpmyadmin_pmd_pdf_xss_vuln.nasl
2008-10-03	Name : phpMyAdmin 'server_databases.php' Remote Command Execution Vulnerability File : nvt/secpod_phpmyadmin_remote_command_exe_vuln_900130.nasl
2008-09-24	Name : FreeBSD Ports: phpMyAdmin File : nvt/freebsd_phpMyAdmin16.nasl
2008-09-24	Name : Debian Security Advisory DSA 1641-1 (phpmyadmin) File : nvt/deb_1641_1.nasl
2008-09-04	Name : FreeBSD Ports: phpMyAdmin File : nvt/freebsd_phpMyAdmin12.nasl
2008-01-17	Name : Debian Security Advisory DSA 1370-2 (phpmyadmin) File : nvt/deb_1370_2.nasl
2008-01-17	Name : Debian Security Advisory DSA 1370-1 (phpmyadmin) File : nvt/deb_1370_1.nasl

Open Source Vulnerability Database (OSVDB)

Id	Description
58824	PhpMyAdmin sql.php pos Parameter XSS PhpMyAdmin contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate 'pos' parameters upon submission to the 'sql.php' script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.
58823	PhpMyAdmin querywindow.php Multiple Parameter XSS PhpMyAdmin contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate 'query_history_latest', 'query_history_latest_db', and 'querydisplay_tab' parameters upon submission to the 'querywindow.php' script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.
58822	PhpMyAdmin db_operations.php Multiple Parameter XSS PhpMyAdmin contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate 'newname' and table name comment parameters upon submission to the 'db_operations.php' script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.
58821	PhpMyAdmin db_create.php db Parameter XSS PhpMyAdmin contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate 'db' parameters upon submission to the 'db_create.php' script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.
51237	phpMyAdmin table Parameter Unspecified CSRF
50634	phpMyAdmin tbl_structure.php table Parameter CSRF
49692	TYPO3 phpMyAdmin Extension pmd_pdf.php db Parameter XSS TYPO3 phpMyAdmin Extension contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the db variable upon submission to the pmd_pdf.php script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.
49437	phpMyAdmin pmd_pdf.php db Parameter XSS
48154	phpMyAdmin server_databases.php sort_by Variable Arbitrary PHP Code Execution
38714	phpMyAdmin db_create.php db Parameter XSS phpMyAdmin contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the 'db' variable upon submission to the 'db_create.php' script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

Nessus® Vulnerability Scanner

Date	Description
2009-07-21	Name : The remote openSUSE host is missing a security update. File : suse_11_0_phpMyAdmin-090119.nasl - Type : ACT_GATHER_INFO
2009-03-19	Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-200903-32.nasl - Type : ACT_GATHER_INFO
2009-02-13	Name : The remote Debian host is missing a security-related update. File : debian_DSA-1723.nasl - Type : ACT_GATHER_INFO
2009-01-22	Name : The remote openSUSE host is missing a security update. File : suse_phpMyAdmin-5935.nasl - Type : ACT_GATHER_INFO
2008-12-15	Name : The remote Fedora host is missing a security update. File : fedora_2008-11221.nasl - Type : ACT_GATHER_INFO
2008-12-12	Name : The remote FreeBSD host is missing one or more security-related updates. File : freebsd_pkg_54f72962c7ba11dda7210030843d3802.nasl - Type : ACT_GATHER_INFO
2008-11-03	Name : The remote FreeBSD host is missing one or more security-related updates. File : freebsd_pkg_85b0bbc8a7a511dd8283001c2514716c.nasl - Type : ACT_GATHER_INFO
2008-11-03	Name : The remote Fedora host is missing a security update. File : fedora_2008-9336.nasl - Type : ACT_GATHER_INFO
2008-11-03	Name : The remote Fedora host is missing a security update. File : fedora_2008-9316.nasl - Type : ACT_GATHER_INFO
2008-09-25	Name : The remote Fedora host is missing a security update. File : fedora_2008-8335.nasl - Type : ACT_GATHER_INFO
2008-09-25	Name : The remote Fedora host is missing a security update. File : fedora_2008-8370.nasl - Type : ACT_GATHER_INFO
2008-09-25	Name : The remote Fedora host is missing a security update. File : fedora_2008-8286.nasl - Type : ACT_GATHER_INFO
2008-09-25	Name : The remote Fedora host is missing a security update. File : fedora_2008-8269.nasl - Type : ACT_GATHER_INFO
2008-09-23	Name : The remote Debian host is missing a security-related update. File : debian_DSA-1641.nasl - Type : ACT_GATHER_INFO
2008-09-17	Name : The remote FreeBSD host is missing a security-related update. File : freebsd_pkg_74bf1594849311ddbb640030843d3802.nasl - Type : ACT_GATHER_INFO
2007-11-26	Name : The remote Fedora host is missing a security update. File : fedora_2007-3666.nasl - Type : ACT_GATHER_INFO
2007-11-26	Name : The remote Fedora host is missing a security update. File : fedora_2007-3639.nasl - Type : ACT_GATHER_INFO
2007-11-26	Name : The remote Fedora host is missing a security update. File : fedora_2007-3636.nasl - Type : ACT_GATHER_INFO
2007-11-26	Name : The remote Fedora host is missing a security update. File : fedora_2007-3627.nasl - Type : ACT_GATHER_INFO
2007-11-12	Name : The remote FreeBSD host is missing a security-related update. File : freebsd_pkg_2d2dcbb4906c11dca9510016179b2dd5.nasl - Type : ACT_GATHER_INFO
2007-09-14	Name : The remote Debian host is missing a security-related update. File : debian_DSA-1370.nasl - Type : ACT_GATHER_INFO

Alert History

If you want to see full details history, please login or register.

Date	Informations
2014-02-17 11:36:24	Multiple Updates
2013-05-11 00:45:01	Multiple Updates

Global Informations

Type	Count
CWE ID(s)	5
Oval ID(s)	3
CPE ID(s)	197
osvdb(s)	10
Openvas Exploit(s)	24
Nessus® Exploit(s)	21

	Related
8.5	CVE-2008-4096
6.8	CVE-2006-6942
6	CVE-2008-5621
3.5	CVE-2007-5977
2.6	CVE-2008-4775
0	CVE-2008-5622
Info : listing not affected by your CVSS Env Score

Same Subject	Severity
Login to view 6 more Alert(s)