Executive Summary
Informations | |||
---|---|---|---|
Name | MDVSA-2011:026 | First vendor Publication | 2011-02-14 |
Vendor | Mandriva | Last vendor Modification | 2011-02-14 |
Severity (Vendor) | N/A | Revision | N/A |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
impact SubScore | NA | Temporal Score | NA |
Exploitabality Sub Score | NA | ||
Calculate full CVSS 3.0 Vectors scores |
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:L/Au:S/C:P/I:P/A:P) | |||
---|---|---|---|
Cvss Base Score | 6.5 | Attack Range | Network |
Cvss Impact Score | 6.4 | Attack Complexity | Low |
Cvss Expoit Score | 8 | Authentication | Requires single instance |
Calculate full CVSS 2.0 Vectors scores |
Detail
Multiple vulnerabilities were discovered and corrected in phpmyadmin: When the files README, ChangeLog or LICENSE have been removed from their original place (possibly by the distributor), the scripts used to display these files can show their full path, leading to possible further attacks (CVE-2011-0986). It was possible to create a bookmark which would be executed unintentionally by other users (CVE-2011-0987). The updated packages have been upgraded to the latest versions to mitigate these issues. |
Original Source
Url : http://www.mandriva.com/security/advisories?name=MDVSA-2011:026 |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
100 % | CWE-20 | Improper Input Validation |
OVAL Definitions
Definition Id: oval:org.mitre.oval:def:12399 | |||
Oval ID: | oval:org.mitre.oval:def:12399 | ||
Title: | DSA-2167-1 phpmyadmin -- sql injection | ||
Description: | It was discovered that phpMyAdmin, a a tool to administer MySQL over the web, when the bookmarks feature is enabled, allowed to create a bookmarked query which would be executed unintentionally by other users. | ||
Family: | unix | Class: | patch |
Reference(s): | DSA-2167-1 CVE-2011-0987 | Version: | 5 |
Platform(s): | Debian GNU/Linux 5.0 Debian GNU/Linux 6.0 Debian GNU/kFreeBSD 6.0 | Product(s): | phpmyadmin |
Definition Synopsis: | |||
|
CPE : Common Platform Enumeration
OpenVAS Exploits
Date | Description |
---|---|
2012-02-12 | Name : Gentoo Security Advisory GLSA 201201-01 (phpMyAdmin) File : nvt/glsa_201201_01.nasl |
2011-03-07 | Name : Debian Security Advisory DSA 2167-1 (phpmyadmin) File : nvt/deb_2167_1.nasl |
2011-02-28 | Name : Fedora Update for phpMyAdmin FEDORA-2011-1373 File : nvt/gb_fedora_2011_1373_phpMyAdmin_fc13.nasl |
2011-02-28 | Name : Fedora Update for phpMyAdmin FEDORA-2011-1408 File : nvt/gb_fedora_2011_1408_phpMyAdmin_fc14.nasl |
2011-02-16 | Name : Mandriva Update for phpmyadmin MDVSA-2011:026 (phpmyadmin) File : nvt/gb_mandriva_MDVSA_2011_026.nasl |
2011-02-15 | Name : phpMyAdmin Bookmark Security Bypass Vulnerability File : nvt/gb_phpmyadmin_46359.nasl |
Open Source Vulnerability Database (OSVDB)
Id | Description |
---|---|
72915 | phpMyAdmin Multiple Nonexistent File Direct Request Installation Path Disclosure phpMyAdmin contains a flaw that may lead to an unauthorized information disclosure. Â The issue is triggered when a direct request to nonexistent README, ChangeLog, or LICENSE files occurs, which will disclose the installation path to a remote attacker. |
70962 | phpMyAdmin SQL Query Bookmarks Arbitrary SQL Query Execution phpMyAdmin contains a flaw related to the 'PMA_Bookmark_get' function in 'libraries/bookmark.lib.php' failing to properly restrict bookmark queries. This makes it easier for a remote authenticated attacker to cause another user to execute bookmarked SQL queries. |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2012-05-23 | Name : The remote web server hosts a PHP application that could be abused to execute... File : phpmyadmin_pmasa_2011_2.nasl - Type : ACT_GATHER_INFO |
2012-01-05 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-201201-01.nasl - Type : ACT_GATHER_INFO |
2011-03-03 | Name : The remote Fedora host is missing a security update. File : fedora_2011-1282.nasl - Type : ACT_GATHER_INFO |
2011-03-01 | Name : The remote Fedora host is missing a security update. File : fedora_2011-1373.nasl - Type : ACT_GATHER_INFO |
2011-03-01 | Name : The remote Fedora host is missing a security update. File : fedora_2011-1408.nasl - Type : ACT_GATHER_INFO |
2011-02-20 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-2167.nasl - Type : ACT_GATHER_INFO |