Executive Summary



This Alert is flagged as TOP 25 Common Weakness Enumeration from CWE/SANS. For more information, you can read this.
Informations
Name CVE-2009-3697 First vendor Publication 2009-10-16
Vendor Cve Last vendor Modification 2024-11-21

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score NA
Base Score NA Environmental Score NA
impact SubScore NA Temporal Score NA
Exploitabality Sub Score NA
 
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Cvss Base Score 7.5 Attack Range Network
Cvss Impact Score 6.4 Attack Complexity Low
Cvss Expoit Score 10 Authentication None Required
Calculate full CVSS 2.0 Vectors scores

Detail

SQL injection vulnerability in the PDF schema generator functionality in phpMyAdmin 2.11.x before 2.11.9.6 and 3.x before 3.2.2.1 allows remote attackers to execute arbitrary SQL commands via unspecified interface parameters.

Original Source

Url : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3697

CWE : Common Weakness Enumeration

% Id Name
100 % CWE-89 Improper Sanitization of Special Elements used in an SQL Command ('SQL Injection') (CWE/SANS Top 25)

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:13743
 
Oval ID: oval:org.mitre.oval:def:13743
Title: DSA-1918-1 phpmyadmin -- several
Description: Several remote vulnerabilities have been discovered in phpMyAdmin, a tool to administer MySQL over the web. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2009-3696 Cross-site scripting vulnerability allows remote attackers to inject arbitrary web script or HTML via a crafted MySQL table name. CVE-2009-3697 SQL injection vulnerability in the PDF schema generator functionality allows remote attackers to execute arbitrary SQL commands. This issue does not apply to the version in Debian 4.0 Etch. Additionally, extra fortification has been added for the web based setup.php script. Although the shipped web server configuration should ensure that this script is protected, in practice this turned out not always to be the case. The config.inc.php file is not writable anymore by the webserver user anymore. See README.Debian for details on how to enable the setup.php script if and when you need it. For the old stable distribution, these problems have been fixed in version 4:2.9.1.1-13. For the stable distribution, these problems have been fixed in version 4:2.11.8.1-5+lenny3. For the unstable distribution, these problems have been fixed in version 3.2.2.1-1. We recommend that you upgrade your phpmyadmin package.
Family: unix Class: patch
Reference(s): DSA-1918-1
CVE-2009-3696
CVE-2009-3697
 Version: 7
Platform(s): Debian GNU/Linux 5.0
Debian GNU/Linux 4.0
 Product(s): phpmyadmin
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:7924
 
Oval ID: oval:org.mitre.oval:def:7924
Title: DSA-1918 phpmyadmin -- several vulnerabilities
Description: Several remote vulnerabilities have been discovered in phpMyAdmin, a tool to administer MySQL over the web. The Common Vulnerabilities and Exposures project identifies the following problems: Cross-site scripting (XSS) vulnerability allows remote attackers to inject arbitrary web script or HTML via a crafted MySQL table name. SQL injection vulnerability in the PDF schema generator functionality allows remote attackers to execute arbitrary SQL commands. This issue does not apply to the version in Debian 4.0 Etch. Additionally, extra fortification has been added for the web based setup.php script. Although the shipped web server configuration should ensure that this script is protected, in practice this turned out not always to be the case. The config.inc.php file is not writable anymore by the webserver user. See README.Debian for details on how to enable the setup.php script if and when you need it.
Family: unix Class: patch
Reference(s): DSA-1918
CVE-2009-3696
CVE-2009-3697
 Version: 3
Platform(s): Debian GNU/Linux 5.0
Debian GNU/Linux 4.0
 Product(s): phpmyadmin
Definition Synopsis:

CPE : Common Platform Enumeration

TypeDescriptionCount
Application 69

OpenVAS Exploits

Date Description
2009-10-27 Name : Debian Security Advisory DSA 1918-1 (phpmyadmin)
File : nvt/deb_1918_1.nasl
2009-10-27 Name : SuSE Security Summary SUSE-SR:2009:017
File : nvt/suse_sr_2009_017.nasl
2009-10-19 Name : FreeBSD Ports: phpMyAdmin
File : nvt/freebsd_phpMyAdmin20.nasl
2009-10-19 Name : Mandrake Security Advisory MDVSA-2009:274 (phpmyadmin)
File : nvt/mdksa_2009_274.nasl

Open Source Vulnerability Database (OSVDB)

Id Description
59046 phpMyAdmin PDF Schema Generator Functionality Unspecified SQL Injection

Nessus® Vulnerability Scanner

Date Description
2010-02-24 Name : The remote Debian host is missing a security-related update.
File : debian_DSA-1918.nasl - Type : ACT_GATHER_INFO
2009-10-30 Name : The remote openSUSE host is missing a security update.
File : suse_phpMyAdmin-6570.nasl - Type : ACT_GATHER_INFO
2009-10-23 Name : The remote openSUSE host is missing a security update.
File : suse_11_0_phpMyAdmin-091016.nasl - Type : ACT_GATHER_INFO
2009-10-16 Name : The remote Fedora host is missing a security update.
File : fedora_2009-10510.nasl - Type : ACT_GATHER_INFO
2009-10-16 Name : The remote Fedora host is missing a security update.
File : fedora_2009-10530.nasl - Type : ACT_GATHER_INFO
2009-10-15 Name : The remote FreeBSD host is missing one or more security-related updates.
File : freebsd_pkg_4769914eb84411deb1590030843d3802.nasl - Type : ACT_GATHER_INFO

Sources (Detail)

http://bugs.gentoo.org/show_bug.cgi?id=288899
http://dfn.dl.sourceforge.net/project/phpmyadmin/phpMyAdmin/2.11.9.6/phpMyAdm...
http://dfn.dl.sourceforge.net/project/phpmyadmin/phpMyAdmin/3.2.2.1/phpMyAdmi...
http://freshmeat.net/projects/phpmyadmin/releases/306667
http://freshmeat.net/projects/phpmyadmin/releases/306669
http://lists.opensuse.org/opensuse-security-announce/2009-10/msg00004.html
http://marc.info/?l=oss-security&m=125553728512853&w=2
http://marc.info/?l=oss-security&m=125561979001460&w=2
http://secunia.com/advisories/37016
http://typo3.org/extensions/repository/view/phpmyadmin/4.5.0/
http://typo3.org/teams/security/security-bulletins/typo3-sa-2009-015/
http://www.mandriva.com/security/advisories?name=MDVSA-2009:274
http://www.phpmyadmin.net/home_page/security/PMASA-2009-6.php
http://www.securityfocus.com/bid/36658
http://www.vupen.com/english/advisories/2009/2899
https://bugzilla.redhat.com/show_bug.cgi?id=528769
https://exchange.xforce.ibmcloud.com/vulnerabilities/53741
https://www.redhat.com/archives/fedora-package-announce/2009-October/msg00467...
https://www.redhat.com/archives/fedora-package-announce/2009-October/msg00490...
Source Url

Alert History

If you want to see full details history, please login or register.
0
1
2
3
4
5
6
7
8
Date Informations
2024-11-28 23:10:11
  • Multiple Updates
2024-11-28 12:20:02
  • Multiple Updates
2021-05-04 12:10:21
  • Multiple Updates
2021-04-22 01:10:47
  • Multiple Updates
2020-05-23 00:24:28
  • Multiple Updates
2017-08-17 09:22:45
  • Multiple Updates
2016-04-26 19:12:30
  • Multiple Updates
2014-02-17 10:52:03
  • Multiple Updates
2013-05-10 23:59:37
  • Multiple Updates