Executive Summary
This Alert is flagged as TOP 25 Common Weakness Enumeration from CWE/SANS. For more information, you can read this.
| Informations | |||
|---|---|---|---|
| Name | CVE-2010-3056 | First vendor Publication | 2010-08-24 |
| Vendor | Cve | Last vendor Modification | 2011-01-28 |
Security-Database Scoring CVSS v3
| Cvss vector : N/A | |||
|---|---|---|---|
| Overall CVSS Score | NA | ||
| Base Score | NA | Environmental Score | NA |
| impact SubScore | NA | Temporal Score | NA |
| Exploitabality Sub Score | NA | ||
| Calculate full CVSS 3.0 Vectors scores | |||
Security-Database Scoring CVSS v2
| Cvss vector : (AV:N/AC:M/Au:N/C:N/I:P/A:N) | |||
|---|---|---|---|
| Cvss Base Score | 4.3 | Attack Range | Network |
| Cvss Impact Score | 2.9 | Attack Complexity | Medium |
| Cvss Expoit Score | 8.6 | Authentication | None Required |
| Calculate full CVSS 2.0 Vectors scores | |||
Detail
| Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 2.11.x before 2.11.10.1 and 3.x before 3.3.5.1 allow remote attackers to inject arbitrary web script or HTML via vectors related to (1) db_search.php, (2) db_sql.php, (3) db_structure.php, (4) js/messages.php, (5) libraries/common.lib.php, (6) libraries/database_interface.lib.php, (7) libraries/dbi/mysql.dbi.lib.php, (8) libraries/dbi/mysqli.dbi.lib.php, (9) libraries/db_info.inc.php, (10) libraries/sanitizing.lib.php, (11) libraries/sqlparser.lib.php, (12) server_databases.php, (13) server_privileges.php, (14) setup/config.php, (15) sql.php, (16) tbl_replace.php, and (17) tbl_sql.php. |
Original Source
| Url : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3056 |
CWE : Common Weakness Enumeration
| % | Id | Name |
|---|---|---|
| 100 % | CWE-79 | Failure to Preserve Web Page Structure ('Cross-site Scripting') (CWE/SANS Top 25) |
OVAL Definitions
| Definition Id: oval:org.mitre.oval:def:12436 | |||
| Oval ID: | oval:org.mitre.oval:def:12436 | ||
| Title: | DSA-2097-2 phpmyadmin -- insufficient input sanitising | ||
| Description: | The update in DSA 2097 for phpMyAdmin did not correctly apply the intended changes, thereby not completely addressing the vulnerabilities. Updated packages now fix the issues described in the original advisory text below. Several remote vulnerabilities have been discovered in phpMyAdmin, a tool to administer MySQL over the web. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2010-3055 The configuration setup script does not properly sanitise its output file, which allows remote attackers to execute arbitrary PHP code via a crafted POST request. In Debian, the setup tool is protected through Apache HTTP basic authentication by default. CVE-2010-3056 Various cross site scripting issues have been discovered that allow a remote attacker to inject arbitrary web script or HTML. For the stable distribution, these problems have been fixed in version 4:2.11.8.1-5+lenny6. For the testing and unstable distribution, these problems have been fixed in version 3.3.5.1-1. We recommend that you upgrade your phpmyadmin package. | ||
| Family: | unix | Class: | patch |
| Reference(s): | DSA-2097-2 CVE-2010-3055 CVE-2010-3056 | Version: | 7 |
| Platform(s): | Debian GNU/Linux 5.0 | Product(s): | phpmyadmin |
| Definition Synopsis: | |||
| Definition Id: oval:org.mitre.oval:def:12807 | |||
| Oval ID: | oval:org.mitre.oval:def:12807 | ||
| Title: | DSA-2097-1 phpmyadmin -- insufficient input sanitising | ||
| Description: | Several remote vulnerabilities have been discovered in phpMyAdmin, a tool to administer MySQL over the web. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2010-3055 The configuration setup script does not properly sanitise its output file, which allows remote attackers to execute arbitrary PHP code via a crafted POST request. In Debian, the setup tool is protected through Apache HTTP basic authentication by default. CVE-2010-3056 Various cross site scripting issues have been discovered that allow a remote attacker to inject arbitrary web script or HTML. For the stable distribution, these problems have been fixed in version 4:2.11.8.1-5+lenny5. For the testing and unstable distribution, these problems have been fixed in version 3.3.5.1-1. We recommend that you upgrade your phpmyadmin package. | ||
| Family: | unix | Class: | patch |
| Reference(s): | DSA-2097-1 CVE-2010-3055 CVE-2010-3056 | Version: | 7 |
| Platform(s): | Debian GNU/Linux 5.0 | Product(s): | phpmyadmin |
| Definition Synopsis: | |||
CPE : Common Platform Enumeration
OpenVAS Exploits
| Date | Description |
|---|---|
| 2012-02-12 | Name : Gentoo Security Advisory GLSA 201201-01 (phpMyAdmin) File : nvt/glsa_201201_01.nasl |
| 2010-12-02 | Name : Fedora Update for phpMyAdmin FEDORA-2010-13402 File : nvt/gb_fedora_2010_13402_phpMyAdmin_fc14.nasl |
| 2010-10-10 | Name : Debian Security Advisory DSA 2097-1 (phpmyadmin) File : nvt/deb_2097_1.nasl |
| 2010-10-10 | Name : Debian Security Advisory DSA 2097-2 (phpmyadmin) File : nvt/deb_2097_2.nasl |
| 2010-10-10 | Name : FreeBSD Ports: phpMyAdmin File : nvt/freebsd_phpMyAdmin21.nasl |
| 2010-09-07 | Name : Mandriva Update for phpmyadmin MDVSA-2010:164 (phpmyadmin) File : nvt/gb_mandriva_MDVSA_2010_164.nasl |
| 2010-08-30 | Name : phpMyAdmin Multiple Cross Site Scripting Vulnerabilities File : nvt/gb_phpmyadmin_42584.nasl |
| 2010-08-24 | Name : Fedora Update for phpMyAdmin FEDORA-2010-13249 File : nvt/gb_fedora_2010_13249_phpMyAdmin_fc13.nasl |
| 2010-08-24 | Name : Fedora Update for phpMyAdmin FEDORA-2010-13258 File : nvt/gb_fedora_2010_13258_phpMyAdmin_fc12.nasl |
Open Source Vulnerability Database (OSVDB)
| Id | Description |
|---|---|
| 67491 | phpMyAdmin libraries/sqlparser.lib.php Unspecified Parameter XSS |
| 67490 | phpMyAdmin libraries/sanitizing.lib.php Unspecified Parameter XSS |
| 67489 | phpMyAdmin libraries/db_info.inc.php Unspecified Parameter XSS |
| 67488 | phpMyAdmin libraries/dbi/mysqli.dbi.lib.php Unspecified Parameter XSS |
| 67487 | phpMyAdmin libraries/dbi/mysql.dbi.lib.php Unspecified Parameter XSS |
| 67486 | phpMyAdmin libraries/database_interface.lib.php Unspecified Parameter XSS |
| 67485 | phpMyAdmin libraries/common.lib.php Unspecified Parameter XSS |
| 67343 | phpMyAdmin Extension for TYPO3 Multiple Unspecified XSS |
| 67325 | phpMyAdmin tbl_sql.php Unspecified Parameter XSS phpMyAdmin contains a flaw that allows a remote cross site scripting (XSS) attack. This flaw exists because the application does not validate an unspecified parameter upon submission to the 'tbl_sql.php' script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server. |
| 67324 | phpMyAdmin tbl_replace.php fields[multi_edit][] Parameter XSS phpMyAdmin contains a flaw that allows a remote cross site scripting (XSS) attack. This flaw exists because the application does not validate the fields[multi_edit][]' parameter upon submission to the 'tbl_replace.php' script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server. |
| 67323 | phpMyAdmin sql.php Multiple Parameter XSS phpMyAdmin contains a flaw that allows a remote cross site scripting (XSS) attack. This flaw exists because the application does not validate the 'cpurge', 'goto', 'purge', 'purgekey', 'table', and 'zero_rows' parameters upon submission to the 'sql.php' script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server. |
| 67322 | phpMyAdmin setup/config.php DefaultLang Parameter XSS phpMyAdmin contains a flaw that allows a remote cross site scripting (XSS) attack. This flaw exists because the application does not validate the 'DefaultLang' parameter upon submission to the 'setup/config.php' script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server. |
| 67321 | phpMyAdmin server_privileges.php Multiple Parameter XSS phpMyAdmin contains a flaw that allows a remote cross site scripting (XSS) attack. This flaw exists because the application does not validate the 'checkprivs', 'dbname', 'pred_tablename', 'selected_usr[]', 'tablename', and 'username' upon submission to the 'server_privileges.php' script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server. |
| 67320 | phpMyAdmin server_databases.php sort_by Parameter XSS phpMyAdmin contains a flaw that allows a remote cross site scripting (XSS) attack. This flaw exists because the application does not validate the 'sort_by' parameter upon submission to the 'server_databases.php' script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server. |
| 67319 | phpMyAdmin js/messages.php db Parameter XSS phpMyAdmin contains a flaw that allows a remote cross site scripting (XSS) attack. This flaw exists because the application does not validate the 'db' parameter upon submission to the 'js/messages.php' script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server. |
| 67318 | phpMyAdmin db_structure.php sort Parameter XSS phpMyAdmin contains a flaw that allows a remote cross site scripting (XSS) attack. This flaw exists because the application does not validate the 'sort' parameter upon submission to the 'db_structure.php' script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server. |
| 67317 | phpMyAdmin db_sql.php delimiter Parameter XSS phpMyAdmin contains a flaw that allows a remote cross site scripting (XSS) attack. This flaw exists because the application does not validate the 'delimiter' parameter upon submission to the 'db_sql.php' script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server. |
| 67316 | phpMyAdmin db_search.php field_str Parameter XSS phpMyAdmin contains a flaw that allows a remote cross site scripting (XSS) attack. This flaw exists because the application does not validate the 'field_str' parameter upon submission to the 'db_search.php' script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server. |
Nessus® Vulnerability Scanner
| Date | Description |
|---|---|
| 2012-01-05 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-201201-01.nasl - Type : ACT_GATHER_INFO |
| 2010-08-30 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-2097.nasl - Type : ACT_GATHER_INFO |
| 2010-08-24 | Name : The remote Fedora host is missing a security update. File : fedora_2010-13402.nasl - Type : ACT_GATHER_INFO |
| 2010-08-23 | Name : The remote Fedora host is missing a security update. File : fedora_2010-13249.nasl - Type : ACT_GATHER_INFO |
| 2010-08-23 | Name : The remote Fedora host is missing a security update. File : fedora_2010-13258.nasl - Type : ACT_GATHER_INFO |
| 2010-08-23 | Name : The remote FreeBSD host is missing one or more security-related updates. File : freebsd_pkg_274922b8ad2011dfaf1f00e0814cab4e.nasl - Type : ACT_GATHER_INFO |
Sources (Detail)
Alert History
| Date | Informations |
|---|---|
| 2021-05-04 12:12:05 |
|
| 2021-04-22 01:12:32 |
|
| 2020-05-23 00:26:18 |
|
| 2016-04-26 20:01:46 |
|
| 2014-02-17 10:56:55 |
|
| 2013-05-10 23:30:39 |
|
