Executive Summary
Summary | |
---|---|
Title | New phpmyadmin packages fix several vulnerabilities |
Informations | |||
---|---|---|---|
Name | DSA-2034 | First vendor Publication | 2010-04-17 |
Vendor | Debian | Last vendor Modification | 2010-04-17 |
Severity (Vendor) | N/A | Revision | 1 |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
impact SubScore | NA | Temporal Score | NA |
Exploitabality Sub Score | NA | ||
Calculate full CVSS 3.0 Vectors scores |
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:L/Au:N/C:C/I:C/A:C) | |||
---|---|---|---|
Cvss Base Score | 10 | Attack Range | Network |
Cvss Impact Score | 10 | Attack Complexity | Low |
Cvss Expoit Score | 10 | Authentication | None Required |
Calculate full CVSS 2.0 Vectors scores |
Detail
Several vulnerabilities have been discovered in phpMyAdmin, a tool to administer MySQL over the web. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2008-7251 phpMyAdmin may create a temporary directory, if the configured directory does not exist yet, with insecure filesystem permissions. CVE-2008-7252 phpMyAdmin uses predictable filenames for temporary files, which may lead to a local denial of service attack or privilege escalation. CVE-2009-4605 The setup.php script shipped with phpMyAdmin may unserialize untrusted data, allowing for cross site request forgery. For the stable distribution (lenny), these problems have been fixed in version phpmyadmin 2.11.8.1-5+lenny4. For the unstable distribution (sid), these problems have been fixed in version 3.2.4-1. We recommend that you upgrade your phpmyadmin package. |
Original Source
Url : http://www.debian.org/security/2010/dsa-2034 |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
50 % | CWE-310 | Cryptographic Issues |
50 % | CWE-264 | Permissions, Privileges, and Access Controls |
OVAL Definitions
Definition Id: oval:org.mitre.oval:def:13161 | |||
Oval ID: | oval:org.mitre.oval:def:13161 | ||
Title: | DSA-2034-1 phpmyadmin -- several | ||
Description: | Several vulnerabilities have been discovered in phpMyAdmin, a tool to administer MySQL over the web. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2008-7251 phpMyAdmin may create a temporary directory, if the configured directory does not exist yet, with insecure filesystem permissions. CVE-2008-7252 phpMyAdmin uses predictable filenames for temporary files, which may lead to a local denial of service attack or privilege escalation. CVE-2009-4605 The setup.php script shipped with phpMyAdmin may unserialize untrusted data, allowing for cross site request forgery. For the stable distribution, these problems have been fixed in version phpmyadmin 4:2.11.8.1-5+lenny4. For the unstable distribution, these problems have been fixed in version 3.2.4-1. We recommend that you upgrade your phpmyadmin package. | ||
Family: | unix | Class: | patch |
Reference(s): | DSA-2034-1 CVE-2008-7251 CVE-2008-7252 CVE-2009-4605 | Version: | 7 |
Platform(s): | Debian GNU/Linux 5.0 | Product(s): | phpmyadmin |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:7290 | |||
Oval ID: | oval:org.mitre.oval:def:7290 | ||
Title: | DSA-2034 phpmyadmin -- several vulnerabilities | ||
Description: | Several vulnerabilities have been discovered in phpMyAdmin, a tool to administer MySQL over the web. The Common Vulnerabilities and Exposures project identifies the following problems: phpMyAdmin may create a temporary directory, if the configured directory does not exist yet, with insecure filesystem permissions. phpMyAdmin uses predictable filenames for temporary files, which may lead to a local denial of service attack or privilege escalation. The setup.php script shipped with phpMyAdmin may unserialize untrusted data, allowing for cross site request forgery. | ||
Family: | unix | Class: | patch |
Reference(s): | DSA-2034 CVE-2008-7251 CVE-2008-7252 CVE-2009-4605 | Version: | 7 |
Platform(s): | Debian GNU/Linux 5.0 | Product(s): | phpmyadmin |
Definition Synopsis: | |||
CPE : Common Platform Enumeration
OpenVAS Exploits
Date | Description |
---|---|
2012-02-12 | Name : Gentoo Security Advisory GLSA 201201-01 (phpMyAdmin) File : nvt/glsa_201201_01.nasl |
2010-05-04 | Name : Debian Security Advisory DSA 2034-1 (phpmyadmin) File : nvt/deb_2034_1.nasl |
2010-04-20 | Name : phpMyAdmin 'unserialize()' Remote Code Execution Vulnerability File : nvt/gb_phpmyadmin_37861.nasl |
2010-01-18 | Name : phpMyAdmin Insecure Temporary File and Directory Creation Vulnerabilities File : nvt/phpmyadmin_37826.nasl |
Open Source Vulnerability Database (OSVDB)
Id | Description |
---|---|
61861 | phpMyAdmin scripts/setup.php unserialize Function Multiple Parameter CSRF |
61860 | phpMyAdmin libraries/File.class.php Temporary File Predictible Filename Weakn... |
61859 | phpMyAdmin libraries/File.class.php Temporary Directory Permission Weakness U... |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2012-01-05 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-201201-01.nasl - Type : ACT_GATHER_INFO |
2010-04-19 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-2034.nasl - Type : ACT_GATHER_INFO |
2010-01-27 | Name : The remote web server contains a PHP application that may allow execution of ... File : phpmyadmin_pmasa_2010_3.nasl - Type : ACT_GATHER_INFO |
2010-01-18 | Name : The remote openSUSE host is missing a security update. File : suse_11_0_phpMyAdmin-091209.nasl - Type : ACT_GATHER_INFO |
Alert History
Date | Informations |
---|---|
2014-02-17 11:29:23 |
|