Bugtraq mailing list archives
[ GLSA 200906-03 ] phpMyAdmin: Multiple vulnerabilities
From: Alex Legler <a3li () gentoo org>
Date: Tue, 30 Jun 2009 00:39:40 +0200
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 200906-03 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - http://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: High Title: phpMyAdmin: Multiple vulnerabilities Date: June 29, 2009 Bugs: #263711 ID: 200906-03 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======== Multiple errors in phpMyAdmin might allow the remote execution of arbitrary code or a Cross-Site Scripting attack. Background ========== phpMyAdmin is a web-based management tool for MySQL databases. Affected packages ================= ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 dev-db/phpmyadmin < 2.11.9.5 >= 2.11.9.5 Description =========== Multiple vulnerabilities have been reported in phpMyAdmin: * Greg Ose discovered that the setup script does not sanitize input properly, leading to the injection of arbitrary PHP code into the configuration file (CVE-2009-1151). * Manuel Lopez Gallego and Santiago Rodriguez Collazo reported that data from cookies used in the "Export" page is not properly sanitized (CVE-2009-1150). Impact ====== A remote unauthorized attacker could exploit the first vulnerability to execute arbitrary code with the privileges of the user running phpMyAdmin and conduct Cross-Site Scripting attacks using the second vulnerability. Workaround ========== Removing the "scripts/setup.php" file protects you from CVE-2009-1151. Resolution ========== All phpMyAdmin users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=dev-db/phpmyadmin-2.11.9.5" References ========== [ 1 ] CVE-2009-1150 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1150 [ 2 ] CVE-2009-1151 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1151 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-200906-03.xml Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users machines is of utmost importance to us. Any security concerns should be addressed to security () gentoo org or alternatively, you may file a bug at http://bugs.gentoo.org. License ======= Copyright 2009 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5
Attachment:
signature.asc
Description: This is a digitally signed message part
Current thread:
- [ GLSA 200906-03 ] phpMyAdmin: Multiple vulnerabilities Alex Legler (Jun 30)