[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-disclosure] [ GLSA 201201-01 ] phpMyAdmin: Multiple vulnerabilities
- To: full-disclosure@xxxxxxxxxxxxxxxxx
- Subject: Re: [Full-disclosure] [ GLSA 201201-01 ] phpMyAdmin: Multiple vulnerabilities
- From: Ingo Schmitt <ingo.schmitt@xxxxxxxxxxxxxxxxx>
- Date: Fri, 06 Jan 2012 13:11:56 +0100
Hi, does an attacker need to be logged on with an valid account to PMA
in order to explode this issues?
Thx,
Ingo
On 01/05/12 00:53, Tim Sammut wrote:
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
> Gentoo Linux Security Advisory GLSA 201201-01
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
> http://security.gentoo.org/
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
>
> Severity: High
> Title: phpMyAdmin: Multiple vulnerabilities
> Date: January 04, 2012
> Bugs: #302745, #335490, #336462, #354227, #373951, #376369,
> #387413, #389427, #395715
> ID: 201201-01
>
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
>
> Synopsis
> ========
>
> Multiple vulnerabilities were found in phpMyAdmin, the most severe of
> which allows the execution of arbitrary PHP code.
>
> Background
> ==========
>
> phpMyAdmin is a web-based management tool for MySQL databases.
>
> Affected packages
> =================
>
> -------------------------------------------------------------------
> Package / Vulnerable / Unaffected
> -------------------------------------------------------------------
> 1 dev-db/phpmyadmin < 3.4.9 >= 3.4.9
>
> Description
> ===========
>
> Multiple vulnerabilities have been discovered in phpMyAdmin. Please
> review the CVE identifiers and phpMyAdmin Security Advisories
> referenced below for details.
>
> Impact
> ======
>
> Remote attackers might be able to insert and execute PHP code, include
> and execute local PHP files, or perform Cross-Site Scripting (XSS)
> attacks via various vectors.
>
> Workaround
> ==========
>
> There is no known workaround at this time.
>
> Resolution
> ==========
>
> All phpMyAdmin users should upgrade to the latest version:
>
> # emerge --sync
> # emerge --ask --oneshot --verbose ">=dev-db/phpmyadmin-3.4.9"
>
> References
> ==========
>
> [ 1 ] CVE-2008-7251
> http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-7251
> [ 2 ] CVE-2008-7252
> http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-7252
> [ 3 ] CVE-2010-2958
> http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2958
> [ 4 ] CVE-2010-3055
> http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3055
> [ 5 ] CVE-2010-3056
> http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3056
> [ 6 ] CVE-2010-3263
> http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3263
> [ 7 ] CVE-2011-0986
> http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0986
> [ 8 ] CVE-2011-0987
> http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0987
> [ 9 ] CVE-2011-2505
> http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2505
> [ 10 ] CVE-2011-2506
> http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2506
> [ 11 ] CVE-2011-2507
> http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2507
> [ 12 ] CVE-2011-2508
> http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2508
> [ 13 ] CVE-2011-2642
> http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2642
> [ 14 ] CVE-2011-2643
> http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2643
> [ 15 ] CVE-2011-2718
> http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2718
> [ 16 ] CVE-2011-2719
> http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2719
> [ 17 ] CVE-2011-3646
> http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3646
> [ 18 ] CVE-2011-4064
> http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4064
> [ 19 ] CVE-2011-4107
> http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4107
> [ 20 ] CVE-2011-4634
> http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4634
> [ 21 ] CVE-2011-4780
> http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4780
> [ 22 ] CVE-2011-4782
> http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4782
> [ 23 ] PMASA-2010-1
> http://www.phpmyadmin.net/home_page/security/PMASA-2010-1.php
> [ 24 ] PMASA-2010-2
> http://www.phpmyadmin.net/home_page/security/PMASA-2010-2.php
> [ 25 ] PMASA-2010-4
> http://www.phpmyadmin.net/home_page/security/PMASA-2010-4.php
> [ 26 ] PMASA-2010-5
> http://www.phpmyadmin.net/home_page/security/PMASA-2010-5.php
> [ 27 ] PMASA-2010-6
> http://www.phpmyadmin.net/home_page/security/PMASA-2010-6.php
> [ 28 ] PMASA-2010-7
> http://www.phpmyadmin.net/home_page/security/PMASA-2010-7.php
> [ 29 ] PMASA-2011-1
> http://www.phpmyadmin.net/home_page/security/PMASA-2011-1.php
> [ 30 ] PMASA-2011-10
> http://www.phpmyadmin.net/home_page/security/PMASA-2011-10.php
> [ 31 ] PMASA-2011-11
> http://www.phpmyadmin.net/home_page/security/PMASA-2011-11.php
> [ 32 ] PMASA-2011-12
> http://www.phpmyadmin.net/home_page/security/PMASA-2011-12.php
> [ 33 ] PMASA-2011-15
> http://www.phpmyadmin.net/home_page/security/PMASA-2011-15.php
> [ 34 ] PMASA-2011-16
> http://www.phpmyadmin.net/home_page/security/PMASA-2011-16.php
> [ 35 ] PMASA-2011-17
> http://www.phpmyadmin.net/home_page/security/PMASA-2011-17.php
> [ 36 ] PMASA-2011-18
> http://www.phpmyadmin.net/home_page/security/PMASA-2011-18.php
> [ 37 ] PMASA-2011-19
> http://www.phpmyadmin.net/home_page/security/PMASA-2011-19.php
> [ 38 ] PMASA-2011-2
> http://www.phpmyadmin.net/home_page/security/PMASA-2011-2.php
> [ 39 ] PMASA-2011-20
> http://www.phpmyadmin.net/home_page/security/PMASA-2011-20.php
> [ 40 ] PMASA-2011-5
> http://www.phpmyadmin.net/home_page/security/PMASA-2011-5.php
> [ 41 ] PMASA-2011-6
> http://www.phpmyadmin.net/home_page/security/PMASA-2011-6.php
> [ 42 ] PMASA-2011-7
> http://www.phpmyadmin.net/home_page/security/PMASA-2011-7.php
> [ 43 ] PMASA-2011-8
> http://www.phpmyadmin.net/home_page/security/PMASA-2011-8.php
> [ 44 ] PMASA-2011-9
> http://www.phpmyadmin.net/home_page/security/PMASA-2011-9.php
>
> Availability
> ============
>
> This GLSA and any updates to it are available for viewing at
> the Gentoo Security Website:
>
> http://security.gentoo.org/glsa/glsa-201201-01.xml
>
> Concerns?
> =========
>
> Security is a primary focus of Gentoo Linux and ensuring the
> confidentiality and security of our users' machines is of utmost
> importance to us. Any security concerns should be addressed to
> security@xxxxxxxxxx or alternatively, you may file a bug at
> https://bugs.gentoo.org.
>
> License
> =======
>
> Copyright 2012 Gentoo Foundation, Inc; referenced text
> belongs to its owner(s).
>
> The contents of this document are licensed under the
> Creative Commons - Attribution / Share Alike license.
>
> http://creativecommons.org/licenses/by-sa/2.5
>
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/