phpMyAdmin Content Spoofing Vulnerability Fixed by 4.4.15.1 and 4.5.1


Description   A vulnerability was reported in phpMyAdmin. A remote attacker could exploit it by enticing their victim into following a specially crafted URL in order to redirect them to an arbitrary website.

This vulnerability is located in the "url" parameter of the "url.php" page.

The phpMyAdmin packages provided by FreeBSD are vulnerable.
     
Vulnerable Products   Vulnerable OS:
- Fedora (Red Hat) - 21, 22, 23
- FreeBSD (FreeBSD) - All
- GNU/Linux (Debian) - 7, 8
- openSUSE (SUSE) - 13.1, 13.2
Vulnerable Software:
- phpMyAdmin (phpMyAdmin) - 4.4.x, 4.5
     
Solution   Fixed php-udan11-sql-parser and phpMyAdmin packages for Fedora 21 and 23 are available.
     
CVE   CVE-2015-7873
     
References   - PMASA-2015-5 : Content spoofing vulnerability when redirecting user to an external site
https://www.phpmyadmin.net/security/PMASA-2015-5/
- VuXML : phpMyAdmin -- Content spoofing vulnerability
http://www.vuxml.org/freebsd/08d11134-79c5-11e5-8987-6805ca0b3d42.html
- DSA 3382-1 : phpmyadmin security update
https://lists.debian.org/debian-security-announce/2015/msg00281.html
- FEDORA-2015-17908 : Fedora 22 Update: phpMyAdmin-4.5.1-1.fc22
https://lists.fedoraproject.org/pipermail/package-announce/2015-October/169987.html
- FEDORA-2015-17908 : Fedora 22 Update: php-udan11-sql-parser-3.0.4-1.fc22
https://lists.fedoraproject.org/pipermail/package-announce/2015-October/169986.html
- openSUSE-SU-2015:1929-1 : Security update for phpMyAdmin
http://lists.opensuse.org/opensuse-updates/2015-11/msg00044.html
- FEDORA-2015-287 : Fedora 23 Update: phpMyAdmin-4.5.1-1.fc23
http://lists.fedoraproject.org/pipermail/package-announce/2015-November/171311.html
- FEDORA-2015-287 : Fedora 23 Update: php-udan11-sql-parser-3.0.4-1.fc23
http://lists.fedoraproject.org/pipermail/package-announce/2015-November/171310.html
- FEDORA-2015-5 : Fedora 21 Update: php-udan11-sql-parser-3.0.4-1.fc21
http://lists.fedoraproject.org/pipermail/package-announce/2015-November/171326.html
- FEDORA-2015-5 : Fedora 21 Update: phpMyAdmin-4.5.1-1.fc21
http://lists.fedoraproject.org/pipermail/package-announce/2015-November/171327.html
     
Vulnerability Manager Detection   No
     
IPS Protection   ASQ Engine alarm: Site with open redirect
Available Since: 4.0.0
     


 
 
 
 
Risk level   Low

Vulnerability First Public Report Date   2015-10-23

Target Type   Server

Possible exploit   Remote