phpMyAdmin Code Injection and Information Disclosure Vulnerabilities


Description   Multiple vulnerabilities have been identified in phpMyAdmin, which could be exploited by attackers to bypass restrictions, disclose sensitive information or compromise a vulnerable web server. These issues are caused by input validation errors related to PHP session superglobals, Swekey authentication, setup script, regular expression quoting in Synchronize code, and MIME-type transformation, which could allow session manipulation, directory traversal, or code injection attacks.
     
Vulnerable Products   Vulnerable Software:
phpMyAdmin versions prior to 3.3.10.2phpMyAdmin versions prior to 3.4.3.1
     
Solution   Upgrade to phpMyAdmin version 3.3.10.2 or 3.4.3.1 : http://www.phpmyadmin.net/home_page/downloads.php
     
CVE   CVE-2011-2508
CVE-2011-2507
CVE-2011-2506
CVE-2011-2505
     
References   http://www.phpmyadmin.net/home_page/security/PMASA-2011-5.php
http://www.phpmyadmin.net/home_page/security/PMASA-2011-6.php
http://www.phpmyadmin.net/home_page/security/PMASA-2011-7.php
http://www.phpmyadmin.net/home_page/security/PMASA-2011-8.php
     
Vulnerability Manager Detection   No
     
IPS Protection  
ASQ Engine alarm Available Since
Escaped NULL char in URL
3.2.0
     


 
 
 
 
 Risk level 
High 

 Vulnerability First Public Report Date 
2011-07-04 

 Target Type 
Server 

 Possible exploit 
Local & Remote