Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

DSA-1824-1 phpmyadmin -- several vulnerabilities

Related Vulnerabilities: CVE-2009-1150   CVE-2009-1151  

Several remote vulnerabilities have been discovered in phpMyAdmin, a tool to administer MySQL over the web. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2009-1150 Cross site scripting vulnerability in the export page allow for an attacker that can place crafted cookies with the user to inject arbitrary web script or HTML. CVE-2009-1151 Static code injection allows for a remote attacker to inject arbitrary code into phpMyAdmin via the setup.php script. This script is in Debian under normal circumstances protected via Apache authentication. However, because of a recent worm based on this exploit, we are patching it regardless, to also protect installations that somehow still expose the setup.php script. For the old stable distribution (etch), these problems have been fixed in version 2.9.1.1-11. For the stable distribution (lenny), these problems have been fixed in version 2.11.8.1-5+lenny1. For the unstable distribution (sid), these problems have been fixed in version 3.1.3.1-1. We recommend that you upgrade your phpmyadmin package.

Source

Debian Security Advisory

DSA-1824-1 phpmyadmin -- several vulnerabilities

Date Reported:
25 Jun 2009
Affected Packages:
phpmyadmin
Vulnerable:
Yes
Security database references:
In Mitre's CVE dictionary: CVE-2009-1150, CVE-2009-1151.
More information:

Several remote vulnerabilities have been discovered in phpMyAdmin, a tool to administer MySQL over the web. The Common Vulnerabilities and Exposures project identifies the following problems:

  • CVE-2009-1150

    Cross site scripting vulnerability in the export page allow for an attacker that can place crafted cookies with the user to inject arbitrary web script or HTML.

  • CVE-2009-1151

    Static code injection allows for a remote attacker to inject arbitrary code into phpMyAdmin via the setup.php script. This script is in Debian under normal circumstances protected via Apache authentication. However, because of a recent worm based on this exploit, we are patching it regardless, to also protect installations that somehow still expose the setup.php script.

For the old stable distribution (etch), these problems have been fixed in version 2.9.1.1-11.

For the stable distribution (lenny), these problems have been fixed in version 2.11.8.1-5+lenny1.

For the unstable distribution (sid), these problems have been fixed in version 3.1.3.1-1.

We recommend that you upgrade your phpmyadmin package.

Fixed in:

Debian GNU/Linux 4.0 (etch)

Source:
http://security.debian.org/pool/updates/main/p/phpmyadmin/phpmyadmin_2.9.1.1-11.diff.gz
http://security.debian.org/pool/updates/main/p/phpmyadmin/phpmyadmin_2.9.1.1.orig.tar.gz
http://security.debian.org/pool/updates/main/p/phpmyadmin/phpmyadmin_2.9.1.1-11.dsc
Architecture-independent component:
http://security.debian.org/pool/updates/main/p/phpmyadmin/phpmyadmin_2.9.1.1-11_all.deb

Debian GNU/Linux 5.0 (lenny)

Source:
http://security.debian.org/pool/updates/main/p/phpmyadmin/phpmyadmin_2.11.8.1.orig.tar.gz
http://security.debian.org/pool/updates/main/p/phpmyadmin/phpmyadmin_2.11.8.1-5+lenny1.diff.gz
http://security.debian.org/pool/updates/main/p/phpmyadmin/phpmyadmin_2.11.8.1-5+lenny1.dsc
Architecture-independent component:
http://security.debian.org/pool/updates/main/p/phpmyadmin/phpmyadmin_2.11.8.1-5+lenny1_all.deb

MD5 checksums of the listed files are available in the original advisory.

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started