CVE-2008-5621

Published: 17/12/2008 Updated: 29/09/2017
CVSS v2 Base Score: 6 | Impact Score: 6.4 | Exploitability Score: 6.8
VMScore: 605
Vector: AV:N/AC:M/Au:S/C:P/I:P/A:P

Vulnerability Summary

Cross-site request forgery (CSRF) vulnerability in phpMyAdmin 2.11.x prior to 2.11.9.4 and 3.x prior to 3.1.1.0 allows remote malicious users to perform unauthorized actions as the administrator via a link or IMG tag to tbl_structure.php with a modified table parameter. NOTE: other unspecified pages are also reachable, but they have the same root cause. NOTE: this can be leveraged to conduct SQL injection attacks and execute arbitrary code.

Vulnerable Products

phpmyadmin phpmyadmin 2.11.1.0

phpmyadmin phpmyadmin 2.11.1.1

phpmyadmin phpmyadmin 2.11.3.0

phpmyadmin phpmyadmin 2.11.4.0

phpmyadmin phpmyadmin 2.11.9.0

phpmyadmin phpmyadmin 2.11.9.1

phpmyadmin phpmyadmin 2.11.0

phpmyadmin phpmyadmin 2.11.2.0

phpmyadmin phpmyadmin 2.11.2.1

phpmyadmin phpmyadmin 2.11.6.0

phpmyadmin phpmyadmin 2.11.7

phpmyadmin phpmyadmin 3.1.0.0

phpmyadmin phpmyadmin 3.0.1

phpmyadmin phpmyadmin 2.11.1.2

phpmyadmin phpmyadmin 2.11.2

phpmyadmin phpmyadmin 2.11.5.0

phpmyadmin phpmyadmin 2.11.5.1

phpmyadmin phpmyadmin 2.11.5.2

phpmyadmin phpmyadmin 2.11.9.2

phpmyadmin phpmyadmin 2.11.9.3

phpmyadmin phpmyadmin 2.11.0.0

phpmyadmin phpmyadmin 2.11.1

phpmyadmin phpmyadmin 2.11.2.2

phpmyadmin phpmyadmin 2.11.3

phpmyadmin phpmyadmin 2.11.7.0

phpmyadmin phpmyadmin 2.11.8

phpmyadmin phpmyadmin 3.0.0

Vendor Advisories

Michael Brooks discovered that phpMyAdmin, a tool to administrate MySQL over the web, performs insufficient input sanitising, allowing a user-assisted remote attacker to execute code on the webserver. For the stable distribution (etch), this problem has been fixed in version 2911-10. For the testing distribution (lenny) and unstable distribution ...

Exploits

Written by Michael Brooks. Special Thanks to str0ke and rGod. Intro: phpMyAdmin is by far the most popular PHP project. Between phpmyadmin and the xampp project there are more than 34+ million downloads from sourceforge.net. This exploit was released alongside XSRF attacks against XAMPP and Simple Directory Listing, effectively breaking the ...