| VID |
210124 |
| Severity |
30 |
| Port |
80, ... |
| Protocol |
TCP |
| Class |
CGI |
| Detailed Description |
The phpMyAdmin package, according to its version number, has multiple vulnerabilities. The remote host contains a version of phpMyAdmin - 3.3.x less than 3.3.10.1 or 3.4.x less than 3.4.1 - that is affected by multiple vulnerabilities:
- The scripts 'tbl_links.php' and 'tbl-tracking' fail to filter input to the 'table' and 'db' parameters. An attacker may be able to exploit this issue to inject arbitrary HTML and script code into a user's browser, to be executed within the security context of the affected application, resulting in the theft of session cookies and a compromise of a user's account.(Issue #2011-03)
- For versions 3.4.x < 3.4.1, the script 'url.php' fails to validate input to the 'url' parameter before redirecting to a specified location. (Issue #2011-04)
* Note: This check solely relied on the version number of the remote phpMyAdmin software to assess this vulnerability, so this might be a false positive.
* References:
http://www.phpmyadmin.net/home_page/security/PMASA-2011-3.php
http://www.phpmyadmin.net/home_page/security/PMASA-2011-4.php
* Platforms Affected:
phpMyAdmin prior to 3.3.10.1 or 3.4.1
Any operating system Any version |
| Recommendation |
Upgrade to the latest version of phpMyAdmin (3.4.1/3.3.10.1 or later), available from the phpMyAdmin Download Web page at http://www.phpmyadmin.net/home_page/downloads.php |
| Related URL |
CVE-2011-1940,CVE-2011-1941 (CVE) |
| Related URL |
47945,47943 (SecurityFocus) |
| Related URL |
(ISS) |
|
