VID |
22670 |
Severity |
30 |
Port |
80, ... |
Protocol |
TCP |
Class |
CGI |
Detailed Description |
The phpMyAdmin package, according to its version number, has multiple vulnerabilities. The remote host contains a version of phpMyAdmin (3.3.x earlier than 3.3.10.2, or 3.4.x earlier than 3.4.3.1) that is affected by multiple vulnerabilities:
- An error in the file 'libraries/auth/swekey/swekey.auth.lib.php' allows an attacker to modify the 'SESSION' superglobal array. (CVE-2011-2505)
- The file 'setup/lib/ConfigGenerator.class.php' does not properly handle PHP comment-closing delimiters. This can allow an attacker to inject static code via a modified 'SESSION' superglobal array. (CVE-2011-2506)
- The file 'libraries/server_synchronize.lib.php' does not properly call the 'preg_replace' function. This can allow an attacker to execute arbitrary code via a modified 'SESSION' superglobal array. (CVE-2011-2507)
- A local file inclusion error exists in the 'PMA_displayTableBody' function in the file 'libraries/display_tbl.lib.php' that can allow an attacker to obtain sensitive information or execute code in files already present on the host. (CVE-2011-2508)
* Note: This check relied solely on the version number of the remote phpMyAdmin software to assess this vulnerability, so this might be a false positive.
* References:
  http://www.phpmyadmin.net/home_page/security/PMASA-2011-5.php
  http://www.phpmyadmin.net/home_page/security/PMASA-2011-6.php
  http://www.phpmyadmin.net/home_page/security/PMASA-2011-7.php
  http://www.phpmyadmin.net/home_page/security/PMASA-2011-8.php
* Platforms Affected: phpMyAdmin prior to 3.3.10.2; phpMyAdmin prior to 3.4.3.1; Any operating system, any version |
Recommendation |
Upgrade to the latest version of phpMyAdmin (3.3.10.2 or 3.4.3.1 or later), available from the phpMyAdmin Download Web page at http://www.phpmyadmin.net/home_page/downloads.php |
Related URL |
CVE-2011-2505, CVE-2011-2506, CVE-2011-2507, CVE-2011-2508 (CVE) |
Related URL |
48563 (SecurityFocus) |
|