Unspecified vulnerability in phpMyAdmin before 2.11.5.2, when running on shared hosts, allows remote authenticated users with CREATE table permissions to read arbitrary files via a crafted HTTP POST request, related to use of an undefined UploadDir variable.

This is a version upgrade to phpMyAdmin 2.11.9.4 to fix various security bugs. (CVE-2008-2960, CVE-2008-3197, CVE-2008-1149, CVE-2008-1567, CVE-2008-1924, CVE-2008-4096, CVE-2008-4326, CVE-2008-5621, CVE-2008-5622)

This update of phpMyAdmin fixes the following bugs :

  - CVE-2008-1149: SQL injection, CSRF attacks using crafted     cookies

  - CVE-2008-1567: local users can steal session     information/credentials

  - CVE-2008-1924: in a shared host environment users with     CREAT permissions can read arbitrary files

  - CVE-2008-3456: cross-site framing attack

  - CVE-2008-3457: user-assisted XSS attack

The remote host is affected by the vulnerability described in GLSA-200805-02 (phpMyAdmin: Information disclosure)

    Cezary Tomczak reported that an undefined UploadDir variable exposes an     information disclosure vulnerability when running on shared hosts.
  Impact :

    A remote attacker with CREATE TABLE permissions can exploit this     vulnerability via a specially crafted HTTP POST request in order to     read arbitrary files.
  Workaround :

    There is no known workaround at this time.

A phpMyAdmin security announcement report :

It is possible to read the contents of any file that the web server's user can access. The exact mechanism to achieve this won't be disclosed. If a user can upload on the same host where phpMyAdmin is running a PHP script that can read files with the rights of the web server's user, the current advisory does not describe an additional threat.

Several remote vulnerabilities have been discovered in phpMyAdmin, an application to administrate MySQL over the WWW. The Common Vulnerabilities and Exposures project identifies the following problems :

  - CVE-2008-1924     Attackers with CREATE table permissions were allowed to     read arbitrary files readable by the webserver via a     crafted HTTP POST request.

  - CVE-2008-1567     The PHP session data file stored the username and     password of a logged in user, which in some setups can     be read by a local user.

  - CVE-2008-1149     Cross site scripting and SQL injection were possible by     attackers that had permission to create cookies in the     same cookie domain as phpMyAdmin runs in.

ID	Name	Product	Family	Severity
40107	openSUSE Security Update : phpMyAdmin (phpMyAdmin-442)	Nessus	SuSE Local Security Checks	high
35449	openSUSE 10 Security Update : phpMyAdmin (phpMyAdmin-5935)	Nessus	SuSE Local Security Checks	high
34813	openSUSE 10 Security Update : phpMyAdmin (phpMyAdmin-5781)	Nessus	SuSE Local Security Checks	medium
32150	GLSA-200805-02 : phpMyAdmin: Information disclosure	Nessus	Gentoo Local Security Checks	low
32072	FreeBSD : phpmyadmin -- Shared Host Information Disclosure (fe971a0f-1246-11dd-bab7-0016179b2dd5)	Nessus	FreeBSD Local Security Checks	low
32058	Debian DSA-1557-1 : phpmyadmin - insufficient input sanitising	Nessus	Debian Local Security Checks	medium

Detections

Analytics

CVE-2008-1924

medium

Tenable Plugins

high

high

medium

low

low

medium