Detections
Analytics

Debian DSA-1207-2 : phpmyadmin - several vulnerabilities

medium Nessus Plugin ID 23656

Synopsis

The remote Debian host is missing a security-related update.

Description

The phpmyadmin update in DSA 1207 introduced a regression. This update corrects this flaw. For completeness, please find below the original advisory text :

 Several remote vulnerabilities have been discovered in phpMyAdmin, a program to administrate MySQL over the web. The Common Vulnerabilities and Exposures project identifies the following problems :

 - CVE-2005-3621 CRLF injection vulnerability allows remote attackers to conduct HTTP response splitting attacks.

 - CVE-2005-3665 Multiple cross-site scripting (XSS) vulnerabilities allow remote attackers to inject arbitrary web script or HTML via the (1) HTTP_HOST variable and (2) various scripts in the libraries directory that handle header generation.

 - CVE-2006-1678 Multiple cross-site scripting (XSS) vulnerabilities allow remote attackers to inject arbitrary web script or HTML via scripts in the themes directory.

 - CVE-2006-2418 A cross-site scripting (XSS) vulnerability allows remote attackers to inject arbitrary web script or HTML via the db parameter of footer.inc.php.

 - CVE-2006-5116 A remote attacker could overwrite internal variables through the _FILES global variable.

Solution

Upgrade the phpmyadmin package.

For the stable distribution (sarge) these problems have been fixed in version 2.6.2-3sarge3.

For the upcoming stable release (etch) and unstable distribution (sid) these problems have been fixed in version 2.9.0.3-1.

See Also

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=339437

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=340438

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=362567

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=368082

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=391090

https://security-tracker.debian.org/tracker/CVE-2005-3621

https://security-tracker.debian.org/tracker/CVE-2005-3665

https://security-tracker.debian.org/tracker/CVE-2006-1678

https://security-tracker.debian.org/tracker/CVE-2006-2418

https://security-tracker.debian.org/tracker/CVE-2006-5116

http://www.debian.org/security/2006/dsa-1207

Plugin Details

Severity: Medium

ID: 23656

File Name: debian_DSA-1207.nasl

Version: 1.14

Type: local

Agent: unix

Published: 11/20/2006

Updated: 1/4/2021

Supported Sensors: Agentless Assessment, Continuous Assessment, Frictionless Assessment Agent, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.2

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

Vulnerability Information

CPE: p-cpe:/a:debian:debian_linux:phpmyadmin, cpe:/o:debian:debian_linux:3.1

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Vulnerability Publication Date: 11/15/2005

Reference Information

CVE: CVE-2005-3621, CVE-2005-3665, CVE-2006-1678, CVE-2006-2418, CVE-2006-5116

DSA: 1207