Debian DSA-1403-1 : phpmyadmin - missing input sanitising

medium Nessus Plugin ID 27842

Synopsis

The remote Debian host is missing a security-related update.

Description

Omer Singer of the DigiTrust Group discovered several vulnerabilities in phpMyAdmin, an application to administrate MySQL over the WWW. The Common Vulnerabilities and Exposures project identifies the following problems:

- CVE-2007-5589 phpMyAdmin allows a remote attacker to inject arbitrary web script or HTML in the context of a logged-in user's session (cross-site scripting).

- CVE-2007-5386 phpMyAdmin, when accessed by a browser that does not URL-encode requests, allows remote attackers to inject arbitrary web script or HTML via the query string.

Solution

Upgrade the phpmyadmin package.

For the old stable distribution (sarge) this problem has been fixed in version 4:2.6.2-3sarge6.

For the stable distribution (etch) this problem has been fixed in version 4:2.9.1.1-6.

See Also

https://security-tracker.debian.org/tracker/CVE-2007-5589

https://security-tracker.debian.org/tracker/CVE-2007-5386

https://www.debian.org/security/2007/dsa-1403

Plugin Details

Severity: Medium

ID: 27842

File Name: debian_DSA-1403.nasl

Version: 1.18

Type: local

Agent: unix

Published: 11/9/2007

Updated: 1/4/2021

Supported Sensors: Agentless Assessment, Frictionless Assessment Agent, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Low

Score: 3.8

CVSS v2

Risk Factor: Medium

Base Score: 4.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N

Vulnerability Information

CPE: p-cpe:/a:debian:debian_linux:phpmyadmin, cpe:/o:debian:debian_linux:3.1, cpe:/o:debian:debian_linux:4.0

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Patch Publication Date: 11/8/2007

Reference Information

CVE: CVE-2007-5386, CVE-2007-5589

CWE: 79

DSA: 1403