Detections
Analytics
phpMyAdmin < 3.3.10.1 / 3.4.1 Multiple Vulnerabilities (PMASA-2011-03 - PMASA-2011-04
medium Nessus Plugin ID 55023
Language:
Synopsis
The remote web server contains a PHP application that is affected by multiple vulnerabilities.Description
The remote host contains a version of phpMyAdmin - 3.3.x less than 3.3.10.1 or 3.4.x less than 3.4.1 - that is affected by multiple vulnerabilities:- The scripts 'tbl_links.php' and 'tbl-tracking' fail to filter input to the 'table' and 'db' parameters. An attacker may be able to exploit this issue to inject arbitrary HTML and script code into a user's browser, to be executed within the security context of the affected application, resulting in the theft of session cookies and a compromise of a user's account.
(Issue #2011-03)
- For versions 3.4.x < 3.4.1, the script 'url.php' fails to validate input to the 'url' parameter before redirecting to a specified location. (Issue #2011-04)
Solution
Upgrade to phpMyAdmin version 3.3.10.1 / 3.4.1 or later.See Also
Plugin Details
Severity: Medium
ID: 55023
File Name: phpmyadmin_pmasa_2011_3.nasl
Version: 1.11
Type: remote
Family: CGI abuses
Published: 6/9/2011
Updated: 4/11/2022
Configuration: Enable paranoid mode, Enable thorough checks
Supported Sensors: Nessus
Risk Information
VPR
Risk Factor: Low
Score: 3.0
CVSS v2
Risk Factor: Medium
Base Score: 4.3
Temporal Score: 3.2
Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N
Vulnerability Information
CPE: cpe:/a:phpmyadmin:phpmyadmin
Required KB Items: www/PHP, Settings/ParanoidReport, www/phpMyAdmin
Excluded KB Items: Settings/disable_cgi_scanning
Exploit Ease: No exploit is required
Patch Publication Date: 5/22/2011
Vulnerability Publication Date: 5/22/2011
Reference Information
CVE: CVE-2011-1940, CVE-2011-1941