Debian DSA-2286-1 : phpmyadmin - several vulnerabilities

high Nessus Plugin ID 55708

Synopsis

The remote Debian host is missing a security-related update.

Description

Several vulnerabilities were discovered in phpMyAdmin, a tool to administrate MySQL over the web. The Common Vulnerabilities and Exposures project identifies the following problems :

- CVE-2011-2505 Possible session manipulation in Swekey authentication.

- CVE-2011-2506 Possible code injection in setup script, in case session variables are compromised.

- CVE-2011-2507 Regular expression quoting issue in Synchronize code.

- CVE-2011-2508 Possible directory traversal in MIME-type transformation.

- CVE-2011-2642 Cross site scripting in table Print view when the attacker can create crafted table names.

- No CVE name yet

Possible superglobal and local variables manipulation in Swekey authentication. (PMASA-2011-12)

The oldstable distribution (lenny) is only affected by CVE-2011-2642, which has been fixed in version 2.11.8.1-5+lenny9.

Solution

Upgrade the phpmyadmin packages.

For the stable distribution (squeeze), these problems have been fixed in version 3.3.7-6.

See Also

https://security-tracker.debian.org/tracker/CVE-2011-2508

https://security-tracker.debian.org/tracker/CVE-2011-2642

https://packages.debian.org/source/squeeze/phpmyadmin

https://www.debian.org/security/2011/dsa-2286

https://security-tracker.debian.org/tracker/CVE-2011-2505

https://security-tracker.debian.org/tracker/CVE-2011-2506

https://security-tracker.debian.org/tracker/CVE-2011-2507

Plugin Details

Severity: High

ID: 55708

File Name: debian_DSA-2286.nasl

Version: 1.16

Type: local

Agent: unix

Published: 7/28/2011

Updated: 1/11/2021

Supported Sensors: Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Nessus

Risk Information

VPR

Risk Factor: High

Score: 7.4

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 5.9

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Information

CPE: p-cpe:/a:debian:debian_linux:phpmyadmin, cpe:/o:debian:debian_linux:6.0

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 7/26/2011

Vulnerability Publication Date: 7/14/2011

Exploitable With

Elliot (Phpmyadmin 3.x RCE)

Reference Information

CVE: CVE-2011-2505, CVE-2011-2506, CVE-2011-2507, CVE-2011-2508, CVE-2011-2642

BID: 48563, 48874

DSA: 2286