Mandriva Linux Security Advisory : phpmyadmin (MDVSA-2013:203)

medium Nessus Plugin ID 69154

Synopsis

The remote Mandriva Linux host is missing a security update.

Description

Multiple vulnerabilities have been discovered and corrected in phpmyadmin:

- XSS due to unescaped HTML Output when executing a SQL query (CVE-2013-4995).

- Five XSS vulnerabilities in setup, chart display, process list, and logo link. If a crafted version.json were presented, an XSS could be introduced (CVE-2013-4996, CVE-2013-4997).

- Full path disclosure vulnerabilities (CVE-2013-4998, CVE-2013-5000).

- Self-XSS due to unescaped HTML output in schema export (CVE-2013-5002).

- SQL injection vulnerabilities, producing a privilege escalation (control user) (CVE-2013-5003).

This upgrade provides the latest phpmyadmin version (3.5.8.2) to address these vulnerabilities.

Solution

Update the affected phpmyadmin package.

See Also

http://advisories.mageia.org/MGASA-2013-0238.html

http://www.phpmyadmin.net/home_page/security/PMASA-2013-11.php

http://www.phpmyadmin.net/home_page/security/PMASA-2013-12.php

http://www.phpmyadmin.net/home_page/security/PMASA-2013-14.php

http://www.phpmyadmin.net/home_page/security/PMASA-2013-15.php

http://www.phpmyadmin.net/home_page/security/PMASA-2013-8.php

http://www.phpmyadmin.net/home_page/security/PMASA-2013-9.php

Plugin Details

Severity: Medium

ID: 69154

File Name: mandriva_MDVSA-2013-203.nasl

Version: 1.7

Type: local

Published: 7/31/2013

Updated: 1/6/2021

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: Medium

Base Score: 6.5

Temporal Score: 5.4

Vector: CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P

Vulnerability Information

CPE: p-cpe:/a:mandriva:linux:phpmyadmin, cpe:/o:mandriva:business_server:1

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/Mandrake/release, Host/Mandrake/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 7/30/2013

Reference Information

CVE: CVE-2013-4995, CVE-2013-4996, CVE-2013-4997, CVE-2013-4998, CVE-2013-5000, CVE-2013-5002, CVE-2013-5003

BID: 61493, 61510, 61513, 61515, 61516

MDVSA: 2013:203