phpMyAdmin < 2.9.1-rc1 Multiple Vulnerabilities

Medium

Synopsis

The remote web server contains a PHP application that is affected by multiple vulnerabilities.

Description

Versions of phpMyAdmin prior to 2.9.1-rc1 are affected by the following vulnerabilities:

- A series of cross-site request forgery (CSRF) flaws that allow remote attackers to perform unauthorized actions as another user. Specifically, this flaw affects the files 'libraries/common.lib.php', 'session.inc.php', and 'url_generating.lib.php' and is leveraged by (1) directly setting a token in the URL through dynamic variable evaluation and (2) unsetting arbitrary variables via the '_REQUEST' array. (CVE-2006-5116)

- Insufficient access control in the phpMyAdmin libraries directory under the web root. Exploiting this flaw would allow a remote attacker to obtain sensitive information via direct requests for certain files. (CVE-2006-5117)
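The following PHP is an added illustration of the weakness classes listed above; it is not phpMyAdmin's own code and does not reproduce the affected files. It models, in constructed form, the two CSRF weaknesses (a token overwritten through dynamic variable evaluation, and stored variables unset by request keys) next to a hardened token check, and a direct-access guard of the kind a library file can carry. The names `$request`, `$session`, the `token` parameter and the `APP_ENTRY_POINT` constant are assumptions made for this example.

```php
<?php
declare(strict_types=1);

// Added illustration, not phpMyAdmin's own code. Names ($request, $session,
// 'token', APP_ENTRY_POINT) are assumptions for this example.

// Weak pattern (1): dynamic variable evaluation. Every request key becomes a
// local variable, so ?token=... in the URL replaces the server-side token and
// a later comparison checks the client's value against itself.
function weakTokenAfterDynamicEval(array $request): string
{
    $token = 'server-side-token';   // should only ever come from the session
    foreach ($request as $key => $value) {
        $$key = $value;             // a 'token' request key overwrites $token
    }
    return $token;
}

// Weak pattern (2): unsetting variables named by the request. Meant to undo
// register_globals, it lets the client erase arbitrary server-side state.
function weakUnsetFromRequest(array $request, array &$state): void
{
    foreach (array_keys($request) as $key) {
        unset($state[$key]);        // ?csrf_token=x removes the stored token
    }
}

// Hardened: the token lives only in the session, is generated with a CSPRNG
// and is compared in constant time. Nothing in the request defines or
// removes it.
function csrfTokenFromSession(array &$session): string
{
    if (empty($session['csrf_token']) || !is_string($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

function csrfTokenIsValid(array $session, array $request): bool
{
    if (!isset($session['csrf_token'], $request['token'])) {
        return false;
    }
    if (!is_string($request['token'])) {
        return false;               // ?token[]=x must never reach hash_equals()
    }
    return hash_equals($session['csrf_token'], $request['token']);
}

// Hardened: a library file can refuse to run unless the application's entry
// script defined APP_ENTRY_POINT before including it, so a direct request for
// the file (the second issue above) returns nothing.
function libraryGuard(): bool
{
    return defined('APP_ENTRY_POINT');
}

if (PHP_SAPI === 'cli') {
    $session = [];
    $legit = csrfTokenFromSession($session);

    // Constructed cross-site request carrying a client-chosen token.
    $forged = ['token' => 'client-chosen', 'action' => 'drop'];

    // Weak pattern (1): the request rewrote $token, so a naive check passes.
    var_dump(weakTokenAfterDynamicEval($forged) === $forged['token']);

    // Weak pattern (2): the request removed the stored token from $state.
    $state = ['csrf_token' => $legit];
    weakUnsetFromRequest(['csrf_token' => '1'], $state);
    var_dump(isset($state['csrf_token']));

    // Hardened check: only a request carrying the session token passes.
    var_dump(csrfTokenIsValid($session, $forged));
    var_dump(csrfTokenIsValid($session, ['token' => $legit]));

    // Library guard: false here because no entry script defined the constant.
    var_dump(libraryGuard());
}
```

Run it with `php` from the command line: the first `var_dump` shows the dynamic-evaluation pattern accepting the client-supplied token, the second shows the stored token being unset, and the hardened check rejects the forged request while accepting the session token. The guard returns false because the script was not reached through an entry point that defined the constant, which is the behaviour a directly requested library file should have.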

Solution

Upgrade to version 2.9.1-rc1 or higher.