
phpMyAdmin 3.5.x < 3.5.8.1 / 4.x < 4.0.0-rc3 Multiple Vulnerabilities

Medium

Synopsis

The remote web server contains a PHP application that is affected by multiple vulnerabilities.

Description

Versions of phpMyAdmin 3.5.x prior to 3.5.8.1, or 4.x prior to 4.0.0-rc3, are affected by multiple vulnerabilities:

- A flaw exists in the 'preg_replace' method, which fails to properly sanitize its arguments; this can be used for arbitrary code execution. (CVE-2013-3238)
- A security weakness exists in the way locally saved databases are handled. The 'filename_template' parameter can be used to create a file with a double extension. (CVE-2013-3239)
- A flaw exists where the 'what' parameter is not correctly validated, allowing a local file inclusion. This flaw reportedly affects phpMyAdmin 4.x only. (CVE-2013-3240)
- A flaw exists in the 'export.php' script that allows global variables to be overwritten, leading to an unauthorized access vulnerability. This flaw reportedly affects phpMyAdmin 4.x only. (CVE-2013-3241)

Solution

Either upgrade to phpMyAdmin 3.5.8.1 / 4.0.0-rc3 or later, or apply the patches from the referenced link.
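As an added example (not part of the advisory or of phpMyAdmin itself), the version-range check a scanner would need for this advisory: it parses phpMyAdmin version strings including pre-release tags, so that 4.0.0-rc2 is ranked below the fixed 4.0.0-rc3 while a final 4.0.0 is ranked above it, and reports which of the four CVEs apply, honouring the note that CVE-2013-3240 and CVE-2013-3241 reportedly affect 4.x only. Function names and the assumed alpha/beta/rc ordering are this example's own.

```python
import re

# Pre-release ordering assumed for phpMyAdmin tags: alpha < beta < rc < final.
_PRE_RANK = {"alpha": 0, "beta": 1, "rc": 2}
_FINAL_RANK = 3

def parse_version(ver):
    """Turn '4.0.0-rc3' into a sortable tuple (numbers..., pre_rank, pre_num).

    Numeric parts are padded to four fields so 3.5.8 sorts as 3.5.8.0, and a
    final release ranks above every pre-release of the same numbers.
    """
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:-(alpha|beta|rc)(\d*))?", ver.strip())
    if not m:
        raise ValueError(f"unrecognised phpMyAdmin version: {ver!r}")
    nums = [int(x) for x in m.group(1).split(".")]
    nums += [0] * (4 - len(nums))
    if m.group(2) is None:
        pre = (_FINAL_RANK, 0)
    else:
        pre = (_PRE_RANK[m.group(2)], int(m.group(3) or 0))
    return tuple(nums) + pre

# Fixed versions from the advisory; the fixed version itself is NOT affected.
_FIXED_3_5 = parse_version("3.5.8.1")
_FIXED_4_0 = parse_version("4.0.0-rc3")

def is_affected(ver):
    """True if the version falls in an affected range named by the advisory.

    Only the 3.5.x and 4.x branches are in scope; anything else returns False
    rather than guessing about branches the advisory does not mention.
    """
    key = parse_version(ver)
    if key[:2] == (3, 5):
        return key < _FIXED_3_5
    if key[0] == 4:
        return key < _FIXED_4_0
    return False

def applicable_cves(ver):
    """CVEs from this advisory that apply to the given version."""
    if not is_affected(ver):
        return []
    cves = ["CVE-2013-3238", "CVE-2013-3239"]
    if parse_version(ver)[0] == 4:          # the LFI and globals-overwrite flaws are 4.x only
        cves += ["CVE-2013-3240", "CVE-2013-3241"]
    return cves
```

A banner such as "4.0.0-rc2" therefore yields all four CVEs, "3.5.7" only the first two, and "3.5.8.1" or "4.0.0" none.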