Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin before 2.6.4-pl3 allow remote attackers to inject arbitrary web script or HTML via certain arguments to (1) left.php, (2) queryframe.php, or (3) server_databases.php.

Several cross-site scripting vulnerabilities have been discovered in phpmyadmin, a set of PHP-scripts to administrate MySQL over the WWW.
The Common Vulnerabilities and Exposures project identifies the following problems :

  - CAN-2005-2869     Andreas Kerber and Michal Cihar discovered several     cross-site scripting vulnerabilities in the error page     and in the cookie login.

  - CVE-2005-3300     Stefan Esser discovered missing safety checks in     grab_globals.php that could allow an attacker to induce     phpmyadmin to include an arbitrary local file.

  - CVE-2005-3301     Tobias Klein discovered several cross-site scripting     vulnerabilities that could allow attackers to inject     arbitrary HTML or client-side scripting.

The version in the old stable distribution (woody) has probably its own flaws and is not easily fixable without a full audit and patch session. The easier way is to upgrade it from woody to sarge.

The remote host is running a version of Mac OS X 10.4 that is older than version 10.4.8.  Mac OS X 10.4.8 contains several security fixes for the following programs :
 - CFNetwork
 - Flash Player
 - ImageIO
 - Kernel
 - LoginWindow
 - Preferences
 - QuickDraw Manager
 - SASL
 - WebCore
 - Workgroup Manager

The remote host is affected by the vulnerability described in GLSA-200510-21 (phpMyAdmin: Local file inclusion and XSS vulnerabilities)

    Stefan Esser discovered that by calling certain PHP files directly, it     was possible to workaround the grab_globals.lib.php security model and     overwrite the $cfg configuration array. Systems running PHP in safe     mode are not affected. Futhermore, Tobias Klein reported several     cross-site-scripting issues resulting from insufficient user input     sanitizing.
  Impact :

    A local attacker may exploit this vulnerability by sending malicious     requests, causing the execution of arbitrary code with the rights of     the user running the web server. Furthermore, the cross-site scripting     issues give a remote attacker the ability to inject and execute     malicious script code or to steal cookie-based authentication     credentials, potentially compromising the victim's browser.
  Workaround :

    There is no known workaround for all those issues at this time.

The version of phpMyAdmin installed on the remote host is affected by a local file inclusion vulnerability that can be exploited by an unauthenticated attacker to read arbitrary files, and possibly even to execute arbitrary PHP code on the affected host subject to the permissions of the web server user id.

In addition, the application fails to sanitize user-supplied input to the 'hash' parameter in the 'left.php' and 'queryframe.php' scripts as well as the 'sort_order' and 'sort_by' parameters in the 'server_databases.php' script before using it to generate dynamic HTML, which can lead to cross-site scripting attacks against the affected application.

Versions of phpMyAdmin prior to 2.6.4-pl3 contain a flaw that allows attackers to read arbitrary files because of its failure to sanitize the parameter 'usesubform' before using it in several scripts.

ID	Name	Product	Family	Severity
22746	Debian DSA-880-1 : phpmyadmin - several vulnerabilities	Nessus	Debian Local Security Checks	medium
3757	Mac OS X < 10.4.8 Multiple Vulnerabilities	Nessus Network Monitor	Web Clients	medium
20103	GLSA-200510-21 : phpMyAdmin: Local file inclusion and XSS vulnerabilities	Nessus	Gentoo Local Security Checks	medium
20088	phpMyAdmin < 2.6.4-pl3 Multiple Vulnerabilities	Nessus	CGI abuses	medium
3252	phpMyAdmin < 2.6.4-pl3 'usesubform' Parameter Remote File Inclusion	Nessus Network Monitor	CGI	medium

Detections

Analytics

CVE-2005-3301

medium

Tenable Plugins

medium

medium

medium

medium

medium