libraries/database_interface.lib.php in phpMyAdmin before 2.11.9.1 allows remote authenticated users to execute arbitrary code via a request to server_databases.php with a sort_by parameter containing PHP sequences, which are processed by create_function.

This is a version upgrade to phpMyAdmin 2.11.9.4 to fix various security bugs. (CVE-2008-2960, CVE-2008-3197, CVE-2008-1149, CVE-2008-1567, CVE-2008-1924, CVE-2008-4096, CVE-2008-4326, CVE-2008-5621, CVE-2008-5622)

The remote host is affected by the vulnerability described in GLSA-200903-32 (phpMyAdmin: Multiple vulnerabilities)

    Multiple vulnerabilities have been reported in phpMyAdmin:
    libraries/database_interface.lib.php in phpMyAdmin allows remote     authenticated users to execute arbitrary code via a request to     server_databases.php with a sort_by parameter containing PHP sequences,     which are processed by create_function (CVE-2008-4096).
    Cross-site scripting (XSS) vulnerability in pmd_pdf.php allows remote     attackers to inject arbitrary web script or HTML via the db parameter,     a different vector than CVE-2006-6942 and CVE-2007-5977     (CVE-2008-4775).
    Cross-site request forgery (CSRF) vulnerability in phpMyAdmin allows     remote authenticated attackers to perform unauthorized actions as the     administrator via a link or IMG tag to tbl_structure.php with a     modified table parameter. NOTE: this can be leveraged to conduct SQL     injection attacks and execute arbitrary code (CVE-2008-5621).
    Multiple cross-site request forgery (CSRF) vulnerabilities in     phpMyAdmin allow remote attackers to conduct SQL injection attacks via     unknown vectors related to the table parameter, a different vector than     CVE-2008-5621 (CVE-2008-5622).
  Impact :

    A remote attacker may execute arbitrary code with the rights of the     webserver, inject and execute SQL with the rights of phpMyAdmin or     conduct XSS attacks against other users.
  Workaround :

    There is no known workaround at this time.

This update by upstream to phpMyAdmin 2.11.9.1 solves a not yet clearly specified code execution vulnerability. - [auth] Links to version number on login screen - [core] PMA does not start if ini_set() is disabled - [bookmarks] Saved queries greater than 1000 chars not displayed - [export] Export type 'replace' does not work - [export] DROP PROCEDURE needs IF EXISTS

  - [export] Numbers in Excel export - [lang] Norwegian     UTF-8 original file remerged - [parser] Undefined     variable seen_from - [security] Code execution     vulnerability

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update by upstream to phpMyAdmin 2.11.9.2 solves a not yet clearly specified XSS in MSIE using NUL byte vulnerability. - [auth] Links to version number on login screen - [core] PMA does not start if ini_set() is disabled

  - [bookmarks] Saved queries greater than 1000 chars not     displayed - [export] Export type 'replace' does not work
    - [export] DROP PROCEDURE needs IF EXISTS

  - [export] Numbers in Excel export - [lang] Norwegian     UTF-8 original file remerged - [parser] Undefined     variable seen_from - [security] Code execution     vulnerability - [security] XSS in MSIE using NUL byte

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Several remote vulnerabilities have been discovered in phpMyAdmin, a tool to administrate MySQL databases over the web. The Common Vulnerabilities and Exposures project identifies the following problems :

  - CVE-2008-4096     Remote authenticated users could execute arbitrary code     on the host running phpMyAdmin through manipulation of a     script parameter.

  - CVE-2008-3457     Cross site scripting through the setup script was     possible in rare circumstances.

  - CVE-2008-3456     Protection has been added against remote websites     loading phpMyAdmin into a frameset.

  - CVE-2008-3197     Cross site request forgery allowed remote attackers to     create a new database, but not perform any other action     on it.

A phpMyAdmin security announcement :

The server_databases.php script was vulnerable to an attack coming from a user who is already logged-on to phpMyAdmin, where he can execute shell code (if the PHP configuration permits commands like exec).

ID	Name	Product	Family	Severity
40107	openSUSE Security Update : phpMyAdmin (phpMyAdmin-442)	Nessus	SuSE Local Security Checks	high
35964	GLSA-200903-32 : phpMyAdmin: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	high
35449	openSUSE 10 Security Update : phpMyAdmin (phpMyAdmin-5935)	Nessus	SuSE Local Security Checks	high
34287	Fedora 9 : phpMyAdmin-2.11.9.1-1.fc9 (2008-8370)	Nessus	Fedora Local Security Checks	high
34285	Fedora 9 : phpMyAdmin-2.11.9.2-1.fc9 (2008-8335)	Nessus	Fedora Local Security Checks	high
34283	Fedora 8 : phpMyAdmin-2.11.9.2-1.fc8 (2008-8286)	Nessus	Fedora Local Security Checks	high
34281	Fedora 8 : phpMyAdmin-2.11.9.1-1.fc8 (2008-8269)	Nessus	Fedora Local Security Checks	high
34254	Debian DSA-1641-1 : phpmyadmin - several vulnerabilities	Nessus	Debian Local Security Checks	high
34228	FreeBSD : phpmyadmin -- Code execution vulnerability (74bf1594-8493-11dd-bb64-0030843d3802)	Nessus	FreeBSD Local Security Checks	high

Detections

Analytics

CVE-2008-4096

high

Tenable Plugins

high

high

high

high

high

high

high

high

high