GLSA-200503-07 : phpMyAdmin: Multiple vulnerabilities

medium Nessus Plugin ID 17263

Synopsis

The remote Gentoo host is missing one or more security-related patches.

Description

The remote host is affected by the vulnerability described in GLSA-200503-07 (phpMyAdmin: Multiple vulnerabilities)

phpMyAdmin contains several security issues:
Maksymilian Arciemowicz has discovered multiple variable injection vulnerabilities that can be exploited through '$cfg' and 'GLOBALS' variables and localized strings It is possible to force phpMyAdmin to disclose information in error messages Failure to correctly escape special characters Impact :

By sending a specially crafted request, an attacker can include and execute arbitrary PHP code or cause path information disclosure.
Furthermore the XSS issue allows an attacker to inject malicious script code, potentially compromising the victim's browser. Lastly the improper escaping of special characters results in unintended privilege settings for MySQL.
Workaround :

There is no known workaround at this time.

Solution

All phpMyAdmin users should upgrade to the latest version:
# emerge --sync # emerge --ask --oneshot --verbose '>=dev-db/phpmyadmin-2.6.1_p2-r1'

Plugin Details

Severity: Medium

ID: 17263

File Name: gentoo_GLSA-200503-07.nasl

Version: 1.18

Type: local

Family: Gentoo Local Security Checks

Published: 3/4/2005

Updated: 1/6/2021

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.8

CVSS v2

Risk Factor: Medium

Base Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

Vulnerability Information

CPE: p-cpe:/a:gentoo:linux:phpmyadmin, cpe:/o:gentoo:linux

Required KB Items: Host/local_checks_enabled, Host/Gentoo/release, Host/Gentoo/qpkg-list

Patch Publication Date: 3/3/2005

Reference Information

CVE: CVE-2005-0543, CVE-2005-0544, CVE-2005-0653

GLSA: 200503-07

Detections

Analytics