FreeBSD : phpmyadmin -- insufficient output sanitizing when generating configuration file (1a0e4cc6-29bf-11de-bdeb-0030843d3802)

High Nessus Plugin ID 36167


The remote FreeBSD host is missing a security-related update.


phpMyAdmin Team reports :

The setup script used to generate the configuration can be fooled, using a crafted POST request, into including arbitrary PHP code in the generated configuration file. Combined with the ability to save files on the server, this can allow unauthenticated users to execute arbitrary PHP code.
This issue is on different parameters than PMASA-2009-3, and it was missed by our radar because it did not exist in the 2.11.x branch.


Update the affected package.

Plugin Details

Severity: High

ID: 36167

File Name: freebsd_pkg_1a0e4cc629bf11debdeb0030843d3802.nasl

Version: $Revision: 1.12 $

Type: local

Published: 2009/04/16

Modified: 2015/10/23

Dependencies: 12634

Risk Information

Risk Factor: High


Base Score: 7.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Information

CPE: p-cpe:/a:freebsd:freebsd:phpMyAdmin, cpe:/o:freebsd:freebsd

Required KB Items: Host/local_checks_enabled, Host/FreeBSD/release, Host/FreeBSD/pkg_info

Patch Publication Date: 2009/04/15

Vulnerability Publication Date: 2009/04/14

Reference Information

CVE: CVE-2009-1285

TRA: TRA-2009-02

CWE: 94