phpMyAdmin 4.0.x < 4.0.10.1 / 4.1.x < 4.1.14.2 / 4.2.x < 4.2.6 Multiple Vulnerabilities (PMASA-2014-4 through PMASA-2014-7)
Medium Nessus Network Monitor Plugin ID 8377
Synopsis
The remote web server contains a PHP application that is affected by multiple vulnerabilities.
Description
Versions of phpMyAdmin earlier than 4.0.10.1, 4.1.14.2, or 4.2.6 (depending on the branch) are unpatched for the following vulnerabilities:
- The 'TABLE_COMMENT' parameter input is not being validated in the script 'libraries/structure.lib.php' and could allow cross-site scripting attacks. Note that this issue only affects the 4.2.x branch. (CVE-2014-4954)
- The 'trigger' parameter input is not being validated in the script 'libraries/rte/rte_list.lib.php' and could allow cross-site scripting attacks. (CVE-2014-4955)
- The 'table' and 'curr_column_name' parameter inputs are not being validated in the scripts 'js/functions.js' and 'js/tbl_structure.js' respectively and could allow cross-site scripting attacks. (CVE-2014-4986)
- The script 'server_user_groups.php' contains an error that could allow a remote attacker to obtain the MySQL user list and possibly make changes to the application display. Note this issue only affects the 4.1.x and 4.2.x branches. (CVE-2014-4987)
Solution
Either upgrade to phpMyAdmin 4.0.10.1, 4.1.14.2, or 4.2.6 or later (whichever fixed release matches the installed branch), or apply the patches from the referenced links.
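The branch-aware version test this plugin performs, written out as an added example (not the plugin's own code) so an administrator can check a reported phpMyAdmin version offline. The fixed releases and the per-branch CVE applicability come from the text above; the function names are assumptions.

```python
# Added example, not part of the Nessus plugin: decide whether a phpMyAdmin
# 4.0.x / 4.1.x / 4.2.x version is affected by PMASA-2014-4 through -7.
from typing import List, Optional, Tuple

# Fixed release per branch, taken from the advisory above.
FIXED = {
    (4, 0): (4, 0, 10, 1),
    (4, 1): (4, 1, 14, 2),
    (4, 2): (4, 2, 6),
}

# Which branches each CVE applies to, per the notes in the description.
CVES_BY_BRANCH = {
    "CVE-2014-4954": {(4, 2)},
    "CVE-2014-4955": {(4, 0), (4, 1), (4, 2)},
    "CVE-2014-4986": {(4, 0), (4, 1), (4, 2)},
    "CVE-2014-4987": {(4, 1), (4, 2)},
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '4.2.5' into (4, 2, 5); rejects non-numeric parts such as '4.2.6-rc1'."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable phpMyAdmin version: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected(text: str) -> Optional[bool]:
    """True if older than the branch's fixed release, False if patched,
    None if the branch is not covered by this advisory (e.g. 4.3.x)."""
    version = parse_version(text)
    fixed = FIXED.get(version[:2])
    if fixed is None:
        return None
    # Tuple comparison is lexicographic, so (4, 0, 10) < (4, 0, 10, 1) holds.
    return version < fixed


def applicable_cves(text: str) -> List[str]:
    """CVEs from this advisory that apply to the given (affected) version."""
    version = parse_version(text)
    if not is_affected(text):
        return []
    return sorted(cve for cve, branches in CVES_BY_BRANCH.items()
                  if version[:2] in branches)
```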