phpMyAdmin 4.0.x < 4.0.10.6 / 4.1.x < 4.1.14.7 / 4.2.x < 4.2.12 Multiple Vulnerabilities (PMASA-2014-13 through 16)

Medium Nessus Network Monitor Plugin ID 8583

Synopsis

The remote web server contains a PHP application that is affected by numerous security vulnerabilities as a result of improper user input sanitation among other bugs.

Description

phpMyAdmin is a free and open source tool written in PHP intended to handle the administration of MySQL with the use of a web browser. Versions of phpMyAdmin 4.0.x prior to 4.0.10.6, 4.1.x prior to 4.1.14.7 and 4.2.x prior to 4.2.12 are potentially affected by multiple vulnerabilities :

- Prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input submitted to the table browse page, table print view and zoom search pages, and home page. (PMASA-2014-13)

- It is possible to include an arbitrary file through the GIS editor due to a lack of sanitizing user-supplied input using directory-traversal strings (../). (PMASA-2014-14)

- Prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input submitted to the error_report.lib.php script. (PMASA-2014-15)

- It is possible to obtain the line count of arbitrary files due to failure to sanitize user-supplied input submitted to the filename parameter of the error_report.lib.php script. (PMASA-2014-16)

Solution

Either upgrade to phpMyAdmin 4.0.10.6, 4.1.14.7, 4.2.12 or later, or apply the patches from the referenced links.

See Also

http://www.nessus.org/u?55609062

http://www.nessus.org/u?d3343500

http://www.nessus.org/u?fea68045

http://www.nessus.org/u?945b4a35

Plugin Details

Severity: Medium

ID: 8583

Family: CGI

Published: 2014/11/24

Modified: 2018/09/16

Dependencies: 9102

Nessus ID: 79588, 79599, 79653, 79654, 79777

Risk Information

Risk Factor: Medium

CVSSv2

Base Score: 6.5

Temporal Score: 5.4

Vector: CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P

Temporal Vector: CVSS2#E:F/RL:OF/RC:C

CVSSv3

Base Score: 6.3

Temporal Score: 5.9

Vector: CVSS3#AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Temporal Vector: CVSS3#E:F/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:phpmyadmin:phpmyadmin

Patch Publication Date: 2014/11/20

Vulnerability Publication Date: 2014/11/19

Reference Information

CVE: CVE-2014-8958, CVE-2014-8959, CVE-2014-8960, CVE-2014-8961

BID: 71247, 71245, 71244, 71243