
phpMyAdmin < 3.1.3.1 'file_path' Parameter Multiple Vulnerabilities (PMASA-2009-1)

High

Synopsis

The remote host is vulnerable to multiple attack vectors.

Description

The version of phpMyAdmin installed on the remote host fails to sanitize user-supplied input to the 'file_path' parameter of the 'bs_disp_as_mime_type.php' script before using it to read a file and reporting it in dynamically generated HTML. An unauthenticated remote attacker may be able to leverage this issue to read arbitrary files, possibly from third-party hosts, or to inject arbitrary HTTP headers in responses sent to third-party users. In addition, the version of phpMyAdmin is reportedly vulnerable to a number of other flaws.

Solution

Upgrade to version 3.1.3.1 or apply the patch referenced in the project's advisory.
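To review past exposure on a host that ran an affected version, the requests named in the Description can be pulled out of the web server's access log. The following is an added example, not the scanner's or the phpMyAdmin project's code. It assumes Apache combined log format; the labels `local`, `remote` and `crlf` and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

SCRIPT = "bs_disp_as_mime_type.php"
# Client address, then the quoted request field: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed sample lines (documentation-range addresses, placeholder values).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:00:00:01 +0000] "GET /phpmyadmin/bs_disp_as_mime_type.php'
    '?file_path=%2Fsome%2Flocal%2Ffile HTTP/1.1" 200 512',
    '192.0.2.11 - - [01/Jan/2024:00:00:02 +0000] "GET /phpmyadmin/bs_disp_as_mime_type.php'
    '?file_path=http%3A%2F%2Fthird-party.example%2Fblob HTTP/1.1" 200 90',
    '192.0.2.12 - - [01/Jan/2024:00:00:03 +0000] "GET /phpmyadmin/bs_disp_as_mime_type.php'
    '?file_path=x%0D%0AX-Constructed%3A%201 HTTP/1.1" 200 0',
    '198.51.100.7 - - [01/Jan/2024:00:00:04 +0000] "GET /phpmyadmin/index.php HTTP/1.1" 200 1024',
]

def classify(value):
    """Label a decoded file_path value (labels are this example's own)."""
    if "\r" in value or "\n" in value:
        return "crlf"    # line break in the value: header-injection attempt
    if urlsplit(value).netloc:
        return "remote"  # value names a host, i.e. a third-party fetch
    return "local"       # anything else is treated as a local path

def triage(lines):
    """Return (client, label, decoded value) for each file_path request to SCRIPT."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client, target = m.groups()
        parts = urlsplit(target)
        if not parts.path.endswith("/" + SCRIPT):
            continue
        # parse_qs percent-decodes, so encoded CR/LF shows up as real characters
        for value in parse_qs(parts.query, keep_blank_values=True).get("file_path", []):
            hits.append((client, classify(value), value))
    return hits

if __name__ == "__main__":
    for client, label, value in triage(SAMPLE_LOG):
        print(f"{client}\t{label}\t{value!r}")
```

POST bodies are not recorded in access logs, so this only sees `file_path` values passed in the query string.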