
phpMyAdmin 3.3.x < 3.3.10.2 / 3.4.x < 3.4.3.1 Multiple Vulnerabilities

Medium

Synopsis

The remote web server contains a PHP application that is vulnerable to multiple attack vectors.

Description

Versions of phpMyAdmin 3.3.x earlier than 3.3.10.2 and 3.4.x earlier than 3.4.3.1 are potentially affected by multiple vulnerabilities:

- It is possible to manipulate the PHP session superglobal using some of the Swekey authentication code. (PMASA-2011-5)

- An unsanitized key from the Servers array is written in a comment of the generated config, which could allow an attacker to close the comment and inject code. (PMASA-2011-6)

- It is possible to use a null byte to truncate the pattern string, which would allow an attacker to inject the /e modifier, causing the preg_replace function to execute its second argument as PHP code. (PMASA-2011-7)

- An issue exists in the MIME-type transformation code, which allows for directory traversal. (PMASA-2011-8)

Solution

Upgrade to phpMyAdmin 3.3.10.2, 3.4.3.1, or later.
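
To triage an inventory against the ranges above, the following added example (not part of the advisory or of phpMyAdmin) compares a reported version string with the fixed release for its branch. The function names, the sample inventory, and the choice to treat a pre-release suffix on a fixed version number as still affected are assumptions of this example.

```python
import re

# Fixed releases per branch, taken from the advisory text above.
FIXED = {(3, 3): (3, 3, 10, 2), (3, 4): (3, 4, 3, 1)}

# Assumption: suffixes such as "-rc1" mark a build that precedes the release.
PRE_RELEASE = re.compile(r"[-_.]?(rc|beta|alpha|dev)", re.IGNORECASE)


def parse_version(text):
    """Return ((a, b, c, d), is_pre_release) for strings like '3.4.3' or '3.4.3.1-rc1'."""
    m = re.match(r"\s*(\d+(?:\.\d+){1,3})(.*)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    # Pad to four components so 3.4.3 compares as 3.4.3.0.
    version = tuple(parts + [0] * (4 - len(parts)))
    return version, bool(PRE_RELEASE.match(m.group(2)))


def assess(text):
    """Return (affected, fixed_release).

    affected is None when the branch is outside 3.3.x / 3.4.x, because
    the advisory makes no statement about other branches.
    """
    version, is_pre = parse_version(text)
    fixed = FIXED.get(version[:2])
    if fixed is None:
        return None, None
    affected = version < fixed or (version == fixed and is_pre)
    return affected, ".".join(str(n) for n in fixed)


if __name__ == "__main__":
    # Constructed sample inventory: host label -> reported phpMyAdmin version.
    inventory = {"db-admin-01": "3.4.3", "db-admin-02": "3.3.10.2", "legacy-07": "2.11.11"}
    for host, reported in inventory.items():
        affected, fixed = assess(reported)
        if affected is None:
            print(f"{host}: {reported} is not covered by this advisory")
        elif affected:
            print(f"{host}: {reported} is affected, upgrade to {fixed} or later")
        else:
            print(f"{host}: {reported} is at or above {fixed}")
```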