
phpMyAdmin 4.0.x < 4.0.10.6 / 4.1.x < 4.1.14.7 / 4.2.x < 4.2.12 Multiple Vulnerabilities (PMASA-2014-13 through 16)

Medium

Synopsis

The remote web server contains a PHP application that is affected by multiple security vulnerabilities, most of them the result of improper sanitization of user-supplied input.

Description

phpMyAdmin is a free and open source tool written in PHP intended to handle the administration of MySQL with the use of a web browser. Versions of phpMyAdmin 4.0.x prior to 4.0.10.6, 4.1.x prior to 4.1.14.7 and 4.2.x prior to 4.2.12 are potentially affected by multiple vulnerabilities:

- The application is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input submitted to the table browse page, the table print view and zoom search pages, and the home page. (PMASA-2014-13)

- It is possible to include an arbitrary file through the GIS editor because user-supplied input containing directory-traversal sequences (../) is not sanitized. (PMASA-2014-14)

- The application is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input submitted to the error_report.lib.php script. (PMASA-2014-15)

- It is possible to obtain the line count of arbitrary files due to failure to sanitize user-supplied input submitted to the filename parameter of the error_report.lib.php script. (PMASA-2014-16)

Solution

Either upgrade to phpMyAdmin 4.0.10.6, 4.1.14.7, 4.2.12 or later, or apply the patches from the referenced links.
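The version ranges above, as an added Python check that is not Tenable's plugin code: it classifies a reported phpMyAdmin version string against the fixed releases named in this advisory, and runs the check over a constructed sample host inventory (hostnames and versions are made up for illustration).

```python
import re
from typing import Dict, List, Optional, Tuple

# Branch (major, minor) -> first fixed release in that branch, taken from the
# advisory: 4.0.x < 4.0.10.6, 4.1.x < 4.1.14.7, 4.2.x < 4.2.12 are affected.
FIXED_RELEASES = {
    (4, 0): (4, 0, 10, 6),
    (4, 1): (4, 1, 14, 7),
    (4, 2): (4, 2, 12),
}


def parse_version(text: str) -> Tuple[Tuple[int, ...], bool]:
    """Split '4.2.12-rc1' into ((4, 2, 12), True); the flag marks a pre-release tag."""
    m = re.match(r"(\d+(?:\.\d+)*)(.*)$", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    prerelease = bool(re.match(r"[-.]?(alpha|beta|rc)", m.group(2), re.I))
    return nums, prerelease


def is_affected(version: str) -> Optional[bool]:
    """True if the version is in an affected range, False if fixed,
    None if the branch is not covered by this advisory (e.g. 4.3.x)."""
    nums, prerelease = parse_version(version)
    fixed = FIXED_RELEASES.get(nums[:2])
    if fixed is None:
        return None
    # Tuple comparison handles a shorter version such as 4.0.10 (< 4.0.10.6).
    if nums < fixed:
        return True
    # A pre-release of the fixed version itself predates the fix.
    return nums == fixed and prerelease


# Constructed sample inventory (hostname -> reported version) for the demo.
SAMPLE_INVENTORY: Dict[str, str] = {
    "db-admin-01": "4.0.10.5",
    "db-admin-02": "4.2.12",
    "db-admin-03": "4.1.14",
    "db-admin-04": "4.3.0",
}


def affected_hosts(inventory: Dict[str, str]) -> List[str]:
    """Return the sorted hostnames whose version falls in an affected range."""
    return sorted(host for host, ver in inventory.items() if is_affected(ver))
```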