[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <20110804062931.GC9862@foo.fgeek.fi>
Date: Thu, 4 Aug 2011 09:29:31 +0300
From: Henri Salo <henri@...v.fi>
To: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: Re: phpMyAdmin 3.x Conditional Session
Manipulation
On Sun, Jul 24, 2011 at 06:10:00PM +0200, Mango wrote:
> ###############################################################################
>
> phpMyAdmin 3.x Conditional Session Manipulation
>
> ###############################[ Advisory from ]###############################
>
> #########¨¨########¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨##¨¨¨¨¨#########.¨¨¨
> ¨¨'####:¨¨¨¨:###'¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨:##:¨¨¨¨¨'###¨¨'###.¨
> ¨¨¨¨'###.¨¨.##'¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨####¨¨¨¨¨¨###¨¨¨¨###¨
> ¨¨¨¨¨'###..##'¨¨¨######¨¨#####¨¨.#####.¨¨¨..#¨¨¨___¨¨¨¨¨¨:#'##:¨¨¨¨¨###¨¨¨¨###¨
> ¨¨¨¨¨¨'#####'¨¨¨¨¨'###:¨¨:##'¨.##''¨''##.####¨######.¨¨¨¨#'¨¨##¨¨¨¨¨###¨¨¨.###¨
> ¨¨¨¨¨¨¨'###:¨¨¨¨¨¨¨¨'##..#'¨¨.##'¨¨¨¨¨'##.¨###''¨'##'¨¨¨:#¨¨¨##:¨¨¨¨########:¨¨
> ¨¨¨¨¨¨¨.####.¨¨¨¨¨¨¨¨'###'¨¨¨###¨¨¨¨¨¨¨###¨##¨¨¨¨¨¨¨¨¨¨¨#'¨¨¨:##¨¨¨¨###¨¨¨'###.
> ¨¨¨¨¨¨.##'###.¨¨¨¨¨¨¨¨.##.¨¨¨###¨¨¨¨¨¨¨###¨##¨¨¨¨¨¨¨¨¨¨:########:¨¨¨###¨¨¨¨'###
> ¨¨¨¨¨.##'¨'###.¨¨¨¨¨¨.#'##.¨¨###¨¨¨¨¨¨¨###¨##¨¨¨¨¨¨¨¨¨¨#'¨¨¨¨¨:##¨¨¨###¨¨¨¨¨###
> ¨¨¨¨.##'¨¨¨'###.¨¨¨¨.#'¨'##.¨'##¨¨¨¨¨¨.##'¨##¨¨¨¨¨¨¨¨¨:#¨¨¨¨¨¨¨##:¨¨###¨¨¨¨.###
> ¨¨.###:¨¨¨¨¨:####..##:¨¨¨:###.'##..¨..##'¨.##.¨¨¨¨¨¨¨.##.¨¨¨¨¨.###..###.¨¨.###'
> ########¨¨¨############¨#######''#####''¨#######¨¨¨#######¨¨¨###############'¨¨
>
> ################################[ www.Xxor.se ]################################
>
> Application: phpMyAdmin 3.x
> Patched ver: 3.3.10.3 and 3.4.3.2
> Severity: Low
> Exploitable: Remote
> PMASA ID: PMASA-2011-12
>
>
> ################################[ Description ]################################
>
> If the Swekey extention is activated a remote attacker can manipulate the
> variables in the the global namespace.
>
>
> ####################################[ Fix ]####################################
>
> Upgrade to version 3.3.10.3 or 3.4.3.2.
> Or apply patches available at: http://www.phpmyadmin.net/home_page/security/
>
>
> #################################[ Timeline ]##################################
>
> 2011-07-07 - Reported to vendor
> 2011-07-23 - Patch available
> 2011-07-24 - Disclosed
This issue can be refered as CVE-2011-2719.
Best regards,
Henri Salo
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists