lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <4F06E50C.6050209@binarysignals.net>
Date: Fri, 06 Jan 2012 13:11:56 +0100
From: Ingo Schmitt <ingo.schmitt@...arysignals.net>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: [ GLSA 201201-01 ] phpMyAdmin: Multiple
	vulnerabilities

Hi, does an attacker need to be logged on with an valid account to PMA
in order to explode this issues?

Thx,
Ingo
 
On 01/05/12 00:53, Tim Sammut wrote:
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
> Gentoo Linux Security Advisory                           GLSA 201201-01
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
>                                             http://security.gentoo.org/
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
>
>  Severity: High
>     Title: phpMyAdmin: Multiple vulnerabilities
>      Date: January 04, 2012
>      Bugs: #302745, #335490, #336462, #354227, #373951, #376369,
>            #387413, #389427, #395715
>        ID: 201201-01
>
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
>
> Synopsis
> ========
>
> Multiple vulnerabilities were found in phpMyAdmin, the most severe of
> which allows the execution of arbitrary PHP code.
>
> Background
> ==========
>
> phpMyAdmin is a web-based management tool for MySQL databases.
>
> Affected packages
> =================
>
>     -------------------------------------------------------------------
>      Package              /     Vulnerable     /            Unaffected
>     -------------------------------------------------------------------
>   1  dev-db/phpmyadmin            < 3.4.9                    >= 3.4.9
>
> Description
> ===========
>
> Multiple vulnerabilities have been discovered in phpMyAdmin. Please
> review the CVE identifiers and phpMyAdmin Security Advisories
> referenced below for details.
>
> Impact
> ======
>
> Remote attackers might be able to insert and execute PHP code, include
> and execute local PHP files, or perform Cross-Site Scripting (XSS)
> attacks via various vectors.
>
> Workaround
> ==========
>
> There is no known workaround at this time.
>
> Resolution
> ==========
>
> All phpMyAdmin users should upgrade to the latest version:
>
>   # emerge --sync
>   # emerge --ask --oneshot --verbose ">=dev-db/phpmyadmin-3.4.9"
>
> References
> ==========
>
> [  1 ] CVE-2008-7251
>        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-7251
> [  2 ] CVE-2008-7252
>        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-7252
> [  3 ] CVE-2010-2958
>        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2958
> [  4 ] CVE-2010-3055
>        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3055
> [  5 ] CVE-2010-3056
>        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3056
> [  6 ] CVE-2010-3263
>        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3263
> [  7 ] CVE-2011-0986
>        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0986
> [  8 ] CVE-2011-0987
>        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0987
> [  9 ] CVE-2011-2505
>        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2505
> [ 10 ] CVE-2011-2506
>        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2506
> [ 11 ] CVE-2011-2507
>        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2507
> [ 12 ] CVE-2011-2508
>        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2508
> [ 13 ] CVE-2011-2642
>        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2642
> [ 14 ] CVE-2011-2643
>        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2643
> [ 15 ] CVE-2011-2718
>        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2718
> [ 16 ] CVE-2011-2719
>        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2719
> [ 17 ] CVE-2011-3646
>        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3646
> [ 18 ] CVE-2011-4064
>        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4064
> [ 19 ] CVE-2011-4107
>        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4107
> [ 20 ] CVE-2011-4634
>        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4634
> [ 21 ] CVE-2011-4780
>        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4780
> [ 22 ] CVE-2011-4782
>        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4782
> [ 23 ] PMASA-2010-1
>        http://www.phpmyadmin.net/home_page/security/PMASA-2010-1.php
> [ 24 ] PMASA-2010-2
>        http://www.phpmyadmin.net/home_page/security/PMASA-2010-2.php
> [ 25 ] PMASA-2010-4
>        http://www.phpmyadmin.net/home_page/security/PMASA-2010-4.php
> [ 26 ] PMASA-2010-5
>        http://www.phpmyadmin.net/home_page/security/PMASA-2010-5.php
> [ 27 ] PMASA-2010-6
>        http://www.phpmyadmin.net/home_page/security/PMASA-2010-6.php
> [ 28 ] PMASA-2010-7
>        http://www.phpmyadmin.net/home_page/security/PMASA-2010-7.php
> [ 29 ] PMASA-2011-1
>        http://www.phpmyadmin.net/home_page/security/PMASA-2011-1.php
> [ 30 ] PMASA-2011-10
>        http://www.phpmyadmin.net/home_page/security/PMASA-2011-10.php
> [ 31 ] PMASA-2011-11
>        http://www.phpmyadmin.net/home_page/security/PMASA-2011-11.php
> [ 32 ] PMASA-2011-12
>        http://www.phpmyadmin.net/home_page/security/PMASA-2011-12.php
> [ 33 ] PMASA-2011-15
>        http://www.phpmyadmin.net/home_page/security/PMASA-2011-15.php
> [ 34 ] PMASA-2011-16
>        http://www.phpmyadmin.net/home_page/security/PMASA-2011-16.php
> [ 35 ] PMASA-2011-17
>        http://www.phpmyadmin.net/home_page/security/PMASA-2011-17.php
> [ 36 ] PMASA-2011-18
>        http://www.phpmyadmin.net/home_page/security/PMASA-2011-18.php
> [ 37 ] PMASA-2011-19
>        http://www.phpmyadmin.net/home_page/security/PMASA-2011-19.php
> [ 38 ] PMASA-2011-2
>        http://www.phpmyadmin.net/home_page/security/PMASA-2011-2.php
> [ 39 ] PMASA-2011-20
>        http://www.phpmyadmin.net/home_page/security/PMASA-2011-20.php
> [ 40 ] PMASA-2011-5
>        http://www.phpmyadmin.net/home_page/security/PMASA-2011-5.php
> [ 41 ] PMASA-2011-6
>        http://www.phpmyadmin.net/home_page/security/PMASA-2011-6.php
> [ 42 ] PMASA-2011-7
>        http://www.phpmyadmin.net/home_page/security/PMASA-2011-7.php
> [ 43 ] PMASA-2011-8
>        http://www.phpmyadmin.net/home_page/security/PMASA-2011-8.php
> [ 44 ] PMASA-2011-9
>        http://www.phpmyadmin.net/home_page/security/PMASA-2011-9.php
>
> Availability
> ============
>
> This GLSA and any updates to it are available for viewing at
> the Gentoo Security Website:
>
>  http://security.gentoo.org/glsa/glsa-201201-01.xml
>
> Concerns?
> =========
>
> Security is a primary focus of Gentoo Linux and ensuring the
> confidentiality and security of our users' machines is of utmost
> importance to us. Any security concerns should be addressed to
> security@...too.org or alternatively, you may file a bug at
> https://bugs.gentoo.org.
>
> License
> =======
>
> Copyright 2012 Gentoo Foundation, Inc; referenced text
> belongs to its owner(s).
>
> The contents of this document are licensed under the
> Creative Commons - Attribution / Share Alike license.
>
> http://creativecommons.org/licenses/by-sa/2.5
>
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ