Bug 20132

Summary: phpMyAdmin < 2.6.4-pl3 Multiple Vulnerabilities
Product: ALT Linux Server Reporter: Slava Dubrovskiy <dubrsl>
Component: securityAssignee: Anton V. Boyarshinov <boyarsh>
Status: CLOSED NOTABUG QA Contact: Andrey Cherepanov <cas>
Severity: normal    
Priority: P3 CC: crux, lnkvisitor.ts, lnkvisitor, vvk
Version: snapshot   
Hardware: all   
OS: Linux   
URL: http://www.phpmyadmin.net/home_page/security/PMASA-2005-5.php

Description Slava Dubrovskiy 2009-05-21 23:44:53 MSD 
The remote web server contains a PHP application that is prone to several flaws.   Description :  The version of phpMyAdmin installed on the remote host is affected by a local file inclusion vulnerability, which can be exploited by an unauthenticated attacker to read arbitrary files, and possibly even to execute arbitrary PHP code on the affected host subject to the permissions of the web server user id.   In addition, the application fails to sanitize user-supplied input to the 'hash' parameter in the 'left.php' and 'queryframe.php' scripts as well as the 'sort_order' and 'sort_by' parameters in the 'server_databases.php' script before using it to generate dynamic HTML, which can lead to cross-site scripting attacks against the affected application.


http://www.phpmyadmin.net/home_page/security/PMASA-2005-5.php
http://cgi.nessus.org/cve.php3?cve=CVE-2005-3300
http://cgi.nessus.org/cve.php3?cve=CVE-2005-3301

Solution :  Upgrade to phpMyAdmin 2.6.4-pl3 or later.
Comment 1 Vladimir V. Kamarzin 2009-05-22 09:09:25 MSD 
Будет ли майнтэйнер исправлять это в бранчах?
Comment 2 Vladimir Lettiev 2009-05-22 11:16:36 MSD 
Актуальна ли именно эта ошибка? В Server (4.0.1) лежит phpMyAdmin версии 2.10.1. Хотя не спорю, обновлять надо до 2.11.9.5, т.к. там других проблем безопасности навалом.
Comment 3 Kulik Dmitriy 2011-03-23 00:15:32 MSK 
Бага протухла