Hi, does an attacker need to be logged on with an valid account to PMA in order to explode this issues?
Thx, Ingo On 01/05/12 00:53, Tim Sammut wrote: > - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - > Gentoo Linux Security Advisory GLSA 201201-01 > - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - > http://security.gentoo.org/ > - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - > > Severity: High > Title: phpMyAdmin: Multiple vulnerabilities > Date: January 04, 2012 > Bugs: #302745, #335490, #336462, #354227, #373951, #376369, > #387413, #389427, #395715 > ID: 201201-01 > > - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - > > Synopsis > ======== > > Multiple vulnerabilities were found in phpMyAdmin, the most severe of > which allows the execution of arbitrary PHP code. > > Background > ========== > > phpMyAdmin is a web-based management tool for MySQL databases. > > Affected packages > ================= > > ------------------------------------------------------------------- > Package / Vulnerable / Unaffected > ------------------------------------------------------------------- > 1 dev-db/phpmyadmin < 3.4.9 >= 3.4.9 > > Description > =========== > > Multiple vulnerabilities have been discovered in phpMyAdmin. Please > review the CVE identifiers and phpMyAdmin Security Advisories > referenced below for details. > > Impact > ====== > > Remote attackers might be able to insert and execute PHP code, include > and execute local PHP files, or perform Cross-Site Scripting (XSS) > attacks via various vectors. > > Workaround > ========== > > There is no known workaround at this time. > > Resolution > ========== > > All phpMyAdmin users should upgrade to the latest version: > > # emerge --sync > # emerge --ask --oneshot --verbose ">=dev-db/phpmyadmin-3.4.9" > > References > ========== > > [ 1 ] CVE-2008-7251 > http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-7251 > [ 2 ] CVE-2008-7252 > http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-7252 > [ 3 ] CVE-2010-2958 > http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2958 > [ 4 ] CVE-2010-3055 > http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3055 > [ 5 ] CVE-2010-3056 > http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3056 > [ 6 ] CVE-2010-3263 > http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3263 > [ 7 ] CVE-2011-0986 > http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0986 > [ 8 ] CVE-2011-0987 > http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0987 > [ 9 ] CVE-2011-2505 > http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2505 > [ 10 ] CVE-2011-2506 > http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2506 > [ 11 ] CVE-2011-2507 > http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2507 > [ 12 ] CVE-2011-2508 > http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2508 > [ 13 ] CVE-2011-2642 > http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2642 > [ 14 ] CVE-2011-2643 > http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2643 > [ 15 ] CVE-2011-2718 > http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2718 > [ 16 ] CVE-2011-2719 > http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2719 > [ 17 ] CVE-2011-3646 > http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3646 > [ 18 ] CVE-2011-4064 > http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4064 > [ 19 ] CVE-2011-4107 > http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4107 > [ 20 ] CVE-2011-4634 > http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4634 > [ 21 ] CVE-2011-4780 > http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4780 > [ 22 ] CVE-2011-4782 > http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4782 > [ 23 ] PMASA-2010-1 > http://www.phpmyadmin.net/home_page/security/PMASA-2010-1.php > [ 24 ] PMASA-2010-2 > http://www.phpmyadmin.net/home_page/security/PMASA-2010-2.php > [ 25 ] PMASA-2010-4 > http://www.phpmyadmin.net/home_page/security/PMASA-2010-4.php > [ 26 ] PMASA-2010-5 > http://www.phpmyadmin.net/home_page/security/PMASA-2010-5.php > [ 27 ] PMASA-2010-6 > http://www.phpmyadmin.net/home_page/security/PMASA-2010-6.php > [ 28 ] PMASA-2010-7 > http://www.phpmyadmin.net/home_page/security/PMASA-2010-7.php > [ 29 ] PMASA-2011-1 > http://www.phpmyadmin.net/home_page/security/PMASA-2011-1.php > [ 30 ] PMASA-2011-10 > http://www.phpmyadmin.net/home_page/security/PMASA-2011-10.php > [ 31 ] PMASA-2011-11 > http://www.phpmyadmin.net/home_page/security/PMASA-2011-11.php > [ 32 ] PMASA-2011-12 > http://www.phpmyadmin.net/home_page/security/PMASA-2011-12.php > [ 33 ] PMASA-2011-15 > http://www.phpmyadmin.net/home_page/security/PMASA-2011-15.php > [ 34 ] PMASA-2011-16 > http://www.phpmyadmin.net/home_page/security/PMASA-2011-16.php > [ 35 ] PMASA-2011-17 > http://www.phpmyadmin.net/home_page/security/PMASA-2011-17.php > [ 36 ] PMASA-2011-18 > http://www.phpmyadmin.net/home_page/security/PMASA-2011-18.php > [ 37 ] PMASA-2011-19 > http://www.phpmyadmin.net/home_page/security/PMASA-2011-19.php > [ 38 ] PMASA-2011-2 > http://www.phpmyadmin.net/home_page/security/PMASA-2011-2.php > [ 39 ] PMASA-2011-20 > http://www.phpmyadmin.net/home_page/security/PMASA-2011-20.php > [ 40 ] PMASA-2011-5 > http://www.phpmyadmin.net/home_page/security/PMASA-2011-5.php > [ 41 ] PMASA-2011-6 > http://www.phpmyadmin.net/home_page/security/PMASA-2011-6.php > [ 42 ] PMASA-2011-7 > http://www.phpmyadmin.net/home_page/security/PMASA-2011-7.php > [ 43 ] PMASA-2011-8 > http://www.phpmyadmin.net/home_page/security/PMASA-2011-8.php > [ 44 ] PMASA-2011-9 > http://www.phpmyadmin.net/home_page/security/PMASA-2011-9.php > > Availability > ============ > > This GLSA and any updates to it are available for viewing at > the Gentoo Security Website: > > http://security.gentoo.org/glsa/glsa-201201-01.xml > > Concerns? > ========= > > Security is a primary focus of Gentoo Linux and ensuring the > confidentiality and security of our users' machines is of utmost > importance to us. Any security concerns should be addressed to > [email protected] or alternatively, you may file a bug at > https://bugs.gentoo.org. > > License > ======= > > Copyright 2012 Gentoo Foundation, Inc; referenced text > belongs to its owner(s). > > The contents of this document are licensed under the > Creative Commons - Attribution / Share Alike license. > > http://creativecommons.org/licenses/by-sa/2.5 > > > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
