FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

phpmyadmin -- multiple vulnerabilities

Affected packages
phpMyAdmin < 3.4.3.2

Details

VuXML ID: d79fc873-b5f9-11e0-89b4-001ec9578670
Discovery: 2011-07-23
Entry: 2011-07-24
Modified: 2011-07-28

The phpMyAdmin development team reports:

XSS in table Print view.

Via a crafted MIME-type transformation parameter, an attacker can perform a local file inclusion.

In the 'relational schema' code a parameter was not sanitized before being used to concatenate a class name.

The end result is a local file inclusion vulnerability and code execution.

It was possible to manipulate the PHP session superglobal using some of the Swekey authentication code.

This is very similar to PMASA-2011-5, documented in VuXML entry 7e4e5c53-a56c-11e0-b180-00216aa06fc2.
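The second and third items above describe the same defect class: a request parameter is concatenated into a class name (and from there into a file path) without sanitisation, so a crafted value can make the application include a local file of the attacker's choosing. The following is an added illustration of the hardened pattern a maintainer would apply; it is not phpMyAdmin's code and does not reproduce the affected function. The directory, the transformation names in the allowlist and the file naming convention are all hypothetical.

```php
<?php
// Added example, not phpMyAdmin's code: a hardened way to turn a user-supplied
// transformation name into a class/file name. The advisory describes the
// opposite pattern (parameter concatenated into a class name without
// sanitisation, leading to local file inclusion and code execution).

declare(strict_types=1);

const TRANSFORMATION_DIR = __DIR__ . '/transformations'; // hypothetical directory

// Allowlist of transformation names this application actually ships.
// Hypothetical names; a real deployment lists its own.
const KNOWN_TRANSFORMATIONS = [
    'Text_Plain_Dateformat',
    'Text_Plain_Link',
    'Image_JPEG_Inline',
];

/**
 * Resolve a transformation name taken from a request parameter to an
 * absolute file path, or throw if it is not one of the shipped transformations.
 */
function resolveTransformationFile(string $requested): string
{
    // 1. Structural check: only the characters a class name can contain.
    //    This rejects "../", NUL bytes, stream wrappers such as "php://", etc.
    if (preg_match('/\A[A-Za-z0-9_]{1,64}\z/', $requested) !== 1) {
        throw new InvalidArgumentException('Malformed transformation name');
    }

    // 2. Semantic check: the name must be one of the fixed allowlist entries.
    //    Strict comparison so that loosely-equal values cannot match.
    if (!in_array($requested, KNOWN_TRANSFORMATIONS, true)) {
        throw new InvalidArgumentException('Unknown transformation');
    }

    // 3. Build the path only from trusted parts, then confirm that the
    //    resolved file still lives inside the transformation directory.
    $base = realpath(TRANSFORMATION_DIR);
    $path = realpath(TRANSFORMATION_DIR . '/' . $requested . '.class.php');
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        throw new RuntimeException('Transformation file not found in expected location');
    }
    return $path;
}

/**
 * Load the transformation and return an instance of its class.
 * Assumes (hypothetically) that each file defines a class named after the file.
 */
function loadTransformation(string $requested): object
{
    $file = resolveTransformationFile($requested);
    require_once $file;
    // The class name comes from the validated allowlist entry, never from a
    // raw request string, so no attacker-controlled text reaches `new`.
    $class = $requested;
    if (!class_exists($class, false)) {
        throw new RuntimeException("Class $class not defined by $file");
    }
    return new $class();
}

// Usage: constructed sample inputs, showing that only allowlisted,
// well-formed names get as far as the filesystem check.
foreach (['Text_Plain_Link', '../Something', "Text_Plain_Link\0", 'Nope'] as $candidate) {
    try {
        $resolved = resolveTransformationFile($candidate);
        echo "accepted: $candidate -> $resolved\n";
    } catch (Throwable $e) {
        echo 'rejected: ' . addcslashes($candidate, "\0") . ' (' . $e->getMessage() . ")\n";
    }
}
```

The order of the checks matters: the character-class test runs before any filesystem call, so traversal sequences and wrapper prefixes never reach `realpath`, and the allowlist test means that even a well-formed name that happens to match a file elsewhere on disk cannot be included. The final `realpath` comparison is a belt-and-braces check against symlinks or misconfiguration of the transformation directory itself.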

References

CVE Name: CVE-2011-2642
CVE Name: CVE-2011-2643
URL: http://www.phpmyadmin.net/home_page/security/PMASA-2011-10.php
URL: http://www.phpmyadmin.net/home_page/security/PMASA-2011-11.php
URL: http://www.phpmyadmin.net/home_page/security/PMASA-2011-12.php
URL: http://www.phpmyadmin.net/home_page/security/PMASA-2011-9.php