Test Kennung:	1.3.6.1.4.1.25623.1.0.69995
Kategorie:	FreeBSD Local Security Checks
Titel:	FreeBSD Ports: phpmyadmin
Zusammenfassung:	The remote host is missing an update to the system; as announced in the referenced advisory.
Beschreibung:	Summary: The remote host is missing an update to the system as announced in the referenced advisory. Vulnerability Insight: The following package is affected: phpmyadmin CVE-2011-2505 libraries/auth/swekey/swekey.auth.lib.php in the Swekey authentication feature in phpMyAdmin 3.x before 3.3.10.2 and 3.4.x before 3.4.3.1 assigns values to arbitrary parameters referenced in the query string, which allows remote attackers to modify the SESSION superglobal array via a crafted request, related to a 'remote variable manipulation vulnerability.' CVE-2011-2506 setup/lib/ConfigGenerator.class.php in phpMyAdmin 3.x before 3.3.10.2 and 3.4.x before 3.4.3.1 does not properly restrict the presence of comment closing delimiters, which allows remote attackers to conduct static code injection attacks by leveraging the ability to modify the SESSION superglobal array. CVE-2011-2507 libraries/server_synchronize.lib.php in the Synchronize implementation in phpMyAdmin 3.x before 3.3.10.2 and 3.4.x before 3.4.3.1 does not properly quote regular expressions, which allows remote authenticated users to inject a PCRE e (aka PREG_REPLACE_EVAL) modifier, and consequently execute arbitrary PHP code, by leveraging the ability to modify the SESSION superglobal array. CVE-2011-2508 Directory traversal vulnerability in libraries/display_tbl.lib.php in phpMyAdmin 3.x before 3.3.10.2 and 3.4.x before 3.4.3.1, when a certain MIME transformation feature is enabled, allows remote authenticated users to include and execute arbitrary local files via a .. (dot dot) in a GLOBALS[mime_map][$meta->name][transformation] parameter. Solution: Update your system with the appropriate patches or software upgrades. CVSS Score: 7.5 CVSS Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Querverweis:	Common Vulnerability Exposure (CVE) ID: CVE-2011-2505 Bugtraq: 20110707 phpMyAdmin 3.x Multiple Remote Code Executions (Google Search) http://www.securityfocus.com/archive/1/518804/100/0/threaded Debian Security Information: DSA-2286 (Google Search) http://www.debian.org/security/2011/dsa-2286 http://www.exploit-db.com/exploits/17514/ http://lists.fedoraproject.org/pipermail/package-announce/2011-July/062719.html http://www.mandriva.com/security/advisories?name=MDVSA-2011:124 http://ha.xxor.se/2011/07/phpmyadmin-3x-multiple-remote-code.html http://www.xxor.se/advisories/phpMyAdmin_3.x_Multiple_Remote_Code_Executions.txt http://www.openwall.com/lists/oss-security/2011/06/28/2 http://www.openwall.com/lists/oss-security/2011/06/28/6 http://www.openwall.com/lists/oss-security/2011/06/28/8 http://www.openwall.com/lists/oss-security/2011/06/29/11 http://www.osvdb.org/73611 http://secunia.com/advisories/45139 http://secunia.com/advisories/45292 http://secunia.com/advisories/45315 http://securityreason.com/securityalert/8306 Common Vulnerability Exposure (CVE) ID: CVE-2011-2506 http://www.osvdb.org/73612 Common Vulnerability Exposure (CVE) ID: CVE-2011-2507 http://0x6a616d6573.blogspot.com/2011/07/phpmyadmin-fud.html http://ha.xxor.se/2011/07/phpmyadmin-3x-pregreplace-rce-poc.html http://www.osvdb.org/73613 Common Vulnerability Exposure (CVE) ID: CVE-2011-2508 http://www.osvdb.org/73614
Copyright	Copyright (C) 2011 E-Soft Inc.

Dies ist nur einer von 145615 Anfälligkeitstests in unserem Testpaket. Finden Sie mehr über unsere vollständigen Sicherheitsüberprüfungen heraus. Um einen gratis Test für diese Anfälligkeit auf Ihrem System durchlaufen zu lassen, registrieren Sie sich bitte unten.