Test ID: | 1.3.6.1.4.1.25623.1.1.10.2013.0238 |
Category: | Mageia Linux Local Security Checks |
Title: | Mageia: Security Advisory (MGASA-2013-0238) |
Summary: | The remote host is missing an update for the 'phpmyadmin' package(s) announced via the MGASA-2013-0238 advisory. |
Description: | Summary: The remote host is missing an update for the 'phpmyadmin' package(s) announced via the MGASA-2013-0238 advisory.

Vulnerability Insight: Using a crafted SQL query, it was possible to produce an XSS on the SQL query form (PMASA-2013-8) (CVE-2013-4995).

In setup/index.php, using a crafted # hash with a JavaScript event, untrusted JS code could be executed. In the Display chart view, a chart title containing HTML code was rendered unescaped, leading to possible JavaScript code execution via events. A malicious user with permission to create databases or users having HTML tags in their name could trigger an XSS vulnerability by issuing a sleep query with a long delay. In the server status monitor, the query parameters were shown unescaped. By configuring a malicious URL for the phpMyAdmin logo link in the navigation sidebar, untrusted script code could be executed when a user clicked the logo. The setup field for 'List of trusted proxies for IP allow/deny' Ajax validation code returned the unescaped input on errors, leading to possible JavaScript execution by entering arbitrary HTML (PMASA-2013-9).

Also, the version.json file, which is fetched from the phpMyAdmin.net website, was not properly validated, which could lead to an XSS attack if a crafted version.json file were presented (PMASA-2013-11). (CVE-2013-4996, CVE-2013-4997)

By calling some scripts that are part of phpMyAdmin in an unexpected way, it is possible to trigger phpMyAdmin to display a PHP error message which contains the full path of the directory where phpMyAdmin is installed (PMASA-2013-12) (CVE-2013-4998, CVE-2013-5000).

When calling schema_export.php with crafted parameters, it is possible to trigger an XSS (PMASA-2013-14) (CVE-2013-5002).

Due to a missing validation of parameters passed to schema_export.php and pmd_pdf.php, it was possible to inject SQL statements that would run with the privileges of the control user. This gives read and write access to the tables of the configuration storage database, and if the control user has the necessary privileges, read access to some tables of the mysql database (PMASA-2013-15) (CVE-2013-5003).

Affected Software/OS: 'phpmyadmin' package(s) on Mageia 2, Mageia 3.

Solution: Please install the updated package(s).

CVSS Score: 6.5

CVSS Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P |
Cross-reference: |
Common Vulnerability Exposure (CVE) ID: CVE-2013-4995
BugTraq ID: 61510
http://www.securityfocus.com/bid/61510
http://secunia.com/advisories/59832

Common Vulnerability Exposure (CVE) ID: CVE-2013-4996
BugTraq ID: 61921
http://www.securityfocus.com/bid/61921

Common Vulnerability Exposure (CVE) ID: CVE-2013-4997

Common Vulnerability Exposure (CVE) ID: CVE-2013-4998

Common Vulnerability Exposure (CVE) ID: CVE-2013-5000

Common Vulnerability Exposure (CVE) ID: CVE-2013-5002
BugTraq ID: 61516
http://www.securityfocus.com/bid/61516

Common Vulnerability Exposure (CVE) ID: CVE-2013-5003
BugTraq ID: 61923
http://www.securityfocus.com/bid/61923 |
Copyright | Copyright (C) 2022 Greenbone AG |