Vigil@nce: phpMyAdmin: several vulnerabilities
January 2010 by Vigil@nce
SYNTHESIS OF THE VULNERABILITY
Three vulnerabilities of phpMyAdmin can be used by an attacker to
alter files or data.
Severity: 2/4
Consequences: data creation/edition
Provenance: intranet client
Means of attack: no proof of concept, no attack
Ability of attacker: expert (4/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: high (3/3)
Number of vulnerabilities in this bulletin: 3
Creation date: 13/01/2010
IMPACTED PRODUCTS
– Mandriva Corporate
– OpenSUSE
– SUSE Linux Enterprise Server
– Unix - plateform
DESCRIPTION OF THE VULNERABILITY
The phpMyAdmin server is used to administer a MySQL database via a
web browser. It is impacted by three vulnerabilities.
Data are not correctly unserialized, so they can be altered by an
attacker. [grav:2/4; BID-37861, CVE-2009-4605]
Failure of temporary directories creation are not handled in
libraries/File.class.php. [grav:1/4; CVE-2008-7251]
The name of temporary files used in libraries/File.class.php can
be predicted. [grav:2/4; CVE-2008-7252]
CHARACTERISTICS
Identifiers: BID-37826, BID-37861, CVE-2008-7251, CVE-2008-7252,
CVE-2009-4605, MDVSA-2010:018, SUSE-SR:2010:001, VIGILANCE-VUL-9338
http://vigilance.fr/vulnerability/phpMyAdmin-several-vulnerabilities-9338