Debian Security Advisory

DLA-0014-1 phpmyadmin -- LTS security update

Date Reported:
09 Jul 2014
Affected Packages:
phpmyadmin
Vulnerable:
Yes
Security database references:
In Mitre's CVE dictionary: CVE-2013-3239, CVE-2013-4995, CVE-2013-4996, CVE-2013-5003.
More information:

Several vulnerabilities have been discovered in phpMyAdmin, a tool to administer MySQL over the web. The Common Vulnerabilities and Exposures project identifies the following problems:

  • CVE-2013-3239

    Authenticated users could execute arbitrary code when a SaveDir directory is configured and Apache HTTP Server has the mod_mime module enabled, by employing double filename extensions.

  • CVE-2013-4995

    Authenticated users could inject arbitrary web script or HTML via a crafted SQL query.

  • CVE-2013-4996

    Cross-site scripting was possible via a crafted logo URL in the navigation panel or a crafted entry in the Trusted Proxy list.

  • CVE-2013-5003

    Authenticated users could execute arbitrary SQL commands as the phpMyAdmin control user via the scale parameter of PMD PDF export.

For Debian 6 Squeeze, these issues have been fixed in phpmyadmin version 4:3.3.7-8.