Debian Security Advisory
DSA-1207-2 phpmyadmin -- several vulnerabilities
- Date Reported:
- 09 Nov 2006
- Affected Packages:
- Security database references:
- In the Debian bugtracking system: Bug 339437, Bug 340438, Bug 362567, Bug 368082, Bug 391090.
In Mitre's CVE dictionary: CVE-2006-1678, CVE-2006-2418, CVE-2005-3621, CVE-2005-3665, CVE-2006-5116.
- More information:
The phpmyadmin update in DSA 1207 introduced a regression. This update corrects this flaw. For completeness, please find below the original advisory text:
Several remote vulnerabilities have been discovered in phpMyAdmin, a program to administrate MySQL over the web. The Common Vulnerabilities and Exposures project identifies the following problems:
CRLF injection vulnerability allows remote attackers to conduct HTTP response splitting attacks.
Multiple cross-site scripting (XSS) vulnerabilities allow remote attackers to inject arbitrary web script or HTML via the (1) HTTP_HOST variable and (2) various scripts in the libraries directory that handle header generation.
Multiple cross-site scripting (XSS) vulnerabilities allow remote attackers to inject arbitrary web script or HTML via scripts in the themes directory.
A cross-site scripting (XSS) vulnerability allows remote attackers to inject arbitrary web script or HTML via the db parameter of footer.inc.php.
A remote attacker could overwrite internal variables through the _FILES global variable.
For the stable distribution (sarge) these problems have been fixed in version 2.6.2-3sarge3.
For the upcoming stable release (etch) and unstable distribution (sid) these problems have been fixed in version 220.127.116.11-1.
We recommend that you upgrade your phpmyadmin package.
- Fixed in:
Debian GNU/Linux 3.1 (sarge)
- Architecture-independent component:
MD5 checksums of the listed files are available in the original advisory.
MD5 checksums of the listed files are available in the revised advisory.