Debian Security Advisory

DSA-2286-1 phpmyadmin -- several vulnerabilities

Date Reported:
26 Jul 2011
Affected Packages:
Security database references:
In Mitre's CVE dictionary: CVE-2011-2505, CVE-2011-2506, CVE-2011-2507, CVE-2011-2508, CVE-2011-2642.
More information:

Several vulnerabilities were discovered in phpMyAdmin, a tool to administrate MySQL over the web. The Common Vulnerabilities and Exposures project identifies the following problems:

  • CVE-2011-2505

    Possible session manipulation in Swekey authentication.

  • CVE-2011-2506

    Possible code injection in setup script, in case session variables are compromised.

  • CVE-2011-2507

    Regular expression quoting issue in Synchronize code.

  • CVE-2011-2508

    Possible directory traversal in MIME-type transformation.

  • CVE-2011-2642

    Cross site scripting in table Print view when the attacker can create crafted table names.

  • No CVE name yet

    Possible superglobal and local variables manipulation in Swekey authentication. (PMASA-2011-12)

The oldstable distribution (lenny) is only affected by CVE-2011-2642, which has been fixed in version

For the stable distribution (squeeze), these problems have been fixed in version 3.3.7-6.

For the testing distribution (wheezy) and unstable distribution (sid), these problems have been fixed in version

We recommend that you upgrade your phpmyadmin packages.