Debian Security Advisory

DLA-0014-1 phpmyadmin -- LTS security update

Date Reported:
09 Jul 2014
Affected Packages:
Security database references:
In Mitre's CVE dictionary: CVE-2013-3239, CVE-2013-4995, CVE-2013-4996, CVE-2013-5003.
More information:

Several vulnerabilities have been discovered in phpMyAdmin, a tool to administer MySQL over the web. The Common Vulnerabilities and Exposures project identifies the following problems:

  • CVE-2013-3239

    Authenticated users could execute arbitrary code, when a SaveDir directory is configured and Apache HTTP Server has the mod_mime module enabled, by employing double filename extensions.

  • CVE-2013-4995

    Authenticatd users could inject arbitrary web script or HTML via a crafted SQL query.

  • CVE-2013-4996

    Cross site scripting was possible via a crafted logo URL in the navigation panel or a crafted entry in the Trusted Proxy list.

  • CVE-2013-5003

    Authenticated users could execute arbitrary SQL commands as the phpMyAdmin control user via the scale parameter of PMD PDF export.

For Debian 6 Squeeze, these issues have been fixed in phpmyadmin version 4:3.3.7-8