Debian Security Advisory
DSA-1207-2 phpmyadmin -- several vulnerabilities
- Date Reported:
- 09 Nov 2006
- Affected Packages:
- phpmyadmin
- Vulnerable:
- Yes
- Security database references:
- In the Debian bugtracking system: Bug 339437, Bug 340438, Bug 362567, Bug 368082, Bug 391090.
In Mitre's CVE dictionary: CVE-2006-1678, CVE-2006-2418, CVE-2005-3621, CVE-2005-3665, CVE-2006-5116. - More information:
-
The phpmyadmin update in DSA 1207 introduced a regression. This update corrects this flaw. For completeness, please find below the original advisory text:
Several remote vulnerabilities have been discovered in phpMyAdmin, a program to administrate MySQL over the web. The Common Vulnerabilities and Exposures project identifies the following problems:
- CVE-2005-3621
CRLF injection vulnerability allows remote attackers to conduct HTTP response splitting attacks.
- CVE-2005-3665
Multiple cross-site scripting (XSS) vulnerabilities allow remote attackers to inject arbitrary web script or HTML via the (1) HTTP_HOST variable and (2) various scripts in the libraries directory that handle header generation.
- CVE-2006-1678
Multiple cross-site scripting (XSS) vulnerabilities allow remote attackers to inject arbitrary web script or HTML via scripts in the themes directory.
- CVE-2006-2418
A cross-site scripting (XSS) vulnerability allows remote attackers to inject arbitrary web script or HTML via the db parameter of footer.inc.php.
- CVE-2006-5116
A remote attacker could overwrite internal variables through the _FILES global variable.
For the stable distribution (sarge) these problems have been fixed in version 2.6.2-3sarge3.
For the upcoming stable release (etch) and unstable distribution (sid) these problems have been fixed in version 2.9.0.3-1.
We recommend that you upgrade your phpmyadmin package.
- CVE-2005-3621
- Fixed in:
-
Debian GNU/Linux 3.1 (sarge)
- Source:
- http://security.debian.org/pool/updates/main/p/phpmyadmin/phpmyadmin_2.6.2-3sarge3.dsc
- http://security.debian.org/pool/updates/main/p/phpmyadmin/phpmyadmin_2.6.2-3sarge3.diff.gz
- http://security.debian.org/pool/updates/main/p/phpmyadmin/phpmyadmin_2.6.2.orig.tar.gz
- http://security.debian.org/pool/updates/main/p/phpmyadmin/phpmyadmin_2.6.2-3sarge3.diff.gz
- Architecture-independent component:
- http://security.debian.org/pool/updates/main/p/phpmyadmin/phpmyadmin_2.6.2-3sarge3_all.deb
MD5 checksums of the listed files are available in the original advisory.
MD5 checksums of the listed files are available in the revised advisory.