Debian Security Advisory
DSA-1693-2 phppgadmin -- several vulnerabilities
- Date Reported:
- 27 Dec 2008
- Affected Packages:
- phppgadmin
- Vulnerable:
- Yes
- Security database references:
- In the Debian bugtracking system: Bug 427151, Bug 449103, Bug 508026.
In Mitre's CVE dictionary: CVE-2007-2865, CVE-2007-5728, CVE-2008-5587. - More information:
-
Several remote vulnerabilities have been discovered in phpPgAdmin, a tool to administrate PostgreSQL database over the web. The Common Vulnerabilities and Exposures project identifies the following problems:
- CVE-2007-2865
Cross-site scripting vulnerability allows remote attackers to inject arbitrary web script or HTML via the server parameter.
- CVE-2007-5728
Cross-site scripting vulnerability allows remote attackers to inject arbitrary web script or HTML via PHP_SELF.
- CVE-2008-5587
Directory traversal vulnerability allows remote attackers to read arbitrary files via _language parameter.
For the stable distribution (etch), these problems have been fixed in version 4.0.1-3.1etch2.
For the unstable distribution (sid), these problems have been fixed in version 4.2.1-1.1.
We recommend that you upgrade your phppgadmin package.
- CVE-2007-2865
- Fixed in:
-
Debian GNU/Linux 4.0 (etch)
- Source:
- http://security.debian.org/pool/updates/main/p/phppgadmin/phppgadmin_4.0.1.orig.tar.gz
- http://security.debian.org/pool/updates/main/p/phppgadmin/phppgadmin_4.0.1-3.1etch2.dsc
- http://security.debian.org/pool/updates/main/p/phppgadmin/phppgadmin_4.0.1-3.1etch2.diff.gz
- http://security.debian.org/pool/updates/main/p/phppgadmin/phppgadmin_4.0.1-3.1etch2.dsc
- Architecture-independent component:
- http://security.debian.org/pool/updates/main/p/phppgadmin/phppgadmin_4.0.1-3.1etch2_all.deb
MD5 checksums of the listed files are available in the original advisory.