Debian Security Advisory

DSA-2097-1 phpmyadmin -- insufficient input sanitising

Date Reported:
29 Aug 2010
Affected Packages:
Security database references:
In Mitre's CVE dictionary: CVE-2010-3055, CVE-2010-3056.
More information:

Several remote vulnerabilities have been discovered in phpMyAdmin, a tool to administer MySQL over the web. The Common Vulnerabilities and Exposures project identifies the following problems:

  • CVE-2010-3055

    The configuration setup script does not properly sanitise its output file, which allows remote attackers to execute arbitrary PHP code via a crafted POST request. In Debian, the setup tool is protected through Apache HTTP basic authentication by default.

  • CVE-2010-3056

    Various cross site scripting issues have been discovered that allow a remote attacker to inject arbitrary web script or HTML.

For the stable distribution (lenny), these problems have been fixed in version

For the testing (squeeze) and unstable distribution (sid), these problems have been fixed in version

We recommend that you upgrade your phpmyadmin package.

Fixed in:

Debian GNU/Linux 5.0 (lenny)

Architecture-independent component:

MD5 checksums of the listed files are available in the original advisory.