CVE-2006-5116 - Cross-Site Scripting vulnerability in PHPMyAdmin

CVSS 5.1 - MEDIUM

  • Attack vector: NETWORK
  • Attack complexity: HIGH
  • Privileges required: NONE
  • Confidentiality impact: PARTIAL
  • Integrity impact: PARTIAL
  • Availability impact: PARTIAL

Summary

Multiple cross-site request forgery (CSRF) vulnerabilities in phpMyAdmin before 2.9.1-rc1 allow remote attackers to perform unauthorized actions as another user by (1) directly setting a token in the URL through dynamic variable evaluation and (2) unsetting arbitrary variables via the _REQUEST array, related to (a) libraries/common.lib.php, (b) session.inc.php, and (c) url_generating.lib.php. NOTE: the PHP unset function vector is covered by CVE-2006-3017.

Nessus

  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_SA_2006_071.NASL
    description: The remote host is missing the patch for the advisory SUSE-SA:2006:071 (phpMyAdmin). The phpMyAdmin package was upgraded to version 2.9.1.1. While we usually do not do version upgrades, fixing the occurring security problems of phpMyAdmin got too difficult so we decided to go with the current upstream version. This release includes fixes for the previously not fixed security problems tracked by the Mitre CVE IDs CVE-2006-3388, CVE-2006-5116, CVE-2006-5117, and CVE-2006-5718 and of course all other bugs fixed in 2.9.1.1.
    last seen: 2019-10-28
    modified: 2007-02-18
    plugin id: 24448
    published: 2007-02-18
    reporter: This script is Copyright (C) 2007-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/24448
    title: SUSE-SA:2006:071: phpMyAdmin
    code:
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # This plugin text was extracted from SuSE Security Advisory SUSE-SA:2006:071
    #
    
    
    if ( ! defined_func("bn_random") ) exit(0);
    
    include("compat.inc");
    
    if(description)
    {
     script_id(24448);
     script_version ("1.9");
     
     name["english"] = "SUSE-SA:2006:071: phpMyAdmin";
     
     script_name(english:name["english"]);
     
     script_set_attribute(attribute:"synopsis", value:
    "The remote host is missing a vendor-supplied security patch" );
     script_set_attribute(attribute:"description", value:
    "The remote host is missing the patch for the advisory SUSE-SA:2006:071 (phpMyAdmin).
    
    
    The phpMyAdmin package was upgraded to version 2.9.1.1.
    
    While we usually do not do version upgrades, fixing the occurring
    security problems of phpMyAdmin got too difficult so we decided to
    go with the current upstream version.
    
    This release includes fixes for the previously not fixed security problems
    tracked by the Mitre CVE IDs CVE-2006-3388, CVE-2006-5116, CVE-2006-5117,
    and CVE-2006-5718 and of course all other bugs fixed in 2.9.1.1." );
     script_set_attribute(attribute:"solution", value:
    "http://www.novell.com/linux/security/advisories/2006_71_phpmyadmin.html" );
     script_set_attribute(attribute:"risk_factor", value:"High" );
    
    
    
     script_set_attribute(attribute:"plugin_publication_date", value: "2007/02/18");
     script_end_attributes();
    
     
     summary["english"] = "Check for the version of the phpMyAdmin package";
     script_summary(english:summary["english"]);
     
     script_category(ACT_GATHER_INFO);
     
     script_copyright(english:"This script is Copyright (C) 2007-2019 Tenable Network Security, Inc.");
     family["english"] = "SuSE Local Security Checks";
     script_family(english:family["english"]);
     
     script_dependencies("ssh_get_info.nasl");
     script_require_keys("Host/SuSE/rpm-list");
     exit(0);
    }
    
    include("rpm.inc");
    if ( rpm_check( reference:"phpMyAdmin-2.9.1.1-2.1", release:"SUSE10.0") )
    {
     security_hole(0);
     exit(0);
    }
    if ( rpm_check( reference:"phpMyAdmin-2.9.1.1-2.1", release:"SUSE9.3") )
    {
     security_hole(0);
     exit(0);
    }
    
  • NASL family: FreeBSD Local Security Checks
    NASL id: FREEBSD_PKG_19B17AB451E011DBA5AE00508D6A62DF.NASL
    description: phpMyAdmin team reports : We received a security advisory from Stefan Esser ([email protected]) and we wish to thank him for his work. It was possible to inject arbitrary SQL commands by forcing an authenticated user to follow a crafted link.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 22487
    published: 2006-10-02
    reporter: This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/22487
    title: FreeBSD : phpmyadmin -- CSRF vulnerabilities (19b17ab4-51e0-11db-a5ae-00508d6a62df)
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from the FreeBSD VuXML database :
    #
    # Copyright 2003-2018 Jacques Vidrine and contributors
    #
    # Redistribution and use in source (VuXML) and 'compiled' forms (SGML,
    # HTML, PDF, PostScript, RTF and so forth) with or without modification,
    # are permitted provided that the following conditions are met:
    # 1. Redistributions of source code (VuXML) must retain the above
    #    copyright notice, this list of conditions and the following
    #    disclaimer as the first lines of this file unmodified.
    # 2. Redistributions in compiled form (transformed to other DTDs,
    #    published online in any format, converted to PDF, PostScript,
    #    RTF and other formats) must reproduce the above copyright
    #    notice, this list of conditions and the following disclaimer
    #    in the documentation and/or other materials provided with the
    #    distribution.
    # 
    # THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS "AS IS"
    # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
    # THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
    # PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS
    # BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
    # OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
    # OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
    # BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
    # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
    # OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,
    # EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(22487);
      script_version("1.18");
      script_cvs_date("Date: 2019/08/02 13:32:38");
    
      script_cve_id("CVE-2006-5116", "CVE-2006-5117");
      script_bugtraq_id(20253);
      script_xref(name:"Secunia", value:"22126");
    
      script_name(english:"FreeBSD : phpmyadmin -- CSRF vulnerabilities (19b17ab4-51e0-11db-a5ae-00508d6a62df)");
      script_summary(english:"Checks for updated package in pkg_info output");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote FreeBSD host is missing a security-related update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "phpMyAdmin team reports :
    
    We received a security advisory from Stefan Esser
    ([email protected]) and we wish to thank him for his work.
    
    It was possible to inject arbitrary SQL commands by forcing an
    authenticated user to follow a crafted link."
      );
      # http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2006-5
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.phpmyadmin.net/security/PMASA-2006-5/"
      );
      # https://vuxml.freebsd.org/freebsd/19b17ab4-51e0-11db-a5ae-00508d6a62df.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?51b1bc5a"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected package.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:phpMyAdmin");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:freebsd:freebsd");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2006/09/28");
      script_set_attribute(attribute:"patch_publication_date", value:"2006/10/02");
      script_set_attribute(attribute:"plugin_publication_date", value:"2006/10/02");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"FreeBSD Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/FreeBSD/release", "Host/FreeBSD/pkg_info");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("freebsd_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/FreeBSD/release")) audit(AUDIT_OS_NOT, "FreeBSD");
    if (!get_kb_item("Host/FreeBSD/pkg_info")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    
    if (pkg_test(save_report:TRUE, pkg:"phpMyAdmin<2.9.0.1")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:pkg_report_get());
      else security_warning(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL family: CGI abuses
    NASL id: PHPMYADMIN_291.NASL
    description: The version of phpMyAdmin installed on the remote host allows an unauthenticated attacker to bypass variable blacklisting in its globalization routine and destroy, for example, the contents of session variables.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 22512
    published: 2006-10-06
    reporter: This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/22512
    title: phpMyAdmin < 2.9.1 Multiple Vulnerabilities
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    
    include("compat.inc");
    
    if (description)
    {
      script_id(22512);
      script_version("1.15");
      script_cvs_date("Date: 2018/11/15 20:50:18");
    
      script_cve_id("CVE-2006-5116");
      script_bugtraq_id(20253);
    
      script_name(english:"phpMyAdmin < 2.9.1 Multiple Vulnerabilities");
      script_summary(english:"Tries to pass in a numeric key in phpMyAdmin");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote web server contains a PHP application that suffers from
    multiple issues." );
      script_set_attribute(attribute:"description", value:
    "The version of phpMyAdmin installed on the remote host allows an
    unauthenticated attacker to bypass variable blacklisting in its
    globalization routine and destroy, for example, the contents of
    session variables." );
      script_set_attribute(attribute:"see_also", value:"http://www.hardened-php.net/advisory_072006.130.html" );
      script_set_attribute(attribute:"see_also", value:"https://seclists.org/fulldisclosure/2006/Oct/5" );
      script_set_attribute(attribute:"see_also", value:"http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2006-5" );
      script_set_attribute(attribute:"solution", value:
    "Upgrade to phpMyAdmin version 2.9.0.1 or later." );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
      script_set_attribute(attribute:"exploit_available", value:"false");
      script_set_attribute(attribute:"plugin_publication_date", value: "2006/10/06");
      script_set_attribute(attribute:"vuln_publication_date", value: "2006/09/27");
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:phpmyadmin:phpmyadmin");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"CGI abuses");
    
      script_copyright(english:"This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.");
    
      script_dependencies("phpMyAdmin_detect.nasl");
      script_exclude_keys("Settings/disable_cgi_scanning");
      script_require_ports("Services/www", 80);
      script_require_keys("www/phpMyAdmin", "www/PHP");
      exit(0);
    }
    
    
    include("global_settings.inc");
    include("misc_func.inc");
    include("http.inc");
    
    port = get_http_port(default:80, php: 1);
    
    
    # Test an install.
    install = get_kb_item(string("www/", port, "/phpMyAdmin"));
    if (isnull(install)) exit(0);
    matches = eregmatch(string:install, pattern:"^(.+) under (/.*)$");
    if (!isnull(matches))
    {
      dir = matches[2];
    
      # Grab index.php.
      url = string(dir, "/index.php");
      res = http_get_cache(item:url, port:port, exit_on_fail: 1);
    
      # Don't check if we see an error like the one we'll try to generate.
      if (
        "Fatal error" >< res ||
        "Call to a member function on a non-object in" >< res
      ) exit(0);
    
      # Try to overwrite $_SESSION via 'libraries/grab_globals.lib.php'.
      # If successful, this will lead to a fatal error later in 
      # 'libraries/common.lib.php'. 
      bound = "bound";
      boundary = string("--", bound);
      postdata = string(
        boundary, "\r\n", 
        'Content-Disposition: form-data; name="_SESSION"; filename="nessus";', "\r\n",
        "Content-Type: text/plain\r\n",
        "\r\n",
        "foo\r\n",
    
        boundary, "--", "\r\n"
      );
      r = http_send_recv3(method:"POST", item: url, version: 11, port:port,
        exit_on_fail: 1,
        content_type: "multipart/form-data; boundary="+bound,
        data: postdata);
      res = r[2];
    
      # There's a problem if we see a fatal error.
      if (res && "Call to a member function on a non-object in" >< res) 
        security_warning(port);
      # what to do if (res == NULL) (eg, error display is disable but
      # app is vulnerable)???
    }
    
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_PHPMYADMIN-2300.NASL
    description: This patch upgrades the phpMyAdmin package to version 2.9.1.1, including fixes for the security problems tracked by the Mitre CVE IDs CVE-2006-3388, CVE-2006-5116, CVE-2006-5117, and CVE-2006-5718.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 27395
    published: 2007-10-17
    reporter: This script is Copyright (C) 2007-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/27395
    title: openSUSE 10 Security Update : phpMyAdmin (phpMyAdmin-2300)
  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DSA-1207.NASL
    description: The phpmyadmin update in DSA 1207 introduced a regression. This update corrects this flaw. For completeness, please find below the original advisory text : Several remote vulnerabilities have been discovered in phpMyAdmin, a program to administrate MySQL over the web. The Common Vulnerabilities and Exposures project identifies the following problems :
      - CVE-2005-3621 CRLF injection vulnerability allows remote attackers to conduct HTTP response splitting attacks.
      - CVE-2005-3665 Multiple cross-site scripting (XSS) vulnerabilities allow remote attackers to inject arbitrary web script or HTML via the (1) HTTP_HOST variable and (2) various scripts in the libraries directory that handle header generation.
      - CVE-2006-1678 Multiple cross-site scripting (XSS) vulnerabilities allow remote attackers to inject arbitrary web script or HTML via scripts in the themes directory.
      - CVE-2006-2418 A cross-site scripting (XSS) vulnerability allows remote attackers to inject arbitrary web script or HTML via the db parameter of footer.inc.php.
      - CVE-2006-5116 A remote attacker could overwrite internal variables through the _FILES global variable.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 23656
    published: 2006-11-20
    reporter: This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/23656
    title: Debian DSA-1207-2 : phpmyadmin - several vulnerabilities