Vulnerabilities > CVE-2008-3456 - Link Following vulnerability in PHPmyadmin

047910
CVSS 6.4 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
PARTIAL
Availability impact
PARTIAL
network
low complexity
phpmyadmin
CWE-59
nessus
NVD
Published: 2008-08-04
Updated: 2017-08-08

Summary

phpMyAdmin before 2.11.8 does not sufficiently prevent its pages from using frames that point to pages in other domains, which makes it easier for remote attackers to conduct spoofing or phishing activities via a cross-site framing attack.

Vulnerable Configurations

Part Description Count
Application
Phpmyadmin
93

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Symlink Attack
    An attacker positions a symbolic link in such a manner that the targeted user or application accesses the link's endpoint, assuming that it is accessing a file with the link's name. The endpoint file may be either output or input. If the file is output, the result is that the endpoint is modified, instead of a file at the intended location. Modifications to the endpoint file may include appending, overwriting, corrupting, changing permissions, or other modifications. In some variants of this attack the attacker may be able to control the change to a file while in other cases they cannot. The former is especially damaging since the attacker may be able to grant themselves increased privileges or insert false information, but the latter can also be damaging as it can expose sensitive information or corrupt or destroy vital system or application files. Alternatively, the endpoint file may serve as input to the targeted application. This can be used to feed malformed input into the target or to cause the target to process different information, possibly allowing the attacker to control the actions of the target or to cause the target to expose information to the attacker. Moreover, the actions taken on the endpoint file are undertaken with the permissions of the targeted user or application, which may exceed the permissions that the attacker would normally have.
  • Accessing, Modifying or Executing Executable Files
    An attack of this type exploits a system's configuration that allows an attacker to either directly access an executable file, for example through shell access; or in a possible worst case allows an attacker to upload a file and then execute it. Web servers, ftp servers, and message oriented middleware systems which have many integration points are particularly vulnerable, because both the programmers and the administrators must be in synch regarding the interfaces and the correct privileges for each interface.
  • Leverage Executable Code in Non-Executable Files
    An attack of this type exploits a system's trust in configuration and resource files, when the executable loads the resource (such as an image file or configuration file) the attacker has modified the file to either execute malicious code directly or manipulate the target process (e.g. application server) to execute based on the malicious configuration parameters. Since systems are increasingly interrelated mashing up resources from local and remote sources the possibility of this attack occurring is high. The attack can be directed at a client system, such as causing buffer overrun through loading seemingly benign image files, as in Microsoft Security Bulletin MS04-028 where specially crafted JPEG files could cause a buffer overrun once loaded into the browser. Another example targets clients reading pdf files. In this case the attacker simply appends javascript to the end of a legitimate url for a pdf (http://www.gnucitizen.org/blog/danger-danger-danger/) http://path/to/pdf/file.pdf#whatever_name_you_want=javascript:your_code_here The client assumes that they are reading a pdf, but the attacker has modified the resource and loaded executable javascript into the client's browser process. The attack can also target server processes. The attacker edits the resource or configuration file, for example a web.xml file used to configure security permissions for a J2EE app server, adding role name "public" grants all users with the public role the ability to use the administration functionality. The server trusts its configuration file to be correct, but when they are manipulated, the attacker gains full control.
  • Manipulating Input to File System Calls
    An attacker manipulates inputs to the target software which the target software passes to file system calls in the OS. The goal is to gain access to, and perhaps modify, areas of the file system that the target software did not intend to be accessible.

Nessus

  • NASL familySuSE Local Security Checks
    NASL idSUSE_PHPMYADMIN-5781.NASL
    descriptionThis update of phpMyAdmin fixes the following bugs : - CVE-2008-1149: SQL injection, CSRF attacks using crafted cookies - CVE-2008-1567: local users can steal session information/credentials - CVE-2008-1924: in a shared host environment users with CREAT permissions can read arbitrary files - CVE-2008-3456: cross-site framing attack - CVE-2008-3457: user-assisted XSS attack
    last seen2020-06-01
    modified2020-06-02
    plugin id34813
    published2008-11-18
    reporterThis script is Copyright (C) 2008-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/34813
    titleopenSUSE 10 Security Update : phpMyAdmin (phpMyAdmin-5781)
    code
    #%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from openSUSE Security Update phpMyAdmin-5781.
#
# The text description of this plugin is (C) SUSE LLC.
#

include("compat.inc");

if (description)
{
  script_id(34813);
  script_version ("1.9");
  script_cvs_date("Date: 2019/10/25 13:36:33");

  script_cve_id("CVE-2008-1149", "CVE-2008-1567", "CVE-2008-1924", "CVE-2008-3456", "CVE-2008-3457");

  script_name(english:"openSUSE 10 Security Update : phpMyAdmin (phpMyAdmin-5781)");
  script_summary(english:"Check for the phpMyAdmin-5781 patch");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote openSUSE host is missing a security update."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"This update of phpMyAdmin fixes the following bugs :

  - CVE-2008-1149: SQL injection, CSRF attacks using crafted
    cookies

  - CVE-2008-1567: local users can steal session
    information/credentials

  - CVE-2008-1924: in a shared host environment users with
    CREAT permissions can read arbitrary files

  - CVE-2008-3456: cross-site framing attack

  - CVE-2008-3457: user-assisted XSS attack"
  );
  script_set_attribute(
    attribute:"solution", 
    value:"Update the affected phpMyAdmin package."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:P");
  script_cwe_id(59, 79, 89, 200, 352);

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:phpMyAdmin");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:10.2");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:10.3");

  script_set_attribute(attribute:"patch_publication_date", value:"2008/11/14");
  script_set_attribute(attribute:"plugin_publication_date", value:"2008/11/18");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2008-2019 Tenable Network Security, Inc.");
  script_family(english:"SuSE Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/SuSE/release");
if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
if (release !~ "^(SUSE10\.2|SUSE10\.3)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "10.2 / 10.3", release);
if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);



flag = 0;

if ( rpm_check(release:"SUSE10.2", reference:"phpMyAdmin-2.9.1.1-9") ) flag++;
if ( rpm_check(release:"SUSE10.3", reference:"phpMyAdmin-2.11.9-0.1") ) flag++;

if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
  else security_warning(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "phpMyAdmin");
}
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2008-6868.NASL
    descriptionThis update solves PMASA-2008-6 (phpMyAdmin security announcement) from 2008-07-28: Cross-site Framing; XSS in setup.php; see http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2008-6 - [interface] Table list pagination in navi - [profiling] Profiling causes query to be executed again (really causes a problem in case of INSERT/UPDATE) - [import] SQL file import very slow on Windows - [XHTML] problem with tabindex and radio fields - [interface] tabindex not set correctly - [views] VIEW name created via the GUI was not protected with backquotes - [interface] Deleting multiple views (space in name) - [parser] SQL parser removes essential space - [export] CSV for MS Excel incorrect escaping of double quotes - [interface] Font size option problem when no config file - [relation] Relationship view should check for changes - [history] Do not save too big queries in history - [security] Do not show version info on login screen - [import] Potential data loss on import resubmit - [export] Safari and timedate - [import, export] Import/Export fails because of Mac files - [security] protection against cross- frame scripting and new directive AllowThirdPartyFraming - [security] possible XSS during setup - [interface] revert language changing problem introduced with 2.11.7.1 phpMyAdmin 2.11.8.1 is a bugfix-only version containing normal bug fixes and two security fixes. This version is identical to 2.11.8, except it includes a fix for a notice about
    last seen2020-06-01
    modified2020-06-02
    plugin id33769
    published2008-07-31
    reporterThis script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/33769
    titleFedora 9 : phpMyAdmin-2.11.8.1-1.fc9 (2008-6868)
    code
    #%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were  
# extracted from Fedora Security Advisory 2008-6868.
#

include("compat.inc");

if (description)
{
  script_id(33769);
  script_version ("1.15");
  script_cvs_date("Date: 2019/08/02 13:32:28");

  script_cve_id("CVE-2008-3456", "CVE-2008-3457");
  script_bugtraq_id(30420);
  script_xref(name:"FEDORA", value:"2008-6868");

  script_name(english:"Fedora 9 : phpMyAdmin-2.11.8.1-1.fc9 (2008-6868)");
  script_summary(english:"Checks rpm output for the updated package.");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote Fedora host is missing a security update."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"This update solves PMASA-2008-6 (phpMyAdmin security announcement)
from 2008-07-28: Cross-site Framing; XSS in setup.php; see
http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2008-6 -
[interface] Table list pagination in navi - [profiling] Profiling
causes query to be executed again (really causes a problem in case of
INSERT/UPDATE) - [import] SQL file import very slow on Windows -
[XHTML] problem with tabindex and radio fields - [interface] tabindex
not set correctly - [views] VIEW name created via the GUI was not
protected with backquotes - [interface] Deleting multiple views (space
in name) - [parser] SQL parser removes essential space - [export] CSV
for MS Excel incorrect escaping of double quotes - [interface] Font
size option problem when no config file - [relation] Relationship view
should check for changes - [history] Do not save too big queries in
history - [security] Do not show version info on login screen -
[import] Potential data loss on import resubmit - [export] Safari and
timedate - [import, export] Import/Export fails because of Mac files -
[security] protection against cross- frame scripting and new directive
AllowThirdPartyFraming - [security] possible XSS during setup -
[interface] revert language changing problem introduced with 2.11.7.1
phpMyAdmin 2.11.8.1 is a bugfix-only version containing normal bug
fixes and two security fixes. This version is identical to 2.11.8,
except it includes a fix for a notice about 'lang'.

Note that Tenable Network Security has extracted the preceding
description block directly from the Fedora security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues."
  );
  # http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2008-6
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.phpmyadmin.net/security/PMASA-2008-6/"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.redhat.com/show_bug.cgi?id=456637"
  );
  # https://lists.fedoraproject.org/pipermail/package-announce/2008-July/013196.html
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?dff8dd45"
  );
  script_set_attribute(
    attribute:"solution", 
    value:"Update the affected phpMyAdmin package."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_cwe_id(59, 79);

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:phpMyAdmin");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:9");

  script_set_attribute(attribute:"patch_publication_date", value:"2008/07/30");
  script_set_attribute(attribute:"plugin_publication_date", value:"2008/07/31");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Fedora Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/RedHat/release");
if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
os_ver = os_ver[1];
if (! ereg(pattern:"^9([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 9.x", "Fedora " + os_ver);

if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);

flag = 0;
if (rpm_check(release:"FC9", reference:"phpMyAdmin-2.11.8.1-1.fc9")) flag++;


if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
  else security_warning(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "phpMyAdmin");
}
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-1641.NASL
    descriptionSeveral remote vulnerabilities have been discovered in phpMyAdmin, a tool to administrate MySQL databases over the web. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2008-4096 Remote authenticated users could execute arbitrary code on the host running phpMyAdmin through manipulation of a script parameter. - CVE-2008-3457 Cross site scripting through the setup script was possible in rare circumstances. - CVE-2008-3456 Protection has been added against remote websites loading phpMyAdmin into a frameset. - CVE-2008-3197 Cross site request forgery allowed remote attackers to create a new database, but not perform any other action on it.
    last seen2020-06-01
    modified2020-06-02
    plugin id34254
    published2008-09-23
    reporterThis script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/34254
    titleDebian DSA-1641-1 : phpmyadmin - several vulnerabilities
    code
    #%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were  
# extracted from Debian Security Advisory DSA-1641. The text 
# itself is copyright (C) Software in the Public Interest, Inc.
#

include("compat.inc");

if (description)
{
  script_id(34254);
  script_version("1.16");
  script_cvs_date("Date: 2019/08/02 13:32:21");

  script_cve_id("CVE-2008-3197", "CVE-2008-3456", "CVE-2008-3457", "CVE-2008-4096");
  script_bugtraq_id(30420);
  script_xref(name:"DSA", value:"1641");

  script_name(english:"Debian DSA-1641-1 : phpmyadmin - several vulnerabilities");
  script_summary(english:"Checks dpkg output for the updated package");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote Debian host is missing a security-related update."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"Several remote vulnerabilities have been discovered in phpMyAdmin, a
tool to administrate MySQL databases over the web. The Common
Vulnerabilities and Exposures project identifies the following
problems :

  - CVE-2008-4096
    Remote authenticated users could execute arbitrary code
    on the host running phpMyAdmin through manipulation of a
    script parameter.

  - CVE-2008-3457
    Cross site scripting through the setup script was
    possible in rare circumstances.

  - CVE-2008-3456
    Protection has been added against remote websites
    loading phpMyAdmin into a frameset.

  - CVE-2008-3197
    Cross site request forgery allowed remote attackers to
    create a new database, but not perform any other action
    on it."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/CVE-2008-4096"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/CVE-2008-3457"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/CVE-2008-3456"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/CVE-2008-3197"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.debian.org/security/2008/dsa-1641"
  );
  script_set_attribute(
    attribute:"solution", 
    value:
"Upgrade the phpmyadmin package.

For the stable distribution (etch), these problems have been fixed in
version 4:2.9.1.1-8."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:S/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_cwe_id(20, 59, 79, 352);

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:phpmyadmin");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:4.0");

  script_set_attribute(attribute:"patch_publication_date", value:"2008/09/20");
  script_set_attribute(attribute:"plugin_publication_date", value:"2008/09/23");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Debian Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");

  exit(0);
}


include("audit.inc");
include("debian_package.inc");


if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);


flag = 0;
if (deb_check(release:"4.0", prefix:"phpmyadmin", reference:"4:2.9.1.1-8")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
  else security_hole(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2008-6810.NASL
    descriptionThis update solves PMASA-2008-6 (phpMyAdmin security announcement) from 2008-07-28: Cross-site Framing; XSS in setup.php; see http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2008-6 - [interface] Table list pagination in navi - [profiling] Profiling causes query to be executed again (really causes a problem in case of INSERT/UPDATE) - [import] SQL file import very slow on Windows - [XHTML] problem with tabindex and radio fields - [interface] tabindex not set correctly - [views] VIEW name created via the GUI was not protected with backquotes - [interface] Deleting multiple views (space in name) - [parser] SQL parser removes essential space - [export] CSV for MS Excel incorrect escaping of double quotes - [interface] Font size option problem when no config file - [relation] Relationship view should check for changes - [history] Do not save too big queries in history - [security] Do not show version info on login screen - [import] Potential data loss on import resubmit - [export] Safari and timedate - [import, export] Import/Export fails because of Mac files - [security] protection against cross- frame scripting and new directive AllowThirdPartyFraming - [security] possible XSS during setup - [interface] revert language changing problem introduced with 2.11.7.1 phpMyAdmin 2.11.8.1 is a bugfix-only version containing normal bug fixes and two security fixes. This version is identical to 2.11.8, except it includes a fix for a notice about
    last seen2020-06-01
    modified2020-06-02
    plugin id33765
    published2008-07-31
    reporterThis script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/33765
    titleFedora 8 : phpMyAdmin-2.11.8.1-1.fc8 (2008-6810)
    code
    #%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were  
# extracted from Fedora Security Advisory 2008-6810.
#

include("compat.inc");

if (description)
{
  script_id(33765);
  script_version ("1.16");
  script_cvs_date("Date: 2019/08/02 13:32:28");

  script_cve_id("CVE-2008-3456", "CVE-2008-3457");
  script_bugtraq_id(30420);
  script_xref(name:"FEDORA", value:"2008-6810");

  script_name(english:"Fedora 8 : phpMyAdmin-2.11.8.1-1.fc8 (2008-6810)");
  script_summary(english:"Checks rpm output for the updated package.");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote Fedora host is missing a security update."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"This update solves PMASA-2008-6 (phpMyAdmin security announcement)
from 2008-07-28: Cross-site Framing; XSS in setup.php; see
http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2008-6 -
[interface] Table list pagination in navi - [profiling] Profiling
causes query to be executed again (really causes a problem in case of
INSERT/UPDATE) - [import] SQL file import very slow on Windows -
[XHTML] problem with tabindex and radio fields - [interface] tabindex
not set correctly - [views] VIEW name created via the GUI was not
protected with backquotes - [interface] Deleting multiple views (space
in name) - [parser] SQL parser removes essential space - [export] CSV
for MS Excel incorrect escaping of double quotes - [interface] Font
size option problem when no config file - [relation] Relationship view
should check for changes - [history] Do not save too big queries in
history - [security] Do not show version info on login screen -
[import] Potential data loss on import resubmit - [export] Safari and
timedate - [import, export] Import/Export fails because of Mac files -
[security] protection against cross- frame scripting and new directive
AllowThirdPartyFraming - [security] possible XSS during setup -
[interface] revert language changing problem introduced with 2.11.7.1
phpMyAdmin 2.11.8.1 is a bugfix-only version containing normal bug
fixes and two security fixes. This version is identical to 2.11.8,
except it includes a fix for a notice about 'lang'.

Note that Tenable Network Security has extracted the preceding
description block directly from the Fedora security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues."
  );
  # http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2008-6
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.phpmyadmin.net/security/PMASA-2008-6/"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.redhat.com/show_bug.cgi?id=456637"
  );
  # https://lists.fedoraproject.org/pipermail/package-announce/2008-July/013119.html
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?91edff2b"
  );
  script_set_attribute(
    attribute:"solution", 
    value:"Update the affected phpMyAdmin package."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_cwe_id(59, 79);

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:phpMyAdmin");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:8");

  script_set_attribute(attribute:"patch_publication_date", value:"2008/07/30");
  script_set_attribute(attribute:"plugin_publication_date", value:"2008/07/31");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Fedora Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/RedHat/release");
if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
os_ver = os_ver[1];
if (! ereg(pattern:"^8([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 8.x", "Fedora " + os_ver);

if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);

flag = 0;
if (rpm_check(release:"FC8", reference:"phpMyAdmin-2.11.8.1-1.fc8")) flag++;


if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
  else security_warning(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "phpMyAdmin");
}

Seebug

bulletinFamilyexploit
descriptionBugCVE: CVE-2008-3456,CVE-2008-3457 BUGTRAQ: 30420 phpMyAdmin的scripts/setup.php文件中show_overview ($title, $list, $buttons = '')函数没有正确地过滤685行echo $val[1]输入参数便返回给了用户,如果用户受骗跟随了恶意链接的话就会导致在用户浏览器会话中执行任意HTML和脚本代码。 phpMyAdmin &lt; 2.11.8 Debian ------ Debian已经为此发布了一个安全公告(DSA-1641-1)以及相应补丁: DSA-1641-1:New phpmyadmin packages fix several issues 链接:<a href=http://www.debian.org/security/2008/dsa-1641 target=_blank>http://www.debian.org/security/2008/dsa-1641</a> 补丁下载: Source archives: <a href=http://security.debian.org/pool/updates/main/p/phpmyadmin/phpmyadmin_2.9.1.1-8.dsc target=_blank>http://security.debian.org/pool/updates/main/p/phpmyadmin/phpmyadmin_2.9.1.1-8.dsc</a> Size/MD5 checksum: 1011 37114453aaf82b81dce82755e64ec033 <a href=http://security.debian.org/pool/updates/main/p/phpmyadmin/phpmyadmin_2.9.1.1-8.diff.gz target=_blank>http://security.debian.org/pool/updates/main/p/phpmyadmin/phpmyadmin_2.9.1.1-8.diff.gz</a> Size/MD5 checksum: 54521 a5b37a0f2d161337cc2acd5653c42312 <a href=http://security.debian.org/pool/updates/main/p/phpmyadmin/phpmyadmin_2.9.1.1.orig.tar.gz target=_blank>http://security.debian.org/pool/updates/main/p/phpmyadmin/phpmyadmin_2.9.1.1.orig.tar.gz</a> Size/MD5 checksum: 3500563 f598509b308bf96aee836eb2338f523c Architecture independent packages: <a href=http://security.debian.org/pool/updates/main/p/phpmyadmin/phpmyadmin_2.9.1.1-8_all.deb target=_blank>http://security.debian.org/pool/updates/main/p/phpmyadmin/phpmyadmin_2.9.1.1-8_all.deb</a> Size/MD5 checksum: 3607794 01749fe13d966bba1c6394ff2c185204 补丁安装方法: 1. 手工安装补丁包: 首先,使用下面的命令来下载补丁软件: # wget url (url是补丁下载链接地址) 然后,使用下面的命令来安装补丁: # dpkg -i file.deb (file是相应的补丁名) 2. 使用apt-get自动安装补丁包: 首先,使用下面的命令更新内部数据库: # apt-get update 然后,使用下面的命令安装更新软件包: # apt-get upgrade phpMyAdmin ---------- 目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载: <a href=http://prdownloads.sourceforge.net/phpmyadmin/phpMyAdmin-2.11.8.1-all-languages.tar.gz?download target=_blank>http://prdownloads.sourceforge.net/phpmyadmin/phpMyAdmin-2.11.8.1-all-languages.tar.gz?download</a>
idSSV:4337
last seen2017-11-19
modified2008-10-26
published2008-10-26
reporterRoot
titlephpMyAdmin setup.php文件跨站脚本执行漏洞

References