Lucene search

[email protected]NVD:CVE-2011-2507

HistoryJul 14, 2011 - 11:55 p.m.

CVE-2011-2507

2011-07-1423:55:04

CWE-94

[email protected]

web.nvd.nist.gov

CVSS2

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:P/I:P/A:P

AI Score

6.7

Confidence

Low

EPSS

0.166

Percentile

96.0%

JSON

libraries/server_synchronize.lib.php in the Synchronize implementation in phpMyAdmin 3.x before 3.3.10.2 and 3.4.x before 3.4.3.1 does not properly quote regular expressions, which allows remote authenticated users to inject a PCRE e (aka PREG_REPLACE_EVAL) modifier, and consequently execute arbitrary PHP code, by leveraging the ability to modify the SESSION superglobal array.

Affected configurations

Nvd

Node

phpmyadminphpmyadminMatch3.0.0

phpmyadminphpmyadminMatch3.0.0alpha

phpmyadminphpmyadminMatch3.0.0beta

phpmyadminphpmyadminMatch3.0.0rc1

phpmyadminphpmyadminMatch3.0.1

phpmyadminphpmyadminMatch3.0.1rc1

phpmyadminphpmyadminMatch3.0.1.1

phpmyadminphpmyadminMatch3.1.0

phpmyadminphpmyadminMatch3.1.0beta1

phpmyadminphpmyadminMatch3.1.1

phpmyadminphpmyadminMatch3.1.1rc1

phpmyadminphpmyadminMatch3.1.2

phpmyadminphpmyadminMatch3.1.2rc1

phpmyadminphpmyadminMatch3.1.3

phpmyadminphpmyadminMatch3.1.3rc1

phpmyadminphpmyadminMatch3.1.3.1

phpmyadminphpmyadminMatch3.1.3.2

phpmyadminphpmyadminMatch3.1.4

phpmyadminphpmyadminMatch3.1.4rc2

phpmyadminphpmyadminMatch3.1.5

phpmyadminphpmyadminMatch3.1.5rc1

phpmyadminphpmyadminMatch3.2.0

phpmyadminphpmyadminMatch3.2.0beta1

phpmyadminphpmyadminMatch3.2.0rc1

phpmyadminphpmyadminMatch3.2.1

phpmyadminphpmyadminMatch3.2.1rc1

phpmyadminphpmyadminMatch3.2.2

phpmyadminphpmyadminMatch3.2.2rc1

phpmyadminphpmyadminMatch3.3.0.0

phpmyadminphpmyadminMatch3.3.1.0

phpmyadminphpmyadminMatch3.3.2.0

phpmyadminphpmyadminMatch3.3.3.0

phpmyadminphpmyadminMatch3.3.4.0

phpmyadminphpmyadminMatch3.3.5.0

phpmyadminphpmyadminMatch3.3.5.1

phpmyadminphpmyadminMatch3.3.6

phpmyadminphpmyadminMatch3.3.7

phpmyadminphpmyadminMatch3.3.8

phpmyadminphpmyadminMatch3.3.8.1

phpmyadminphpmyadminMatch3.3.9.0

phpmyadminphpmyadminMatch3.3.9.1

phpmyadminphpmyadminMatch3.3.9.2

phpmyadminphpmyadminMatch3.3.10.0

phpmyadminphpmyadminMatch3.3.10.1

Node

phpmyadminphpmyadminMatch3.4.0.0

phpmyadminphpmyadminMatch3.4.1.0

phpmyadminphpmyadminMatch3.4.2.0

phpmyadminphpmyadminMatch3.4.3.0

References

0x6a616d6573.blogspot.com/2011/07/phpmyadmin-fud.html

ha.xxor.se/2011/07/phpmyadmin-3x-multiple-remote-code.html

ha.xxor.se/2011/07/phpmyadmin-3x-pregreplace-rce-poc.html

lists.fedoraproject.org/pipermail/package-announce/2011-July/062719.html

phpmyadmin.git.sourceforge.net/git/gitweb.cgi?p=phpmyadmin/phpmyadmin%3Ba=commit%3Bh=69fb0f8e7dc38075427aceaf09bcac697d0590ff

secunia.com/advisories/45139

secunia.com/advisories/45292

secunia.com/advisories/45315

securityreason.com/securityalert/8306

typo3.org/teams/security/security-bulletins/typo3-sa-2011-008/

www.debian.org/security/2011/dsa-2286

www.mandriva.com/security/advisories?name=MDVSA-2011:124

www.openwall.com/lists/oss-security/2011/06/28/2

www.openwall.com/lists/oss-security/2011/06/28/6

www.openwall.com/lists/oss-security/2011/06/28/8

www.openwall.com/lists/oss-security/2011/06/29/11

www.osvdb.org/73613

www.phpmyadmin.net/home_page/security/PMASA-2011-7.php

www.securityfocus.com/archive/1/518804/100/0/threaded

www.xxor.se/advisories/phpMyAdmin_3.x_Multiple_Remote_Code_Executions.txt

CVSS2

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:P/I:P/A:P

AI Score

6.7

Confidence

Low

EPSS

0.166

Percentile

96.0%

JSON

Related for NVD:CVE-2011-2507

debiancve1 prion1 ubuntucve1 cve1 cvelist1 phpmyadmin1 dsquare1 openvas10 packetstorm1 securityvulns3 nessus5 seebug2 freebsd1 osv1 debian1 gentoo1