MDVSA-2010:163
- Package name: phpmyadmin
- Date: 2010-08-30
- Advisory ID: MDVSA-2010:163
- Affected versions: CS4.0 x86_64, CS4.0 i586
Problem description
Multiple vulnerabilities have been found and corrected in phpmyadmin:

The setup script used to generate the configuration can be fooled,
using a crafted POST request, into including arbitrary PHP code in the
generated configuration file. Combined with the ability to save files
on the server, this can allow unauthenticated users to execute
arbitrary PHP code (CVE-2010-3055).

It was possible to conduct an XSS attack using crafted URLs or POST
parameters on several pages (CVE-2010-3056).

This upgrade provides phpmyadmin 2.11.10.1, which is not vulnerable
to these security issues.
Updated packages
CS4.0 x86_64
98128e82ba787753668e820f5cd807c9 corporate/4.0/x86_64/phpMyAdmin-2.11.10.1-0.1.20060mlcs4.noarch.rpm
23ff812db8b70606ddd2961b9bc50f83 corporate/4.0/SRPMS/phpMyAdmin-2.11.10.1-0.1.20060mlcs4.src.rpm
CS4.0 i586
55f0a4869ae0e3f96583f124b0a85ef5 corporate/4.0/i586/phpMyAdmin-2.11.10.1-0.1.20060mlcs4.noarch.rpm
23ff812db8b70606ddd2961b9bc50f83 corporate/4.0/SRPMS/phpMyAdmin-2.11.10.1-0.1.20060mlcs4.src.rpm
