MDVSA-2011:000
- Package name: phpmyadmin
- Date: 2011-01-05
- Advisory ID: MDVSA-2011:000
- Affected versions: CS4.0 x86_64, MES5 i586, CS4.0 i586, MES5 x86_64
Problem description
Multiple vulnerabilities have been found and corrected in phpmyadmin:

error.php in phpMyAdmin 3.3.8.1 and earlier allows remote attackers
to conduct cross-site scripting (XSS) attacks via a crafted BBcode
tag containing @ characters, as demonstrated using [a@url@page]
(CVE-2010-4480).

phpMyAdmin before 3.4.0-beta1 allows remote attackers to bypass
authentication and obtain sensitive information via a direct request
to phpinfo.php, which calls the phpinfo function (CVE-2010-4481).

This upgrade provides the latest phpmyadmin version for MES5 (3.3.9)
and patches the version for CS4 to address these vulnerabilities.
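
As an added example (not part of the Mandriva advisory), this Python script flags access-log requests that match the two issues described above: direct requests to phpinfo.php, and error.php requests whose query carries a bracketed tag containing @. The install prefix /phpmyadmin/, the Combined Log Format input, and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote, unquote_plus

APP_PREFIX = "/phpmyadmin/"  # assumption: where the application is served
# Client address, request target and status from a Combined Log Format line.
REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3})')
# Bracketed tag containing '@', the shape the advisory cites: [a@url@page]
BBCODE_AT = re.compile(r"\[[^\]\s@]*@[^\]]*\]")

# Constructed sample lines (documentation addresses); the query parameter
# name "x" is a placeholder, the check does not depend on it.
SAMPLE_LOG = [
    '192.0.2.10 - - [05/Jan/2011:10:00:01 +0000] "GET /phpmyadmin/index.php HTTP/1.1" 200 5120',
    '198.51.100.7 - - [05/Jan/2011:10:00:09 +0000] "GET /phpmyadmin/phpinfo.php HTTP/1.1" 200 48211',
    '198.51.100.7 - - [05/Jan/2011:10:00:15 +0000] "GET /phpmyadmin/error.php?x=%5Ba%40url%40page%5D HTTP/1.1" 200 901',
    '192.0.2.44 - - [05/Jan/2011:10:01:02 +0000] "GET /phpMyAdmin/phpinfo.php HTTP/1.1" 403 210',
    '192.0.2.10 - - [05/Jan/2011:10:02:00 +0000] "GET /phpmyadmin/error.php?x=plain+text HTTP/1.1" 200 640',
]

def classify(line, prefix=APP_PREFIX):
    """Return (cve, client, path, status) for a matching request, else None."""
    m = REQUEST.match(line)
    if not m:
        return None
    client, target, status = m.group(1), m.group(2), int(m.group(3))
    parts = urlsplit(target)
    path = unquote(parts.path)
    if prefix not in path.lower():
        return None
    script = path.rsplit("/", 1)[-1].lower()
    # Decode twice so a double-encoded tag (%255B...) is still seen.
    query = unquote_plus(unquote_plus(parts.query))
    if script == "phpinfo.php":
        # A 200 status means phpinfo() output was actually returned.
        return ("CVE-2010-4481", client, path, status)
    if script == "error.php" and BBCODE_AT.search(query):
        return ("CVE-2010-4480", client, path, status)
    return None

def scan(lines):
    """Classify every line and keep only the hits."""
    return [hit for hit in map(classify, lines) if hit]

if __name__ == "__main__":
    for cve, client, path, status in scan(SAMPLE_LOG):
        print(f"{cve} {client} {path} -> HTTP {status}")
```
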
Updated packages
CS4.0 x86_64
b327495c075fd3eaa4809b3e3bd07984 corporate/4.0/x86_64/phpMyAdmin-2.11.11.1-0.2.20060mlcs4.noarch.rpm
b30f2eea3b1c157c528bd44ba2576f5d corporate/4.0/SRPMS/phpMyAdmin-2.11.11.1-0.2.20060mlcs4.src.rpm
MES5 i586
d0c008da55aa4fa7fe0892d15e15a87a mes5/i586/phpmyadmin-3.3.9-0.1mdvmes5.1.noarch.rpm
17ffcad097ff3dfee9d679c85ffd3ef9 mes5/SRPMS/phpmyadmin-3.3.9-0.1mdvmes5.1.src.rpm
CS4.0 i586
d07101ccc36cf4e67ae86a8ddc5d5310 corporate/4.0/i586/phpMyAdmin-2.11.11.1-0.2.20060mlcs4.noarch.rpm
b30f2eea3b1c157c528bd44ba2576f5d corporate/4.0/SRPMS/phpMyAdmin-2.11.11.1-0.2.20060mlcs4.src.rpm
MES5 x86_64
86d7b84ba88a87e5cc18c7531b7c8e95 mes5/x86_64/phpmyadmin-3.3.9-0.1mdvmes5.1.noarch.rpm
17ffcad097ff3dfee9d679c85ffd3ef9 mes5/SRPMS/phpmyadmin-3.3.9-0.1mdvmes5.1.src.rpm
