Vulnerability Scanning Solutions, LLC.
What We Scan For
Family: Gentoo Local Security Checks --> Category: infos

[GLSA-200510-21] phpMyAdmin: Local file inclusion and XSS vulnerabilities Vulnerability Scan

Vulnerability Scan Summary
phpMyAdmin: Local file inclusion and XSS vulnerabilities

Detailed Explanation for this Vulnerability Test
The remote host is affected by the vulnerability described in GLSA-200510-21
(phpMyAdmin: Local file inclusion and XSS vulnerabilities)

Stefan Esser discovered that by calling certain PHP files
directly, it was possible to work around the grab_globals.lib.php
security model and overwrite the $cfg configuration array. Systems
running PHP in safe mode are not affected by this issue. Furthermore,
Tobias Klein reported several cross-site scripting issues resulting
from insufficient sanitising of user input.


An attacker may exploit the file inclusion issue by sending
malicious requests that cause phpMyAdmin to include a local file; where
the attacker can place a file on the server (a local user, or one able
to upload content), this leads to the execution of arbitrary code with
the rights of the user running the web server. Furthermore, the
cross-site scripting issues give a remote attacker the ability to inject
and execute malicious script code in a victim's browser or to steal
cookie-based authentication credentials.


There is no known workaround that covers all of these issues at this time. PHP safe mode mitigates only the file inclusion issue, not the cross-site scripting issues.


All phpMyAdmin users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-db/phpmyadmin-2.6.4_p3"
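The check behind a Gentoo local security check of this kind is a version comparison: the installed dev-db/phpmyadmin version is compared against the fixed version named in the advisory, 2.6.4_p3, using Portage's ordering of version suffixes (_rc sorts before a plain release, _p after it). The following is an added example of that comparison, written for this page; it is not the scanner's own plugin code nor anything from the GLSA. It assumes a simplified Portage version comparison (numeric components compared as integers, without Portage's leading-zero rule) and reads package entries in the category/package-version form used for directory names under /var/db/pkg; the sample entries are constructed. A package version can say nothing about whether PHP runs in safe mode, and a phpMyAdmin copy unpacked by hand under the web root would not appear in the package database at all, so a negative result from this check is not proof of absence.

```python
import re
from typing import Iterable, List, Tuple

# Ordering of Gentoo version suffixes: _alpha < _beta < _pre < _rc < (no suffix) < _p.
# A version with no suffix gets rank 0, so it sits between _rc (-1) and _p (+1).
SUFFIX_RANK = {"alpha": -4, "beta": -3, "pre": -2, "rc": -1, "p": 1}

VERSION_RE = re.compile(
    r"^(?P<nums>\d+(?:\.\d+)*)"                         # dotted numeric components, e.g. 2.6.4
    r"(?P<letter>[a-z])?"                               # optional single letter, e.g. 1.0a
    r"(?P<suffixes>(?:_(?:alpha|beta|pre|rc|p)\d*)*)"   # zero or more _suffixN parts
    r"(?:-r(?P<rev>\d+))?$"                             # optional ebuild revision -rN
)

# Fixed version from the GLSA: ">=dev-db/phpmyadmin-2.6.4_p3".
FIXED_VERSION = "2.6.4_p3"


def parse_version(ver: str):
    """Split a Gentoo version string into comparable parts.

    Assumption: numeric components are compared as integers. Portage's special
    handling of leading zeros in components after the first (1.01 vs 1.1) is
    not reproduced here; it does not affect the phpMyAdmin versions involved.
    """
    m = VERSION_RE.match(ver)
    if not m:
        raise ValueError(f"not a Gentoo version string: {ver!r}")
    nums = tuple(int(x) for x in m.group("nums").split("."))
    letter = m.group("letter") or ""
    suffixes = tuple(
        (SUFFIX_RANK[name], int(num or 0))
        for name, num in re.findall(r"_([a-z]+)(\d*)", m.group("suffixes"))
    )
    rev = int(m.group("rev") or 0)
    return nums, letter, suffixes, rev


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 as version a is older than, equal to, or newer than b."""
    na, la, sa, ra = parse_version(a)
    nb, lb, sb, rb = parse_version(b)
    if na != nb:
        return -1 if na < nb else 1
    if la != lb:
        return -1 if la < lb else 1
    # Pad the shorter suffix list with the "no suffix" rank so that
    # 2.6.4 < 2.6.4_p3 and 2.6.4_rc1 < 2.6.4 both come out right.
    width = max(len(sa), len(sb))
    sa = sa + ((0, 0),) * (width - len(sa))
    sb = sb + ((0, 0),) * (width - len(sb))
    if sa != sb:
        return -1 if sa < sb else 1
    return (ra > rb) - (ra < rb)


def is_vulnerable(installed: str) -> bool:
    """True if the installed phpMyAdmin version predates the GLSA fix."""
    return compare_versions(installed, FIXED_VERSION) < 0


def check_vdb(entries: Iterable[str]) -> List[Tuple[str, str]]:
    """Flag vulnerable phpMyAdmin installs among category/package-version
    entries, the directory-name form found under /var/db/pkg on a Gentoo host."""
    findings = []
    for atom in entries:
        category, _, pv = atom.partition("/")
        if category != "dev-db":
            continue
        m = re.match(r"^phpmyadmin-(\d.*)$", pv)
        if not m:
            continue
        if is_vulnerable(m.group(1)):
            findings.append((atom, m.group(1)))
    return findings


# Constructed sample of a package database; not taken from any real host.
SAMPLE_VDB = [
    "dev-db/phpmyadmin-2.6.4_p2",
    "dev-db/mysql-4.1.14",
    "www-servers/apache-2.0.54-r31",
]

if __name__ == "__main__":
    for atom, ver in check_vdb(SAMPLE_VDB):
        print(f"{atom}: {ver} is older than {FIXED_VERSION}, affected by GLSA-200510-21")
```

On a real host the entries would come from listing /var/db/pkg/dev-db/, and the same comparator serves any other GLSA by changing the package name and fixed version.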

Threat Level: Medium



P.O. Box 827051

Pembroke Pines, FL 33082-7051
