CERTA-2008-AVI-114

Vulnerability from certfr_avis - Published: 2008-03-03 - Updated: 2008-03-03

A vulnerability in phpMyAdmin allows a remote user to execute arbitrary SQL queries.

Description

A vulnerability has been identified in phpMyAdmin. It relates to the way the parameters of an HTTP request passed to phpMyAdmin are handled. Under certain conditions, this flaw makes it possible to replace a legitimate cookie with an arbitrary one. A specially crafted cookie can then be used to execute arbitrary SQL queries.

Solution

Refer to the vendor's security bulletin to obtain the patches (see the Documentation section).

Affected systems: phpMyAdmin versions 2.11.4 and earlier.


{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [],
  "affected_systems_content": "\u003cp\u003ephpMyAdmin versions 2.11.4 et  ant\u00e9rieures.\u003c/p\u003e",
  "content": "## Description\n\nUne vuln\u00e9rabilit\u00e9 a \u00e9t\u00e9 identifi\u00e9e dans phpMyAdmin. Celle-ci est\nrelative \u00e0 la fa\u00e7on dont sont manipul\u00e9s les param\u00e8tres d\u0027une requ\u00eate\nHTTP pass\u00e9e \u00e0 phpMyAdmin. Cette faille permet, sous certaines\nconditions, de remplacer un \u00ab cookie \u00bb l\u00e9gitime par un autre quelconque.\nIl est alors possible via ce cookie con\u00e7u de fa\u00e7on particuli\u00e8re\nd\u0027effectuer des req\u00eates SQL arbitraires.\n\n## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [],
  "initial_release_date": "2008-03-03T00:00:00",
  "last_revision_date": "2008-03-03T00:00:00",
  "links": [
    {
      "title": "Bulletin de s\u00e9curit\u00e9 phpMyAdmin PMASA-2008-1 du 01 mars    2008 :",
      "url": "http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2008-1"
    },
    {
      "title": "Site de phpMyAdmin :",
      "url": "http://www.phpmyadmin.net"
    }
  ],
  "reference": "CERTA-2008-AVI-114",
  "revisions": [
    {
      "description": "version initiale.",
      "revision_date": "2008-03-03T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Injection de requ\u00eates SQL"
    }
  ],
  "summary": "Une vuln\u00e9rabilit\u00e9 dans phpMyAdmin permet \u00e0 un utilisateur distant\nd\u0027effectuer des requ\u00eates SQL arbitraires.\n",
  "title": "Vuln\u00e9rabilit\u00e9 dans phpMyAdmin",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 phpMyAdmin PMASA-2008-1 du 01 mars 2008",
      "url": null
    }
  ]
}

