=====================================================================
CERT-Renater Information Note No. 2010/VULN039
_____________________________________________________________________

DATE                  : 18/01/2010
HARDWARE PLATFORM(S)  : /
OPERATING SYSTEM(S)   : Systems running phpMyAdmin versions 2 prior to 2.11.10.

======================================================================

http://www.phpmyadmin.net/home_page/security/PMASA-2010-1.php
http://www.phpmyadmin.net/home_page/security/PMASA-2010-2.php
http://www.phpmyadmin.net/home_page/security/PMASA-2010-3.php

______________________________________________________________________

PMASA-2010-1

Announcement-ID: PMASA-2010-1
Date: 2010-01-15

Summary
  Unsafe handling of temporary directory

Description
  phpMyAdmin used to automatically create a temporary world-writable
  directory, which could lead to possible misuse of it.

Severity
  We consider these vulnerabilities to be not critical.

Affected Versions
  For 2.11.x: versions before 2.11.10 are affected.

Unaffected Versions
  3.x releases are not affected.

Solution
  Upgrade to phpMyAdmin 3.0.0 or 2.11.10.

References
  We wish to thank Thijs Kinkhorst for pointing out this issue.
  Assigned CVE ids: CVE-2008-7251

Patches
  Revision 11536 was applied to all affected branches.

For further information and in case of questions, please contact the
phpMyAdmin team. Our website is http://www.phpmyadmin.net.

______________________________________________________________________

PMASA-2010-2

Announcement-ID: PMASA-2010-2
Date: 2010-01-15

Summary
  Unsafe handling of temporary files

Description
  phpMyAdmin created temporary files with a predictable file name.

Severity
  We consider these vulnerabilities to be not critical.

Affected Versions
  For 2.11.x: versions before 2.11.10 are affected.

Unaffected Versions
  3.x releases are not affected.

Solution
  Upgrade to phpMyAdmin 3.0.0 or 2.11.10.

References
  We wish to thank Thijs Kinkhorst for pointing out this issue.
  Assigned CVE ids: CVE-2008-7252

Patches
  Revision 11528 was applied to all affected branches.

For further information and in case of questions, please contact the
phpMyAdmin team. Our website is http://www.phpmyadmin.net.

______________________________________________________________________

PMASA-2010-3

Announcement-ID: PMASA-2010-3
Date: 2010-01-15

Summary
  Unsafe usage of the unserialize function.

Description
  phpMyAdmin used the unserialize() PHP function on potentially unsafe
  data in the setup script, which could potentially be used for an XSRF
  attack.

Severity
  We consider these vulnerabilities to be not critical.

Affected Versions
  For 2.11.x: versions before 2.11.10 are affected.

Unaffected Versions
  3.x releases are not affected.

Solution
  Upgrade to phpMyAdmin 3.0.0 or 2.11.10.

References
  We wish to thank Thomas Biege and Sebastian Krahmer for pointing out
  this issue.
  Assigned CVE ids: CVE-2009-4605

Patches
  Revision 13149 was applied to all affected branches.

For further information and in case of questions, please contact the
phpMyAdmin team. Our website is http://www.phpmyadmin.net.

======================================================================

=========================================================
CERT-Renater reference servers
http://www.urec.fr/securite
http://www.cru.fr/securite
http://www.renater.fr
=========================================================
+ CERT-RENATER             | tel : 01-53-94-20-44 +
+ 151 bd de l'Hopital      | fax : 01-53-94-20-41 +
+ 75013 Paris              | email: certsvp@renater.fr +
=========================================================
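The three advisories above describe three distinct defect classes: a world-writable temporary directory (PMASA-2010-1), temporary files with predictable names (PMASA-2010-2), and unserialize() applied to request-controlled data in the setup script (PMASA-2010-3). The following is an added example, written for this note and not taken from phpMyAdmin or from the fixes in revisions 11536, 11528 and 13149; it shows the hardened form of each pattern in PHP. All function names, the HMAC scheme and the sample values are assumptions made for illustration, and the code requires PHP 7.0 or later (random_bytes() and the allowed_classes option of unserialize()).

```php
<?php
declare(strict_types=1);

// Added example (not phpMyAdmin code). Hypothetical helpers showing the
// hardened counterpart of the three patterns in PMASA-2010-1/2/3.

// PMASA-2010-1: never create a world-writable (0777) shared directory.
// Create a per-application directory with a random name and mode 0700.
// mkdir() fails if the path already exists, so there is no
// create-then-chmod window for another local user to exploit.
function createPrivateTempDir(string $base): string
{
    if (!is_dir($base) || !is_writable($base)) {
        throw new RuntimeException("base directory not usable: $base");
    }
    $oldUmask = umask(0077);            // be explicit instead of trusting the process umask
    try {
        for ($attempt = 0; $attempt < 16; $attempt++) {
            $dir = $base . DIRECTORY_SEPARATOR . 'app-' . bin2hex(random_bytes(8));
            if (@mkdir($dir, 0700)) {
                return $dir;
            }
        }
    } finally {
        umask($oldUmask);
    }
    throw new RuntimeException('could not create a private temp directory');
}

// PMASA-2010-2: a predictable name such as "/tmp/app.<pid>" can be
// pre-created or symlinked by another local user. tempnam() chooses a
// random suffix and creates the file with mode 0600, but it silently falls
// back to the system temp directory when $dir is not writable, so verify
// where the file actually landed before using it.
function createPrivateTempFile(string $dir): string
{
    $path = tempnam($dir, 'app');
    if ($path === false) {
        throw new RuntimeException('tempnam failed');
    }
    if (dirname(realpath($path)) !== realpath($dir)) {
        unlink($path);
        throw new RuntimeException('temp file was not created in the expected directory');
    }
    return $path;
}

// PMASA-2010-3: unserialize() on request data instantiates arbitrary classes
// and lets a forged request hand the setup script attacker-chosen
// configuration. Hardened form (an assumed design): the server signs the blob
// it hands out with an HMAC keyed by a session-bound secret, verifies the
// signature in constant time before parsing, and forbids object instantiation
// during unserialize(). A cross-site forged request cannot carry a valid MAC.
function signConfig(array $config, string $secret): string
{
    $blob = serialize($config);
    return base64_encode(hash_hmac('sha256', $blob, $secret, true) . $blob);
}

function loadSignedConfig(string $token, string $secret): array
{
    $raw = base64_decode($token, true);
    if ($raw === false || strlen($raw) < 32) {
        throw new InvalidArgumentException('malformed token');
    }
    $mac  = substr($raw, 0, 32);        // 32 bytes: raw SHA-256 output
    $blob = substr($raw, 32);
    if (!hash_equals(hash_hmac('sha256', $blob, $secret, true), $mac)) {
        throw new InvalidArgumentException('bad signature: token not issued by this server');
    }
    $config = unserialize($blob, ['allowed_classes' => false]);
    if (!is_array($config)) {
        throw new InvalidArgumentException('config must be a plain array');
    }
    return $config;
}

// Usage with constructed values (in practice $secret lives in the session).
$secret  = bin2hex(random_bytes(32));
$tmpDir  = createPrivateTempDir(sys_get_temp_dir());
$tmpFile = createPrivateTempFile($tmpDir);
$token   = signConfig(['Servers' => [['host' => 'localhost']]], $secret);
$cfg     = loadSignedConfig($token, $secret);
var_dump($cfg['Servers'][0]['host'] === 'localhost');   // bool(true)
```

The directory and file helpers rely on the filesystem refusing to create an existing path, which is what removes the race between choosing a name and protecting it; the realpath() comparison is the check that catches tempnam() quietly relocating the file. For the setup-script case, the signature check is what converts "data from the request" into "data this server produced earlier", and allowed_classes => false removes the object-instantiation side effect that makes unserialize() dangerous on anything else.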