=====================================================================
CERT-Renater Information Note No. 2010/VULN319
_____________________________________________________________________

DATE                 : 23/08/2010
HARDWARE PLATFORM(S) : /
OPERATING SYSTEM(S)  : Systems running phpMyAdmin 2.11.x prior to 2.11.10.1
                       and 3.x prior to 3.3.5.1.
======================================================================

http://www.phpmyadmin.net/home_page/security/PMASA-2010-4.php
http://www.phpmyadmin.net/home_page/security/PMASA-2010-5.php
______________________________________________________________________

PMASA-2010-4

Announcement-ID: PMASA-2010-4
Date: 2010-08-20

Summary

Insufficient output sanitizing when generating the configuration file.

Description

The setup script used to generate the configuration file can be fooled,
using a crafted POST request, into including arbitrary PHP code in the
generated configuration file. Combined with the ability to save files on
the server, this can allow unauthenticated users to execute arbitrary PHP
code.

Severity

We consider this vulnerability to be critical.

Affected Versions

For 2.11.x: versions before 2.11.10.1.

Unaffected Versions

Branch 3.x is not affected by this.

Solution

Upgrade to phpMyAdmin 2.11.10.1 or apply the patch listed below.

References

Thanks to Takeshi Terada of Mitsui Bussan Secure Directions, Inc., who
discovered this issue and reported it to us. See the reported bug for
more details.

Assigned CVE ids: CVE-2010-3055

Patches

The following commit has been made on the 2.11 branch to fix this issue:

* 30c83acddb58d3bbf940b5f9ec28abf5b235f4d2

More information

For further information and in case of questions, please contact the
phpMyAdmin team. Our website is phpmyadmin.net.
_____________________________________________________________________

PMASA-2010-5

Announcement-ID: PMASA-2010-5
Date: 2010-08-20

Summary

Several XSS vulnerabilities were found in the code.

Description

It was possible to conduct an XSS attack using crafted URLs or POST
parameters on several pages.

Severity

We consider this vulnerability to be serious.

Affected Versions

For 2.11.x: versions before 2.11.10.1 are affected.
For 3.x: versions before 3.3.5.1 are affected.

Solution

Upgrade to phpMyAdmin 3.3.5.1 or 2.11.10.1 or newer, or apply the patches
listed below.

References

Thanks to Aung Khant from YGN Ethical Hacker Group, Myanmar, for reporting
this issue. See their advisory for more details. After this report the
team audited the code as well and discovered more issues, which are also
fixed.

Assigned CVE ids: CVE-2010-3056

Patches

The following commits have been made to fix this issue:

* 48e909660032ddcbc13172830761e363e7a64d72
* be0f47a93141e2950ad400b8d22a2a98512825c2
* cd205cc55a46e3dc0f8883966f5c854f842e1000
* 7dc6cea06522b2d4af50934c983f3967540a4918
* 6028221d97efa2a7d56a61ab4c5750d1b2343619
* 2a1233b69ccc6c64819c2840ca5277c2dde0b9e0
* fa30188dde357426d339d0d7e29a3969f88d188a
* 00add5c43f594f80dab6304a5bb35d2e50540d2d
* c75e41d5d8cdd9bbc745c8cbe2c16998fda1de0c
* 533e10213590e7ccd83b98a5cd19ba1c3be119dd
* ea3b718fc379c15e773cc2f18ea4c8ccfa9af57b
* 7f266483b827fb05a4be11663003418c2ef1c878
* 5bcd95a42c8ba924d389eafee4d7be80bd4039a3
* 6d548f7d449b7d4b796949d10a503484f63eaf82
* d2e0e09e0d402555a6223f0b683fdbfa97821a63
* f273e6cbf6e2eea7367f7ef9c63c97ea55b92ca0
* bf60ec82e948450ae18b9e66c48d27da55ebe860
* 59b3b4916b31fa44f31b1e2d243ca7dda012ba37

The following commits have been made on the 2.11 branch to fix this issue:

* a7c004d8d4069ca3c7d1c221f37b9cab39e36aaf
* 8b7f07cd954221f276ab11e2c3d98f18deb2f551
* 1fe1aa6c0e2d85bed1343f4be21d672368e0a9c1
* 8b8ce64792bb981cefc37a19f29f28f112df1c16
* a4a54da173440d4c5097aececef56c28c14dc52e
* c69fca50ee81ff74cda860aad339d4185d32e194
* c910f4c9ec9af876675d96df3fa65d7fc4551cc6
* 08e27b89077df26a0f7f0390322bbe80e0437aa1
* 110c44a7a3117b94b065742606cc6f7bc05f8cd5
* 4951fd1c854d88e22935fd55d342fcb1670dc8e4
* 4a50055d52cb1d6ba125b743b0eb422d5549b9c9
* 0fd0512c9b7344abad60ab9effb7b7537b2b5d08
* 2051a861f8a968dafc297650036cc7e640a18887
* a88dbaf305a44107ffb557e9d93512792744af84

More information

For further information and in case of questions, please contact the
phpMyAdmin team. Our website is phpmyadmin.net.
======================================================================

=========================================================
CERT-Renater reference servers
http://www.urec.fr/securite
http://www.cru.fr/securite
http://www.renater.fr
=========================================================
+ CERT-RENATER         | tel  : 01-53-94-20-44    +
+ 151 bd de l'Hopital  | fax  : 01-53-94-20-41    +
+ 75013 Paris          | email: certsvp@renater.fr +
=========================================================
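As an added illustration that is not part of the CERT-Renater note or of phpMyAdmin's own code: both advisories above share one root cause, request data reaching an output context (PHP source in PMASA-2010-4, HTML in PMASA-2010-5) without escaping appropriate to that context. The PHP below shows the unsafe concatenation pattern beside a hardened form for each context, plus a self-check that parses the generated configuration with PHP's own tokenizer. The setting names, renderer functions and sample value are hypothetical and are not taken from phpMyAdmin's setup script or from the patches listed above; var_export() is the generic remedy for the configuration case, and whether the upstream commit uses it is not stated in the advisory.

```php
<?php
// Added example (not phpMyAdmin's code). Two output contexts, two serializers:
// PHP source must be produced with var_export(), HTML with htmlspecialchars().
declare(strict_types=1);

// PMASA-2010-4 pattern, unsafe: a submitted value is pasted into PHP source.
// A quote in $host closes the string literal and the remainder becomes code.
function renderConfigUnsafe(string $host): string
{
    return "<?php\n\$cfg['Servers'][1]['host'] = '" . $host . "';\n";
}

// Hardened form: var_export() emits a quoted, escaped PHP literal for every
// value, so submitted data can only ever be data. Setting names are also
// allow-listed so that only plain identifiers (hypothetical keys here) reach
// the generated file.
function renderConfigSafe(array $server): string
{
    $out = "<?php\n";
    foreach ($server as $key => $value) {
        if (!preg_match('/^[A-Za-z_]+$/', (string) $key)) {
            throw new InvalidArgumentException("unexpected setting name: $key");
        }
        $out .= "\$cfg['Servers'][1][" . var_export($key, true) . "] = "
              . var_export($value, true) . ";\n";
    }
    return $out;
}

// PMASA-2010-5 pattern: a request parameter reflected into a page.
// h() escapes for HTML text and attribute context; ENT_QUOTES also encodes
// single quotes, so the result is safe inside single-quoted attributes.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

function renderPageUnsafe(string $table): string
{
    return "<h2>Table: " . $table . "</h2>\n";
}

function renderPageSafe(string $table): string
{
    return "<h2>Table: " . h($table) . "</h2>\n";
}

// Self-check with a constructed sample value containing a quote and a tag.
// The tokenizer view of the generated config must show exactly two statements
// (one per setting) and the HTML must contain no raw tag. Returns true when
// both hardened renderers keep the value inert.
function selfCheck(): bool
{
    $sample = "localhost'; <b>x</b>";   // constructed sample, not a real payload
    $cfg = renderConfigSafe(['host' => $sample, 'port' => 3306]);
    $tokens = token_get_all($cfg);
    // Single-character tokens are plain strings; ';' inside a string literal
    // is part of the T_CONSTANT_ENCAPSED_STRING token, not a statement end.
    $statements = count(array_filter($tokens, fn ($t) => $t === ';'));
    $html = renderPageSafe($sample);
    return $statements === 2
        && strpos($cfg, "'localhost\\'; <b>x</b>'") !== false
        && strpos($html, '<b>') === false
        && strpos($html, '&lt;b&gt;') !== false;
}

var_dump(selfCheck());
```

Run it with `php example.php`; it prints `bool(true)`. The tokenizer check is the useful part for a reviewer: any configuration writer can be tested the same way by feeding it hostile-looking values and asserting that the number of `;` tokens (and the absence of T_INLINE_HTML or closing-tag tokens) does not change, which catches the PMASA-2010-4 class of defect without executing the generated file.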