U radu programskog paketa phpMyAdmin uočene su višestruke ranjivosti. PhpMyAdmin je paket namijenjen administraciji MySQL baze podataka putem web sučelja. Nedostaci se pojavljuju zbog pogreške u datotekama "error.php" i "phpinfo.php". Napadač može izvesti XSS napad podmetanjem zlonamjerno oblikovane BBcode oznake ili slanjem posebno oblikovanog zahtjeva zaobići postavljena sigurnosna ograničenja te tako doći u posjed osjetljivih informacija. Korisnicima se savjetuje instalacija dostupnih novih inačica koje sadrže ispravke opisanih ranjivosti.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2011:000
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : phpmyadmin
 Date    : January 5, 2011
 Affected: Corporate 4.0, Enterprise Server 5.0
 _______________________________________________________________________

 Problem Description:

 Multiple vulnerabilities has been found and corrected in phpmyadmin:
 
 error.php in PhpMyAdmin 3.3.8.1 and earlier allows remote attackers
 to conduct cross-site scripting (XSS) attacks via a crafted BBcode
 tag containing @ characters, as demonstrated using [a@url@page]
 (CVE-2010-4480).
 
 phpMyAdmin before 3.4.0-beta1 allows remote attackers to bypass
 authentication and obtain sensitive information via a direct request
 to phpinfo.php, which calls the phpinfo function (CVE-2010-4481).
 
 This upgrade provides the latest phpmyadmin version for MES5 (3.3.9)
 and patches the version for CS4 to address these vulnerabilities.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4480
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4481
 http://www.phpmyadmin.net/home_page/security/PMASA-2010-9.php
 http://www.phpmyadmin.net/home_page/security/PMASA-2010-10.php
 _______________________________________________________________________

 Updated Packages:

 Corporate 4.0:
 d07101ccc36cf4e67ae86a8ddc5d5310 
corporate/4.0/i586/phpMyAdmin-2.11.11.1-0.2.20060mlcs4.noarch.rpm 
 b30f2eea3b1c157c528bd44ba2576f5d 
corporate/4.0/SRPMS/phpMyAdmin-2.11.11.1-0.2.20060mlcs4.src.rpm

 Corporate 4.0/X86_64:
 b327495c075fd3eaa4809b3e3bd07984 
corporate/4.0/x86_64/phpMyAdmin-2.11.11.1-0.2.20060mlcs4.noarch.rpm 
 b30f2eea3b1c157c528bd44ba2576f5d 
corporate/4.0/SRPMS/phpMyAdmin-2.11.11.1-0.2.20060mlcs4.src.rpm

 Mandriva Enterprise Server 5:
 d0c008da55aa4fa7fe0892d15e15a87a 
mes5/i586/phpmyadmin-3.3.9-0.1mdvmes5.1.noarch.rpm 
 17ffcad097ff3dfee9d679c85ffd3ef9 
mes5/SRPMS/phpmyadmin-3.3.9-0.1mdvmes5.1.src.rpm

 Mandriva Enterprise Server 5/X86_64:
 86d7b84ba88a87e5cc18c7531b7c8e95 
mes5/x86_64/phpmyadmin-3.3.9-0.1mdvmes5.1.noarch.rpm 
 17ffcad097ff3dfee9d679c85ffd3ef9 
mes5/SRPMS/phpmyadmin-3.3.9-0.1mdvmes5.1.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFNJHJymqjQ0CJFipgRAjlRAKC+XaFLBg12smTRby8c+8BMIAlM4gCeO2QZ
byumLQxKE5Xc5noo8UpIlFM=
=BETQ
-----END PGP SIGNATURE-----



Idi na vrh