Lumension® Endpoint Intelligence Center

Intelligence Center » Browse All Vulnerabilities » CVE-2011-2507

Overview

Vulnerability Score 6.5 6.5
CVE Id CVE-2011-2507
Last Modified 25 Oct 2011 10:59:51
Published 14 Jul 2011 07:55:04
Confidentiality Impact PARTIAL PARTIAL
Integrity Impact PARTIAL PARTIAL
Availability Impact PARTIAL PARTIAL
Access Vector NETWORK
Access Complexity LOW
Authentication SINGLE_INSTANCE

CVE-2011-2507

Summary

libraries/server_synchronize.lib.php in the Synchronize implementation in phpMyAdmin 3.x before 3.3.10.2 and 3.4.x before 3.4.3.1 does not properly quote regular expressions, which allows remote authenticated users to inject a PCRE e (aka PREG_REPLACE_EVAL) modifier, and consequently execute arbitrary PHP code, by leveraging the ability to modify the SESSION superglobal array.

Vulnerable Systems

Application

  • Phpmyadmin 3.0.0

  • Phpmyadmin 3.0.1

  • Phpmyadmin 3.0.1.1

  • Phpmyadmin 3.1.0

  • Phpmyadmin 3.1.1

  • Phpmyadmin 3.1.2

  • Phpmyadmin 3.1.3

  • Phpmyadmin 3.1.3.1

  • Phpmyadmin 3.1.3.2

  • Phpmyadmin 3.1.4

  • Phpmyadmin 3.1.5

  • Phpmyadmin 3.2.0

  • Phpmyadmin 3.2.1

  • Phpmyadmin 3.2.2

  • Phpmyadmin 3.3.0.0

  • Phpmyadmin 3.3.1.0

  • Phpmyadmin 3.3.10.0

  • Phpmyadmin 3.3.10.1

  • Phpmyadmin 3.3.2.0

  • Phpmyadmin 3.3.3.0

  • Phpmyadmin 3.3.4.0

  • Phpmyadmin 3.3.5.0

  • Phpmyadmin 3.3.5.1

  • Phpmyadmin 3.3.6

  • Phpmyadmin 3.3.7

  • Phpmyadmin 3.3.8

  • Phpmyadmin 3.3.8.1

  • Phpmyadmin 3.3.9.0

  • Phpmyadmin 3.3.9.1

  • Phpmyadmin 3.3.9.2

  • Phpmyadmin 3.4.0.0

  • Phpmyadmin 3.4.1.0

  • Phpmyadmin 3.4.2.0

  • Phpmyadmin 3.4.3.0


References

CONFIRM - http://www.phpmyadmin.net/home_page/security/PMASA-2011-7.php

CONFIRM - http://phpmyadmin.git.sourceforge.net/git/gitweb.cgi?p=phpmyadmin/phpmyadmin;a=commit;h=69fb0f8e7dc38075427aceaf09bcac697d0590ff

MISC - http://www.xxor.se/advisories/phpMyAdmin_3.x_Multiple_Remote_Code_Executions.txt

BUGTRAQ - 20110707 phpMyAdmin 3.x Multiple Remote Code Executions

OSVDB - 73613

MLIST - [oss-security] 20110629 Re: CVE Request: phpMyAdmin 3.4 Multiple Vulnerabilities

MLIST - [oss-security] 20110628 Re: [Phpmyadmin-security] CVE Request: phpMyAdmin 3.4 Multiple Vulnerabilities

MLIST - [oss-security] 20110628 Re: CVE Request: phpMyAdmin 3.4 Multiple Vulnerabilities

MLIST - [oss-security] 20110628 CVE Request: phpMyAdmin 3.4 Multiple Vulnerabilities

MANDRIVA - MDVSA-2011:124

DEBIAN - DSA-2286

CONFIRM - http://typo3.org/teams/security/security-bulletins/typo3-sa-2011-008/

SREASON - 8306

SECUNIA - 45315

SECUNIA - 45292

SECUNIA - 45139

FEDORA - FEDORA-2011-9144

MISC - http://ha.xxor.se/2011/07/phpmyadmin-3x-pregreplace-rce-poc.html

MISC - http://ha.xxor.se/2011/07/phpmyadmin-3x-multiple-remote-code.html


Last Updated: 27 May 2016 10:57:02