DSA-1557 phpmyadmin -- insufficient input sanitising
ID: oval:org.mitre.oval:def:8041 | Date: (C)2009-12-15 (M)2024-02-19 | Class: PATCH | Family: unix
Several remote vulnerabilities have been discovered in phpMyAdmin, an application to administer MySQL over the WWW. The Common Vulnerabilities and Exposures project identifies the following problems:

Attackers with CREATE table permissions were allowed to read arbitrary files readable by the webserver via a crafted HTTP POST request.

The PHP session data file stored the username and password of a logged-in user, which in some setups can be read by a local user.

Cross-site scripting and SQL injection were possible for attackers who had permission to create cookies in the same cookie domain in which phpMyAdmin runs.