[ MDVSA-2010:018 ] phpMyAdmin

[dude67]

_______________________________________________________________________

Package : phpMyAdmin
Date : January 19, 2010
Affected: Corporate 4.0
_______________________________________________________________________

Problem Description:

Multiple vulnerabilities has been found and corrected in phpMyAdmin:

libraries/File.class.php in phpMyAdmin 2.11.x before 2.11.10 creates
a temporary directory with 0777 permissions, which has unknown impact
and attack vectors (CVE-2008-7251).

libraries/File.class.php in phpMyAdmin 2.11.x before 2.11.10 uses
predictable filenames for temporary files, which has unknown impact
and attack vectors (CVE-2008-7252).

scripts/setup.php (aka the setup script) in phpMyAdmin 2.11.x before
2.11.10 calls the unserialize function on the values of the (1)
configuration and (2) v[0] parameters, which might allow remote
attackers to conduct cross-site request forgery (CSRF) attacks via
unspecified vectors (CVE-2009-4605).

This update provides phpMyAdmin 2.11.10, which is not vulnerable to
these issues.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cg ... -2008-7251
http://cve.mitre.org/cgi-bin/cvename.cg ... -2008-7252
http://cve.mitre.org/cgi-bin/cvename.cg ... -2009-4605
http://www.phpmyadmin.net/home_page/sec ... 2010-1.php
http://www.phpmyadmin.net/home_page/sec ... 2010-2.php
http://www.phpmyadmin.net/home_page/sec ... 2010-3.php
_______________________________________________________________________