漏洞信息详情

phpMyAdmin 'export page' 跨站脚本攻击漏洞

• CNNVD编号：CNNVD-200903-474
• 危害等级： 中危
  
• CVE编号： CVE-2009-1150
• 漏洞类型： 跨站脚本
• 发布时间： 2009-03-26
• 威胁类型： 远程
• 更新时间： 2009-05-23
• 厂        商： phpmyadmin
• 漏洞来源： Manuel Lopez Galle...

漏洞简介

phpMyAdmin是一个免费的MySQL数据管理工具软件，PHP写的旨在处理在万维网和操作MySQL。

phpMyAdmin的输出页(display_export.lib.php)中存在多个跨站脚本攻击漏洞。远程攻击者可以借助pma_db_filename_template cookie，注入任意web脚本或HTML。

漏洞公告

目前厂商已经发布了升级补丁以修复这个安全问题，补丁下载链接：

Debian Linux 5.0 ia-64

Debian phpmyadmin_2.11.8.1-5+lenny1_all.deb

http://security.debian.org/pool/updates/main/p/phpmyadmin/phpmyadmin_2.11.8.1-5+lenny1_all.deb

Debian Linux 5.0 alpha

Debian phpmyadmin_2.11.8.1-5+lenny1_all.deb

http://security.debian.org/pool/updates/main/p/phpmyadmin/phpmyadmin_2.11.8.1-5+lenny1_all.deb

Debian Linux 5.0 mipsel

Debian phpmyadmin_2.11.8.1-5+lenny1_all.deb

http://security.debian.org/pool/updates/main/p/phpmyadmin/phpmyadmin_2.11.8.1-5+lenny1_all.deb

Debian Linux 4.0 amd64

Debian phpmyadmin_2.9.1.1-11_all.deb

http://security.debian.org/pool/updates/main/p/phpmyadmin/phpmyadmin_2.9.1.1-11_all.deb

Debian Linux 4.0 ia-32

Debian phpmyadmin_2.9.1.1-11_all.deb

http://security.debian.org/pool/updates/main/p/phpmyadmin/phpmyadmin_2.9.1.1-11_all.deb

Debian Linux 4.0 hppa

Debian phpmyadmin_2.9.1.1-11_all.deb

http://security.debian.org/pool/updates/main/p/phpmyadmin/phpmyadmin_2.9.1.1-11_all.deb

Debian Linux 4.0 armel

Debian phpmyadmin_2.9.1.1-11_all.deb

http://security.debian.org/pool/updates/main/p/phpmyadmin/phpmyadmin_2.9.1.1-11_all.deb

Debian Linux 5.0 armel

Debian phpmyadmin_2.11.8.1-5+lenny1_all.deb

http://security.debian.org/pool/updates/main/p/phpmyadmin/phpmyadmin_2.11.8.1-5+lenny1_all.deb

Debian Linux 5.0

Debian phpmyadmin_2.11.8.1-5+lenny1_all.deb

http://security.debian.org/pool/updates/main/p/phpmyadmin/phpmyadmin_2.11.8.1-5+lenny1_all.deb

Debian Linux 4.0 mipsel

Debian phpmyadmin_2.9.1.1-11_all.deb

http://security.debian.org/pool/updates/main/p/phpmyadmin/phpmyadmin_2.9.1.1-11_all.deb

Debian Linux 5.0 mips

Debian phpmyadmin_2.11.8.1-5+lenny1_all.deb

http://security.debian.org/pool/updates/main/p/phpmyadmin/phpmyadmin_2.11.8.1-5+lenny1_all.deb

phpMyAdmin

phpMyAdmin 3.0.1.1

phpMyAdmin-3.1.3.1-all-languages.tar.gz

http://prdownloads.sourceforge.net/phpmyadmin/phpMyAdmin-3.1.3.1-all-languages.tar.gz

Debian Linux 4.0 ia-64

Debian phpmyadmin_2.9.1.1-11_all.deb

http://security.debian.org/pool/updates/main/p/phpmyadmin/phpmyadmin_2.9.1.1-11_all.deb

Debian Linux 4.0 mips

Debian phpmyadmin_2.9.1.1-11_all.deb

http://security.debian.org/pool/updates/main/p/phpmyadmin/phpmyadmin_2.9.1.1-11_all.deb

Debian Linux 5.0 sparc

Debian phpmyadmin_2.11.8.1-5+lenny1_all.deb

http://security.debian.org/pool/updates/main/p/phpmyadmin/phpmyadmin_2.11.8.1-5+lenny1_all.deb

phpMyAdmin

phpMyAdmin 2.11.9.3

phpMyAdmin-2.11.9.5-all-languages.tar.gz

http://prdownloads.sourceforge.net/phpmyadmin/phpMyAdmin-2.11.9.5-all-languages.tar.gz

Debian Linux 4.0 arm

Debian phpmyadmin_2.9.1.1-11_all.deb

http://security.debian.org/pool/updates/main/p/phpmyadmin/phpmyadmin_2.9.1.1-11_all.deb

Debian Linux 4.0 powerpc

Debian phpmyadmin_2.9.1.1-11_all.deb

http://security.debian.org/pool/updates/main/p/phpmyadmin/phpmyadmin_2.9.1.1-11_all.deb

Debian Linux 4.0 m68k

Debian phpmyadmin_2.9.1.1-11_all.deb

http://security.debian.org/pool/updates/main/p/phpmyadmin/phpmyadmin_2.9.1.1-11_all.deb

phpMyAdmin

phpMyAdmin 2.11.2.2

phpMyAdmin-2.11.9.5-all-languages.tar.gz

http://prdownloads.sourceforge.net/phpmyadmin/phpMyAdmin-2.11.9.5-all-languages.tar.gz

Debian Linux 5.0 ia-32

Debian phpmyadmin_2.11.8.1-5+lenny1_all.deb

http://security.debian.org/pool/updates/main/p/phpmyadmin/phpmyadmin_2.11.8.1-5+lenny1_all.deb

phpMyAdmin

phpMyAdmin 2.11.5

phpMyAdmin-2.11.9.5-all-languages.tar.gz

http://prdownloads.sourceforge.net/phpmyadmin/phpMyAdmin-2.11.9.5-all-languages.tar.gz

phpMyAdmin

phpMyAdmin 2.11.5 1

phpMyAdmin-2.11.9.5-all-languages.tar.gz

http://prdownloads.sourceforge.net/phpmyadmin/phpMyAdmin-2.11.9.5-all-languages.tar.gz

phpMyAdmin

phpMyAdmin 2.11.7

phpMyAdmin-2.11.9.5-all-languages.tar.gz

http://prdownloads.sourceforge.net/phpmyadmin/phpMyAdmin-2.11.9.5-all-languages.tar.gz

phpMyAdmin

phpMyAdmin 2.11.9 .1

参考网址

来源: www.phpmyadmin.net

链接: http://www.phpmyadmin.net/home_page/security/PMASA-2009-2.php

来源: BID

名称: 34251

链接: http://www.securityfocus.com/bid/34251

来源: MANDRIVA

名称: MDVSA-2009:115

链接: http://www.mandriva.com/security/advisories?name=MDVSA-2009:115

来源: DEBIAN

名称: DSA-1824

链接: http://www.debian.org/security/2009/dsa-1824

来源: GENTOO

名称: GLSA-200906-03

链接: http://security.gentoo.org/glsa/glsa-200906-03.xml

来源: SECUNIA

名称: 35635

链接: http://secunia.com/advisories/35635

来源: SECUNIA

名称: 35585

链接: http://secunia.com/advisories/35585

来源: SECUNIA

名称: 34642

链接: http://secunia.com/advisories/34642

来源: SECUNIA

名称: 34430

链接: http://secunia.com/advisories/34430

来源: phpmyadmin.svn.sourceforge.net

链接: http://phpmyadmin.svn.sourceforge.net/viewvc/phpmyadmin/trunk/phpMyAdmin/libraries/display_export.lib.php?r1=11986&r2=12302&pathrev=12302

来源: SUSE

名称: SUSE-SR:2009:008

链接:http://lists.opensuse.org/opensuse-security-announce/2009-04/msg00003.HTML

受影响实体

• Phpmyadmin Phpmyadmin:3.1.3:Rc1  
• Phpmyadmin Phpmyadmin:3.1.2  
• Phpmyadmin Phpmyadmin:3.1.2:Rc1  
• Phpmyadmin Phpmyadmin:3.1.1  
• Phpmyadmin Phpmyadmin:3.1.1:Rc1  

补丁

暂无