Vulnerability Description
setup/lib/ConfigGenerator.class.php in phpMyAdmin 3.x before 3.3.10.2 and 3.4.x before 3.4.3.1 does not properly restrict the presence of comment closing delimiters, which allows remote attackers to conduct static code injection attacks by leveraging the ability to modify the SESSION superglobal array.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Phpmyadmin | Phpmyadmin | 3.0.0 |
Related Weaknesses (CWE)
References
- http://ha.xxor.se/2011/07/phpmyadmin-3x-multiple-remote-code.htmlExploit
- http://lists.fedoraproject.org/pipermail/package-announce/2011-July/062719.html
- http://phpmyadmin.git.sourceforge.net/git/gitweb.cgi?p=phpmyadmin/phpmyadmin%3Ba
- http://secunia.com/advisories/45139Vendor Advisory
- http://secunia.com/advisories/45292
- http://secunia.com/advisories/45315
- http://securityreason.com/securityalert/8306
- http://typo3.org/teams/security/security-bulletins/typo3-sa-2011-008/
- http://www.debian.org/security/2011/dsa-2286
- http://www.exploit-db.com/exploits/17514/Exploit
- http://www.mandriva.com/security/advisories?name=MDVSA-2011:124
- http://www.openwall.com/lists/oss-security/2011/06/28/2
- http://www.openwall.com/lists/oss-security/2011/06/28/6
- http://www.openwall.com/lists/oss-security/2011/06/28/8
- http://www.openwall.com/lists/oss-security/2011/06/29/11
FAQ
What is CVE-2011-2506?
CVE-2011-2506 is a vulnerability with a CVSS score of 7.5 (HIGH). setup/lib/ConfigGenerator.class.php in phpMyAdmin 3.x before 3.3.10.2 and 3.4.x before 3.4.3.1 does not properly restrict the presence of comment closing delimiters, which allows remote attackers to c...
How severe is CVE-2011-2506?
CVE-2011-2506 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2011-2506?
Check the references section above for vendor advisories and patch information. Affected products include: Phpmyadmin Phpmyadmin.