FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

CVE-2009-1151

This CVE name corresponds to:

Entered Topic
2009-03-25 phpmyadmin -- insufficient output sanitizing when generating configuration file

The following information is adapted from the Common Vulnerabilities and Exposures (CVE) project. CVE and the CVE logo are trademarks of The MITRE Corporation. CVE content is Copyright 2005, The MITRE Corporation.

Details

Type Candidate
Name CVE-2009-1151
Phase Assigned (20090326)

Description

Static code injection vulnerability in setup.php in phpMyAdmin 2.11.x before 2.11.9.5 and 3.x before 3.1.3.1 allows remote attackers to inject arbitrary PHP code into a configuration file via the save action.

References

Source Reference
BUGTRAQ 20090609 CVE-2009-1151: phpMyAdmin Remote Code Execution Proof of Concept
MILW0RM 8921
MISC http://labs.neohapsis.com/2009/04/06/about-cve-2009-1151/
MISC http://www.gnucitizen.org/blog/cve-2009-1151-phpmyadmin-remote-code-execution-proof-of-concept/
CONFIRM http://phpmyadmin.svn.sourceforge.net/viewvc/phpmyadmin/branches/MAINT_2_11_9/phpMyAdmin/scripts/setup.php?r1=11514&r2=12301&pathrev=12301
CONFIRM http://www.phpmyadmin.net/home_page/security/PMASA-2009-3.php
DEBIAN DSA-1824
GENTOO GLSA-200906-03
MANDRIVA MDVSA-2009:115
SUSE SUSE-SR:2009:008
BID 34236
SECUNIA 34430
SECUNIA 34642
SECUNIA 35585
SECUNIA 35635