#VU44863 Path traversal in phpMyAdmin
Vulnerability identifier: #VU44863
Vulnerability risk: Low
CVSSv3.1: 3 [CVSS:3.1/AV:N/AC:L/PR:/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]
CVE-ID:
CWE-ID:
CWE-22
Exploitation vector: Network
Exploit availability: No
Vulnerable software:
phpMyAdmin
Web applications /
Remote management & hosting panels
Vendor: phpMyAdmin
Description
The vulnerability allows a remote #AU# to read and manipulate data.
Multiple directory traversal vulnerabilities in the relational schema implementation in phpMyAdmin 3.4.x before 3.4.3.2 allow remote authenticated users to include and execute arbitrary local files via directory traversal sequences in an export type field, related to (1) libraries/schema/User_Schema.class.php and (2) schema_export.php.
Mitigation
Install update from vendor's website.
Vulnerable software versions
phpMyAdmin: 3.4.0.0 - 3.4.3.1
External links
http://lists.fedoraproject.org/pipermail/package-announce/2011-August/063410.html
http://lists.fedoraproject.org/pipermail/package-announce/2011-August/063418.html
http://osvdb.org/74111
http://phpmyadmin.git.sourceforge.net/git/gitweb.cgi?p=phpmyadmin/phpmyadmin;a=commit;h=3ae58f0cd6b89ad4767920f9b214c38d3f6d4393
http://secunia.com/advisories/45365
http://secunia.com/advisories/45515
http://www.mandriva.com/security/advisories?name=MDVSA-2011:124
http://www.openwall.com/lists/oss-security/2011/07/25/4
http://www.openwall.com/lists/oss-security/2011/07/26/10
http://www.phpmyadmin.net/home_page/security/PMASA-2011-11.php
http://www.securityfocus.com/bid/48874
http://bugzilla.redhat.com/show_bug.cgi?id=725383
http://exchange.xforce.ibmcloud.com/vulnerabilities/68768
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
