National Cyber-Alert System

Vulnerability Summary for CVE-2008-5621

Overview

Cross-site request forgery (CSRF) vulnerability in phpMyAdmin 2.11.x before 2.11.9.4 and 3.x before 3.1.1.0 allows remote attackers to perform unauthorized actions as the administrator via a link or IMG tag to tbl_structure.php with a modified table parameter. NOTE: other unspecified pages are also reachable, but they have the same root cause. NOTE: this can be leveraged to conduct SQL injection attacks and execute arbitrary code.

Impact

CVSS Severity (version 2.0):

CVSS Version 2 Metrics:

References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to nvd@nist.gov.

External Source: BID

Name: 32720

Type: Patch Information

Hyperlink:http://www.securityfocus.com/bid/32720

External Source: CONFIRM

Name: http://www.phpmyadmin.net/home_page/security/PMASA-2008-10.php

Type: Advisory; Patch Information

Hyperlink:http://www.phpmyadmin.net/home_page/security/PMASA-2008-10.php

External Source: FEDORA

Name: FEDORA-2008-11221

Hyperlink:https://www.redhat.com/archives/fedora-package-announce/2008-December/msg00784.html

External Source: FEDORA

Name: FEDORA-2008-11221

Hyperlink:https://www.redhat.com/archives/fedora-package-announce/2008-December/msg00784.html

External Source: XF

Name: phpmyadmin-tblstructure-csrf(47168)

Hyperlink:http://xforce.iss.net/xforce/xfdb/47168

External Source: VUPEN

Name: ADV-2008-3501

Hyperlink:http://www.vupen.com/english/advisories/2008/3501

External Source: MLIST

Name: [oss-security] 20090212 CVE-2008-5621 is a duplicate (was: Re: CVE request: phpMyAdmin < 3.1.1.0 (SQL injection through XSRF on several pages ))

Hyperlink:http://www.openwall.com/lists/oss-security/2009/02/12/1

External Source: MILW0RM

Name: 7382

Hyperlink:http://www.milw0rm.com/exploits/7382

External Source: VUPEN

Name: ADV-2008-3402

Hyperlink:http://www.frsirt.com/english/advisories/2008/3402

External Source: DEBIAN

Name: DSA-1723

Hyperlink:http://www.debian.org/security/2009/dsa-1723

External Source: CONFIRM

Name: http://typo3.org/teams/security/security-bulletins/typo3-20081222-1/

Hyperlink:http://typo3.org/teams/security/security-bulletins/typo3-20081222-1/

External Source: SREASON

Name: 4753

Hyperlink:http://securityreason.com/securityalert/4753

External Source: GENTOO

Name: GLSA-200903-32

Hyperlink:http://security.gentoo.org/glsa/glsa-200903-32.xml

External Source: SECUNIA

Name: 33912

Hyperlink:http://secunia.com/advisories/33912

External Source: SECUNIA

Name: 33822

Hyperlink:http://secunia.com/advisories/33822

External Source: SECUNIA

Name: 33246

Hyperlink:http://secunia.com/advisories/33246

External Source: SECUNIA

Name: 33146

Type: Advisory

Hyperlink:http://secunia.com/advisories/33146

External Source: SECUNIA

Name: 33076

Type: Advisory

Hyperlink:http://secunia.com/advisories/33076

External Source: OSVDB

Name: 50894

Hyperlink:http://osvdb.org/50894

External Source: SUSE

Name: SUSE-SR:2009:003

Hyperlink:http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00000.html