Bug 237781 (CVE-2008-4096) - dev-db/phpmyadmin < Remote code execution after successful auth (CVE-2008-4096)
Summary: dev-db/phpmyadmin < Remote code execution after successful auth (CV...
Alias: CVE-2008-4096
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All All
Importance: High major
Assignee: Gentoo Security
Whiteboard: B1? [glsa]
Depends on:
Reported: 2008-09-15 19:47 UTC by Christian Hoffmann (RETIRED)
Modified: 2009-03-18 22:32 UTC
CC: 5 users

See Also:
Package list:
Runtime testing required: ---


Description Christian Hoffmann (RETIRED) gentoo-dev 2008-09-15 19:47:04 UTC
Quoting $URL:

Code execution vulnerability

We received an advisory from Norman Hippert and we wish to thank him for his work. The server_databases.php script was vulnerable to an attack coming from a user who is already logged-on to phpMyAdmin, where he can execute shell code (if the PHP configuration permits commands like exec).

We consider this vulnerability to be serious.

Affected versions:
Versions before

Upgrade to phpMyAdmin or newer.

Comment 1 Christian Hoffmann (RETIRED) gentoo-dev 2008-09-15 19:49:54 UTC
Maintainers, please bump.
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2008-09-19 15:28:06 UTC
CVE-2008-4096 (
  libraries/database_interface.lib.php in phpMyAdmin before
  allows remote authenticated users to execute arbitrary code via a
  request to server_databases.php with a sort_by parameter containing
  PHP sequences, which are processed by create_function.

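The mechanism the CVE text above describes, as an added illustrative example that is not phpMyAdmin's own code: a sort callback built by splicing the request's sort_by value into a create_function() string, placed beside a hardened version that checks the value against a fixed allowlist of column names and sorts with a closure, so request data is only ever used as an array key and never reaches the PHP compiler. The column names and the sample rows are constructed for the demonstration.

```php
<?php
// Added illustrative example, not phpMyAdmin's code. Column names and the
// sample rows are constructed for this demonstration.

// Vulnerable pattern (shown for contrast only): request data becomes part of
// PHP source text that create_function() compiles. Any value that closes the
// string literal is executed as PHP, which is the code-execution path the
// CVE describes. create_function() was deprecated in PHP 7.2 and removed in
// PHP 8, so the definition is guarded to keep the file loadable there.
if (function_exists('create_function')) {
    function sort_rows_unsafe(array $rows, string $sort_by): array
    {
        $cmp = create_function(
            '$a, $b',
            'return strnatcmp($a["' . $sort_by . '"], $b["' . $sort_by . '"]);'
        );
        usort($rows, $cmp);
        return $rows;
    }
}

// Hardened pattern: accept only a known column name, then compare inside a
// closure. The request value is used as an array key, never as code.
const SORTABLE_COLUMNS = ['SCHEMA_NAME', 'SCHEMA_TABLES', 'SCHEMA_DATA_LENGTH'];

function sort_rows_safe(array $rows, string $sort_by): array
{
    // Strict comparison against the allowlist; reject instead of "cleaning",
    // since a legitimate request can only ever carry one of these names.
    if (!in_array($sort_by, SORTABLE_COLUMNS, true)) {
        throw new InvalidArgumentException('unknown sort column');
    }
    usort($rows, function (array $a, array $b) use ($sort_by): int {
        return strnatcmp((string) $a[$sort_by], (string) $b[$sort_by]);
    });
    return $rows;
}

// Constructed sample data standing in for the server's database list.
$rows = [
    ['SCHEMA_NAME' => 'shop', 'SCHEMA_TABLES' => '12', 'SCHEMA_DATA_LENGTH' => '40960'],
    ['SCHEMA_NAME' => 'blog', 'SCHEMA_TABLES' => '3',  'SCHEMA_DATA_LENGTH' => '8192'],
];

print_r(sort_rows_safe($rows, 'SCHEMA_NAME'));   // blog, then shop

try {
    sort_rows_safe($rows, 'not_a_column');         // rejected before any sort
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

The hardened function also gives a defender a cheap detection point: a rejected sort_by value is a request that no legitimate client sends, so logging the InvalidArgumentException is a reasonable signal to alert on.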
Comment 3 Christian Hoffmann (RETIRED) gentoo-dev 2008-09-20 13:39:24 UTC
Maintainers, please bump. We have a target delay of 5 days for B1 issues.
Comment 4 Gunnar Wrobel (RETIRED) gentoo-dev 2008-09-21 13:42:10 UTC
phpmyadmin- is in the tree. Sorry for the delay.
Comment 5 Robert Buchholz (RETIRED) gentoo-dev 2008-09-21 14:16:52 UTC
Arches, please test and mark stable:
Target keywords : "alpha amd64 hppa ppc ppc64 sparc x86"
Comment 6 Brent Baude (RETIRED) gentoo-dev 2008-09-21 15:58:14 UTC
ppc done
Comment 7 Brent Baude (RETIRED) gentoo-dev 2008-09-21 16:08:47 UTC
ppc64 done
Comment 8 Raúl Porcel (RETIRED) gentoo-dev 2008-09-21 17:46:19 UTC
alpha/sparc/x86 stable
Comment 9 Jeroen Roovers (RETIRED) gentoo-dev 2008-09-22 03:22:29 UTC
Stable for HPPA.
Comment 10 Tobias Heinlein (RETIRED) gentoo-dev 2008-09-23 18:58:10 UTC
amd64 stable
Comment 11 Tobias Heinlein (RETIRED) gentoo-dev 2008-09-23 18:59:55 UTC
All arches done, request filed.
Comment 12 Gunnar Wrobel (RETIRED) gentoo-dev 2008-09-29 07:59:03 UTC
Removed phpmyadmin-2.11.8, - webapps done
Comment 13 Pierre-Yves Rofes (RETIRED) gentoo-dev 2009-03-18 22:32:00 UTC
GLSA 200903-32