CVE-2011-2505

Published: Jul 14, 2011Modified: Apr 29, 2026

6.4

Vector

AV:N/AC:L/Au:N/C:N/I:P/A:P

Exploitability: 10.0 / Impact: 4.9

Source: NVD

Description

libraries/auth/swekey/swekey.auth.lib.php in the Swekey authentication feature in phpMyAdmin 3.x before 3.3.10.2 and 3.4.x before 3.4.3.1 assigns values to arbitrary parameters referenced in the query string, which allows remote attackers to modify the SESSION superglobal array via a crafted request, related to a "remote variable manipulation vulnerability."

Affected (48)

Products: Phpmyadmin: Phpmyadmin

1 product

Configuration A

44 vulnerable

Vulnerable Software	Affected Versions
Phpmyadmin Phpmyadmin	Version 3.0.0
Phpmyadmin Phpmyadmin	Version 3.0.0 alpha
Phpmyadmin Phpmyadmin	Version 3.0.0 beta
Phpmyadmin Phpmyadmin	Version 3.0.0 rc1
Phpmyadmin Phpmyadmin	Version 3.0.1.1
Phpmyadmin Phpmyadmin	Version 3.0.1
Phpmyadmin Phpmyadmin	Version 3.0.1 rc1
Phpmyadmin Phpmyadmin	Version 3.1.0
Phpmyadmin Phpmyadmin	Version 3.1.0 beta1
Phpmyadmin Phpmyadmin	Version 3.1.1
Phpmyadmin Phpmyadmin	Version 3.1.1 rc1
Phpmyadmin Phpmyadmin	Version 3.1.2
Phpmyadmin Phpmyadmin	Version 3.1.2 rc1
Phpmyadmin Phpmyadmin	Version 3.1.3.1
Phpmyadmin Phpmyadmin	Version 3.1.3.2
Phpmyadmin Phpmyadmin	Version 3.1.3
Phpmyadmin Phpmyadmin	Version 3.1.3 rc1
Phpmyadmin Phpmyadmin	Version 3.1.4
Phpmyadmin Phpmyadmin	Version 3.1.4 rc2
Phpmyadmin Phpmyadmin	Version 3.1.5
Phpmyadmin Phpmyadmin	Version 3.1.5 rc1
Phpmyadmin Phpmyadmin	Version 3.2.0
Phpmyadmin Phpmyadmin	Version 3.2.0 beta1
Phpmyadmin Phpmyadmin	Version 3.2.0 rc1
Phpmyadmin Phpmyadmin	Version 3.2.1
Phpmyadmin Phpmyadmin	Version 3.2.1 rc1
Phpmyadmin Phpmyadmin	Version 3.2.2
Phpmyadmin Phpmyadmin	Version 3.2.2 rc1
Phpmyadmin Phpmyadmin	Version 3.3.0.0
Phpmyadmin Phpmyadmin	Version 3.3.1.0
Phpmyadmin Phpmyadmin	Version 3.3.10.0
Phpmyadmin Phpmyadmin	Version 3.3.10.1
Phpmyadmin Phpmyadmin	Version 3.3.2.0
Phpmyadmin Phpmyadmin	Version 3.3.3.0
Phpmyadmin Phpmyadmin	Version 3.3.4.0
Phpmyadmin Phpmyadmin	Version 3.3.5.0
Phpmyadmin Phpmyadmin	Version 3.3.5.1
Phpmyadmin Phpmyadmin	Version 3.3.6
Phpmyadmin Phpmyadmin	Version 3.3.7
Phpmyadmin Phpmyadmin	Version 3.3.8.1
Phpmyadmin Phpmyadmin	Version 3.3.8
Phpmyadmin Phpmyadmin	Version 3.3.9.0
Phpmyadmin Phpmyadmin	Version 3.3.9.1
Phpmyadmin Phpmyadmin	Version 3.3.9.2

Configuration B

4 vulnerable

Vulnerable Software	Affected Versions
Phpmyadmin Phpmyadmin	Version 3.4.0.0
Phpmyadmin Phpmyadmin	Version 3.4.1.0
Phpmyadmin Phpmyadmin	Version 3.4.2.0
Phpmyadmin Phpmyadmin	Version 3.4.3.0

Related CWEs

Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

References (38)

http://ha.xxor.se/2011/07/phpmyadmin-3x-multiple-remote-code.html

Source: secalert@redhat.com

Exploit

http://lists.fedoraproject.org/pipermail/package-announce/2011-July/062719.html

Source: secalert@redhat.com

http://phpmyadmin.git.sourceforge.net/git/gitweb.cgi?p=phpmyadmin/phpmyadmin%3Ba=commit%3Bh=7ebd958b2bf59f96fecd5b3322bdbd0b244a7967

Source: secalert@redhat.com

http://secunia.com/advisories/45139

Source: secalert@redhat.com

Vendor Advisory

http://secunia.com/advisories/45292

Source: secalert@redhat.com

http://secunia.com/advisories/45315

Source: secalert@redhat.com

http://securityreason.com/securityalert/8306

Source: secalert@redhat.com

http://typo3.org/teams/security/security-bulletins/typo3-sa-2011-008/

Source: secalert@redhat.com

http://www.debian.org/security/2011/dsa-2286

Source: secalert@redhat.com

http://www.exploit-db.com/exploits/17514/

Source: secalert@redhat.com

Exploit

http://www.mandriva.com/security/advisories?name=MDVSA-2011:124

Source: secalert@redhat.com

http://www.openwall.com/lists/oss-security/2011/06/28/2

Source: secalert@redhat.com

http://www.openwall.com/lists/oss-security/2011/06/28/6

Source: secalert@redhat.com

http://www.openwall.com/lists/oss-security/2011/06/28/8

Source: secalert@redhat.com

http://www.openwall.com/lists/oss-security/2011/06/29/11

Source: secalert@redhat.com

http://www.osvdb.org/73611

Source: secalert@redhat.com

http://www.phpmyadmin.net/home_page/security/PMASA-2011-5.php

Source: secalert@redhat.com

PatchVendor Advisory

http://www.securityfocus.com/archive/1/518804/100/0/threaded

Source: secalert@redhat.com

http://www.xxor.se/advisories/phpMyAdmin_3.x_Multiple_Remote_Code_Executions.txt

Source: secalert@redhat.com

http://ha.xxor.se/2011/07/phpmyadmin-3x-multiple-remote-code.html

Source: af854a3a-2127-422b-91ae-364da2661108

Exploit

http://lists.fedoraproject.org/pipermail/package-announce/2011-July/062719.html

Source: af854a3a-2127-422b-91ae-364da2661108

http://phpmyadmin.git.sourceforge.net/git/gitweb.cgi?p=phpmyadmin/phpmyadmin%3Ba=commit%3Bh=7ebd958b2bf59f96fecd5b3322bdbd0b244a7967

Source: af854a3a-2127-422b-91ae-364da2661108

http://secunia.com/advisories/45139

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

http://secunia.com/advisories/45292

Source: af854a3a-2127-422b-91ae-364da2661108

http://secunia.com/advisories/45315

Source: af854a3a-2127-422b-91ae-364da2661108

http://securityreason.com/securityalert/8306

Source: af854a3a-2127-422b-91ae-364da2661108

http://typo3.org/teams/security/security-bulletins/typo3-sa-2011-008/

Source: af854a3a-2127-422b-91ae-364da2661108

http://www.debian.org/security/2011/dsa-2286

Source: af854a3a-2127-422b-91ae-364da2661108

http://www.exploit-db.com/exploits/17514/

Source: af854a3a-2127-422b-91ae-364da2661108

Exploit

http://www.mandriva.com/security/advisories?name=MDVSA-2011:124

Source: af854a3a-2127-422b-91ae-364da2661108

http://www.openwall.com/lists/oss-security/2011/06/28/2

Source: af854a3a-2127-422b-91ae-364da2661108

http://www.openwall.com/lists/oss-security/2011/06/28/6

Source: af854a3a-2127-422b-91ae-364da2661108

http://www.openwall.com/lists/oss-security/2011/06/28/8

Source: af854a3a-2127-422b-91ae-364da2661108

http://www.openwall.com/lists/oss-security/2011/06/29/11

Source: af854a3a-2127-422b-91ae-364da2661108

http://www.osvdb.org/73611

Source: af854a3a-2127-422b-91ae-364da2661108

http://www.phpmyadmin.net/home_page/security/PMASA-2011-5.php

Source: af854a3a-2127-422b-91ae-364da2661108

PatchVendor Advisory

http://www.securityfocus.com/archive/1/518804/100/0/threaded

Source: af854a3a-2127-422b-91ae-364da2661108

http://www.xxor.se/advisories/phpMyAdmin_3.x_Multiple_Remote_Code_Executions.txt

Source: af854a3a-2127-422b-91ae-364da2661108

Timeline

No history available yet.