CVE-2011-2505: Improper Control of Generation of Code ('Code Injection')
libraries/auth/swekey/swekey.auth.lib.php in the Swekey authentication feature in phpMyAdmin 3.x before 3.3.10.2 and 3.4.x before 3.4.3.1 assigns values to arbitrary parameters referenced in the query string, which allows remote attackers to modify the SESSION superglobal array via a crafted request, related to a “remote variable manipulation vulnerability.”
References
- ha.xxor.se/2011/07/phpmyadmin-3x-multiple-remote-code.html
- lists.fedoraproject.org/pipermail/package-announce/2011-July/062719.html
- securityreason.com/securityalert/8306
- typo3.org/teams/security/security-bulletins/typo3-sa-2011-008/
- www.debian.org/security/2011/dsa-2286
- www.exploit-db.com/exploits/17514/
- www.openwall.com/lists/oss-security/2011/06/28/2
- www.openwall.com/lists/oss-security/2011/06/28/6
- www.openwall.com/lists/oss-security/2011/06/28/8
- www.openwall.com/lists/oss-security/2011/06/29/11
- www.phpmyadmin.net/home_page/security/PMASA-2011-5.php
- github.com/advisories/GHSA-vqcm-r62w-w437
- github.com/phpmyadmin/composer/commit/7ebd958b2bf59f96fecd5b3322bdbd0b244a7967
- github.com/phpmyadmin/phpmyadmin/commit/6e6e129f26295c83d67b74e202628a4b8bc49e54
- github.com/phpmyadmin/phpmyadmin/commit/7ebd958b2bf59f96fecd5b3322bdbd0b244a7967
- nvd.nist.gov/vuln/detail/CVE-2011-2505
- web.archive.org/web/20110712103138/http://www.xxor.se/advisories/phpMyAdmin_3.x_Multiple_Remote_Code_Executions.txt
- web.archive.org/web/20111116172111/http://www.securityfocus.com/archive/1/518804/100/0/threaded
- web.archive.org/web/20121105034518/http://www.mandriva.com/en/support/security/advisories?name=MDVSA-2011:124