Vulnerability CVE-2005-4349


Published: 2005-12-19   Modified: 2012-02-12

Description:
** DISPUTED ** SQL injection vulnerability in server_privileges.php in phpMyAdmin 2.7.0 allows remote authenticated users to execute arbitrary SQL commands via the (1) dbname and (2) checkprivs parameters. NOTE: the vendor and a third party have disputed this issue, saying that the main task of the program is to support query execution by authenticated users, and no external attack scenario exists without an auto-login configuration. Thus it is likely that this issue will be REJECTED. However, a closely related CSRF issue has been assigned CVE-2005-4450.
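The weakness class assigned below (CWE-89) comes down to one pattern: a request parameter such as dbname spliced into a statement as text rather than bound as a value or quoted as an identifier. The following is an added illustration of that pattern and its fix; it is not phpMyAdmin's code (the page reproduces none), and the table, column, function names and sample rows are all constructed assumptions, using an in-memory SQLite table in place of a MySQL privilege table.

```python
import sqlite3

# Constructed sample rows standing in for a privilege table (assumption:
# the real layout of mysql.db is not reproduced here).
SAMPLE_ROWS = [
    ("appdb", "alice", "SELECT"),
    ("appdb", "bob", "ALL"),
    ("billing", "carol", "SELECT"),
]

# A dbname value of the shape classically used to test CWE-89 (constructed).
PAYLOAD = "x' OR '1'='1"


def make_db():
    """Build the in-memory sample database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE db_privs (Db TEXT, User TEXT, Priv TEXT)")
    conn.executemany("INSERT INTO db_privs VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def privs_vulnerable(conn, dbname):
    """Untrusted parameter concatenated into the statement text (CWE-89)."""
    sql = "SELECT User, Priv FROM db_privs WHERE Db = '%s'" % dbname
    return conn.execute(sql).fetchall()


def privs_safe(conn, dbname):
    """Same lookup with the value bound as a parameter: the driver keeps the
    parameter in the data channel, so quotes in it cannot change the query."""
    sql = "SELECT User, Priv FROM db_privs WHERE Db = ?"
    return conn.execute(sql, (dbname,)).fetchall()


def quote_identifier(name):
    """Database and table names are identifiers, not values, so they cannot be
    bound as parameters; quote them and double any embedded backtick."""
    return "`" + name.replace("`", "``") + "`"


def count_rows(conn, table):
    """Count rows in a table whose name comes from untrusted input, using
    identifier quoting. Returns None if the quoted name does not exist."""
    sql = "SELECT COUNT(*) FROM " + quote_identifier(table)
    try:
        return conn.execute(sql).fetchone()[0]
    except sqlite3.OperationalError:
        return None


if __name__ == "__main__":
    db = make_db()
    print("legitimate:", privs_vulnerable(db, "appdb"))
    print("injected  :", privs_vulnerable(db, PAYLOAD))   # every row leaks
    print("bound     :", privs_safe(db, PAYLOAD))         # nothing matches
    print("identifier:", count_rows(db, "db_privs` ; DROP TABLE db_privs; --"))
```

With the payload the concatenated query becomes `... WHERE Db = 'x' OR '1'='1'` and returns every row, while the bound version matches nothing. The identifier case is the one that matters for a parameter literally named dbname: a database name cannot be bound, so it has to be quoted, and a malformed name then fails as a lookup error instead of executing a second statement. The dispute recorded on this page is about impact, not mechanism: a user who can already type arbitrary SQL into phpMyAdmin gains nothing from injecting it through server_privileges.php, which is why the realistic concern is the related CSRF issue (CVE-2005-4450) in deployments with auto-login, where a third party, not the logged-in user, supplies the parameters.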

See advisories in our WLB2 database:
Risk: Low
Topic: phpMyAdmin server_privileges.php SQL Injection Vulnerabilities.
Author: lwang
Date: 18.12.2005

Type: CWE-89 (Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'))

CVSS2 => (AV:N/AC:L/Au:S/C:P/I:P/A:P)

CVSS Base Score: 6.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 8/10
Exploit range: Remote
Attack complexity: Low
Authentication: Single time
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial
Affected software: phpMyAdmin (version 2.7.0, per the description above)

References:
http://marc.info/?l=bugtraq&m=113486637512821&w=2
http://securityreason.com/securityalert/270
http://www.securityfocus.com/archive/1/419829/100/0/threaded
http://www.securityfocus.com/archive/1/419832/100/0/threaded
http://www.vupen.com/english/advisories/2005/2995

Copyright 2022, cxsecurity.com
