Vulnerability category: CGI
Vulnerability severity:
Vulnerability information
phpMyAdmin is a free software tool written in PHP and intended to handle the administration of MySQL over the Internet.
PMASA-2016-27: The vulnerability exists because the affected versions fail to handle null termination of the preg_replace() string parameter, when received as part of the table search and replace feature. A remote attacker could exploit this vulnerability by passing malicious parameters to the preg_replace() function, executing arbitrary PHP code on the targeted system.
PMASA-2016-23: By specially crafting requests to the Setup script and the example OpenID authentication script, it is possible to trigger phpMyAdmin to display a PHP error message which contains the full path of the directory where phpMyAdmin is installed.
Affected Versions:
phpMyAdmin 4.6.x before 4.6.3
phpMyAdmin 4.4.x versions before 4.4.15.7
phpMyAdmin 4.0.x versions before 4.0.10.16
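The following Python check is an added example, not part of the original advisory or of phpMyAdmin itself. It classifies an installed version string against the affected branches listed above. Two things are assumptions: branches the list does not mention are reported as "not-listed", and a pre-release of a fix version is treated as affected. The hostnames in the sample inventory are constructed.

```python
import re

# First fixed release per branch, from the "Affected Versions" list above.
FIXED = {
    (4, 6): (4, 6, 3),
    (4, 4): (4, 4, 15, 7),
    (4, 0): (4, 0, 10, 16),
}

def parse_version(text):
    """Return (numeric components, is_prerelease) for a version string."""
    m = re.match(r"\s*v?(\d+(?:\.\d+)*)(.*)", text)
    if not m:
        raise ValueError(f"not a version string: {text!r}")
    numbers = tuple(int(p) for p in m.group(1).split("."))
    # Assumption: only these suffixes mark a pre-release build.
    prerelease = bool(re.search(r"(?i)(rc|alpha|beta|dev)", m.group(2)))
    return numbers, prerelease

def pad(version, length):
    """Right-pad with zeros so 4.4.15 compares as 4.4.15.0."""
    return version + (0,) * (length - len(version))

def check(version_text):
    """Classify a version as 'affected', 'fixed' or 'not-listed'."""
    numbers, prerelease = parse_version(version_text)
    fixed = FIXED.get(pad(numbers, 2)[:2])
    if fixed is None:
        return "not-listed"  # branch is not covered by the list above
    width = max(len(numbers), len(fixed))
    current, target = pad(numbers, width), pad(fixed, width)
    # Assumption: a pre-release of the fix version is treated as affected.
    if current < target or (current == target and prerelease):
        return "affected"
    return "fixed"

if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are made up.
    inventory = [
        ("db-admin-01", "4.6.2"),
        ("db-admin-02", "4.4.15.7"),
        ("db-admin-03", "4.0.10.15"),
        ("db-admin-04", "4.5.1"),
    ]
    for host, version in inventory:
        print(f"{host}\t{version}\t{check(version)}")
```
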
Impact
Successful exploitation allows remote attackers to execute arbitrary PHP code on a targeted server.
Solution
Users are advised to upgrade to the latest version of phpMyAdmin.
Patch:
Following are links for downloading patches to fix the vulnerabilities: