Main Vulnerability Database SB2013042802

SB2013042802 - Fedora EPEL 5 update for phpMyAdmin3

Published: April 28, 2013 Updated: April 24, 2025

Security Bulletin ID SB2013042802

Severity

Low

Patch available

YES

Number of vulnerabilities 2

Exploitation vector Remote access

Highest impact Data manipulation

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 2 secuirty vulnerabilities.

1) Input validation error (CVE-ID: CVE-2013-3238)

The vulnerability allows a remote #AU# to read and manipulate data.

phpMyAdmin 3.5.x before 3.5.8 and 4.x before 4.0.0-rc3 allows remote authenticated users to execute arbitrary code via a /ex00 sequence, which is not properly handled before making a preg_replace function call within the "Replace table prefix" feature.

2) Code Injection (CVE-ID: CVE-2013-3239)

The vulnerability allows a remote #AU# to read and manipulate data.

phpMyAdmin 3.5.x before 3.5.8 and 4.x before 4.0.0-rc3, when a SaveDir directory is configured, allows remote authenticated users to execute arbitrary code by using a double extension in the filename of an export file, leading to interpretation of this file as an executable file by the Apache HTTP Server, as demonstrated by a .php.sql filename.

Remediation

Install update from vendor's website.

References

https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2013-5620