#VU45320 Input validation error in phpMyAdmin - CVE-2011-0987

Cybersecurity Help s.r.o.

Published: 2011-02-15 | Updated: 2020-08-11

Vulnerability identifier: #VU45320

Vulnerability risk: Low

CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2011-0987

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
phpMyAdmin
Web applications / Remote management & hosting panels

Vendor: phpMyAdmin

Description

The vulnerability allows a remote #AU# to read and manipulate data.

The PMA_Bookmark_get function in libraries/bookmark.lib.php in phpMyAdmin 2.11.x before 2.11.11.3, and 3.3.x before 3.3.9.2, does not properly restrict bookmark queries, which makes it easier for remote authenticated users to trigger another user's execution of a SQL query by creating a bookmark.

Mitigation
Install update from vendor's website.

Vulnerable software versions

phpMyAdmin: 2.11.0 - 2.11.11.2, 3.0.0 - 3.0.1.1, 3.1.0 - 3.1.5, 3.2.0 - 3.2.2, 3.3.0.0 - 3.3.9.1

External links
https://lists.fedoraproject.org/pipermail/package-announce/2011-February/054349.html
https://lists.fedoraproject.org/pipermail/package-announce/2011-February/054355.html
https://lists.fedoraproject.org/pipermail/package-announce/2011-March/054525.html
https://phpmyadmin.git.sourceforge.net/git/gitweb.cgi?p=phpmyadmin/phpmyadmin;a=commit;h=a5464b4daff0059cdf8c9e5f4d54a80e2dd2a5b0
https://secunia.com/advisories/43324
https://secunia.com/advisories/43391
https://secunia.com/advisories/43478
https://www.debian.org/security/2011/dsa-2167
https://www.mandriva.com/security/advisories?name=MDVSA-2011:026
https://www.phpmyadmin.net/home_page/security/PMASA-2011-2.php
https://www.securityfocus.com/bid/46359
https://www.vupen.com/english/advisories/2011/0381
https://www.vupen.com/english/advisories/2011/0385
https://www.vupen.com/english/advisories/2011/0409
https://www.vupen.com/english/advisories/2011/0512
https://www.vupen.com/english/advisories/2011/0570
https://exchange.xforce.ibmcloud.com/vulnerabilities/65390

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Input validation error in phpMyAdmin