ID CVE-2008-7252
Summary libraries/File.class.php in phpMyAdmin 2.11.x before 2.11.10 uses predictable filenames for temporary files, which has unknown impact and attack vectors.
References
Vulnerable Configurations
  • cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.6:rc1
    cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.6:rc1
  • phpMYAdmin 2.11.9.4
    cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.9.4
  • cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.5:rc1
    cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.5:rc1
  • cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.8
    cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.8
  • cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.7
    cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.7
  • phpMYAdmin 2.11.0
    cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.0
  • cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.1rc1
    cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.1rc1
  • cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.3rc1
    cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.3rc1
  • cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.3
    cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.3
  • cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.9
    cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.9
  • cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.0beta1
    cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.0beta1
  • cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.0rc1
    cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.0rc1
  • phpMYAdmin 2.11.5.2
    cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.5.2
  • phpMYAdmin 2.11.7.0
    cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.7.0
  • cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.6rc1
    cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.6rc1
  • cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.5rc1
    cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.5rc1
  • cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.4rc1
    cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.4rc1
  • phpMYAdmin 2.11.2.1
    cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.2.1
  • phpMYAdmin 2.11.5.1
    cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.5.1
  • cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.5
    cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.5
  • cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.6
    cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.6
  • phpMYAdmin 2.11.1.1
    cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.1.1
  • phpMYAdmin 2.11.9.3
    cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.9.3
  • phpMYAdmin 2.11.9.0
    cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.9.0
  • phpMYAdmin 2.11.6.0
    cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.6.0
  • phpMYAdmin 2.11.9.1
    cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.9.1
  • cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.2
    cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.2
  • phpMYAdmin 2.11.2.2
    cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.2.2
  • phpMYAdmin 2.11.2.0
    cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.2.0
  • phpMYAdmin 2.11.1.2
    cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.1.2
  • phpMYAdmin 2.11.1.0
    cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.1.0
  • phpMYAdmin 2.11.5.0
    cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.5.0
  • phpMYAdmin 2.11.4.0
    cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.4.0
  • phpMYAdmin 2.11.3.0
    cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.3.0
  • cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.1
    cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.1
  • phpMYAdmin 2.11.9.2
    cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.9.2
  • cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.4
    cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.4
  • cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.0:rc1
    cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.0:rc1
  • cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.1:rc1
    cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.1:rc1
  • cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.0:beta1
    cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.0:beta1
  • cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.4:rc1
    cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.4:rc1
  • cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.3:rc1
    cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.3:rc1
  • cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.0.0
    cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.0.0
  • phpMYAdmin 2.11.9.5
    cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.9.5
  • phpMYAdmin 2.11.9.6
    cpe:2.3:a:phpmyadmin:phpmyadmin:2.11.9.6
CVSS
Base: 10.0 (as of 20-01-2010 - 08:11)
Impact:
Exploitability:
CWE CWE-310
CAPEC
  • Signature Spoofing by Key Recreation
    An attacker obtains an authoritative or reputable signer's private signature key by exploiting a cryptographic weakness in the signature algorithm or pseudorandom number generation and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker.
Access
VectorComplexityAuthentication
NETWORK LOW NONE
Impact
ConfidentialityIntegrityAvailability
COMPLETE COMPLETE COMPLETE
nessus via4
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-201201-01.NASL
    description The remote host is affected by the vulnerability described in GLSA-201201-01 (phpMyAdmin: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in phpMyAdmin. Please review the CVE identifiers and phpMyAdmin Security Advisories referenced below for details. Impact : Remote attackers might be able to insert and execute PHP code, include and execute local PHP files, or perform Cross-Site Scripting (XSS) attacks via various vectors. Workaround : There is no known workaround at this time.
    last seen 2019-02-21
    modified 2019-02-07
    plugin id 57433
    published 2012-01-05
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=57433
    title GLSA-201201-01 : phpMyAdmin: Multiple vulnerabilities
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-2034.NASL
    description Several vulnerabilities have been discovered in phpMyAdmin, a tool to administer MySQL over the web. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2008-7251 phpMyAdmin may create a temporary directory, if the configured directory does not exist yet, with insecure filesystem permissions. - CVE-2008-7252 phpMyAdmin uses predictable filenames for temporary files, which may lead to a local denial of service attack or privilege escalation. - CVE-2009-4605 The setup.php script shipped with phpMyAdmin may unserialize untrusted data, allowing for cross site request forgery.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 45556
    published 2010-04-19
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=45556
    title Debian DSA-2034-1 : phpmyadmin - several vulnerabilities
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_0_PHPMYADMIN-091209.NASL
    description The use of unserialize() on POST data which could have lead to remote code execution (CVE-2009-4605) has been fixed as well as some minor temporary file issues (CVE-2008-7251, CVE-2008-7252).
    last seen 2019-02-21
    modified 2014-06-13
    plugin id 44044
    published 2010-01-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=44044
    title openSUSE Security Update : phpMyAdmin (phpMyAdmin-1801)
refmap via4
bid 37826
confirm
debian DSA-2034
secunia
  • 38211
  • 39503
suse SUSE-SR:2010:001
vupen ADV-2010-0910
Last major update 28-01-2011 - 00:00
Published 19-01-2010 - 11:30
Back to Top