CERT-In Advisory CIAD-2006-44
Multiple Vulnerabilities in Linux

Original issue date: November 27, 2006

Severity Rating: Medium

Systems Affected

  • GNU tar 1.15 and 1.16
  • NukeAI (module for PHP-Nuke) version 0.0.3 Beta and prior
  • phpMyAdmin 2.9.0 and prior

Overview

Multiple vulnerabilities have been reported in Linux that could be exploited by remote attackers to conduct cross-site request forgery (CSRF) attacks or execute arbitrary commands on the affected system.

Description

1. NukeAI Module for PHP-Nuke "AIbasedir" Variable Remote File Inclusion Vulnerability

A vulnerability has been reported in NukeAI (module for PHP-Nuke) due to an input validation error in the "util.php" script that does not validate the "AIbasedir" parameter. This could be exploited by remote attackers to include malicious files and execute arbitrary commands with the privileges of the web server.

2. phpMyAdmin Multiple cross-site scripting Vulnerability (CVE-2006-5116)

Multiple vulnerabilities have been reported in phpMyAdmin due to input validation errors. A remote attacker could exploit these vulnerabilities to bypass the cross-site request forgery (CSRF) protection by tricking the browser of a phpMyAdmin user into executing any kind of SQL query on the victim's database server.

3. GNU Tar Remote directory traversal vulnerability

A vulnerability has been reported in GNU Tar in the processing of malicious archives. A remote attacker could place or overwrite files at different locations on the affected system with the privileges of the user running the vulnerable application.

Solution

Apply the appropriate patches as suggested by the vendor.

References

FrSIRT
http://www.frsirt.com/english/advisories/2006/4702

SecurityFocus
http://www.securityfocus.com/bid/21235/info
http://www.securityfocus.com/bid/20253/info

CVE Name
CVE-2006-5116

Disclaimer

The information provided herein is on "as is" basis, without warranty of any kind.

Contact Information


Phone: +91-11-24368572

Postal address

Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003