Update for phpMyAdmin
The developers of the widely used phpMyAdmin MySQL administration tool have released an updated version, 2.11.5, which closes an SQL injection vulnerability. Since phpMyAdmin uses the $_REQUEST variable array instead of $_GET or $_POST for reading the parameter list, it is possible on some servers for a user's cookies to become confused. This allows attackers to set their own cookies in visitors' browsers using a page on the same server. Apparently, another application can set a cookie named sql_query for the root path, thus overwriting the user's SQL query.
The developers classify this as a serious security problem. A patch is also available as an alternative to the update: this prevents cookies being contained in the $_REQUEST array. In addition to this vulnerability, the developers have also eliminated various other errors.
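How the precedence problem arises, and what keeping cookies out of $_REQUEST changes, shown as an added PHP illustration (not phpMyAdmin's code or its patch). build_request() and cookie_sourced() are hypothetical helpers that model PHP's merge order, and the request data is constructed.

```php
<?php
// Added illustration, not phpMyAdmin code. Helper names are hypothetical.

// Model how PHP fills $_REQUEST: sources are merged in the configured order
// (variables_order, or request_order from PHP 5.3 on) and a later source
// overwrites an earlier one. G = GET, P = POST, C = COOKIE.
function build_request(string $order, array $get, array $post, array $cookie): array
{
    $sources = ['G' => $get, 'P' => $post, 'C' => $cookie];
    $merged = [];
    foreach (str_split(strtoupper($order)) as $letter) {
        if (isset($sources[$letter])) {
            $merged = array_replace($merged, $sources[$letter]);
        }
    }
    return $merged;
}

// Names of parameters whose merged value was supplied by a cookie and not by
// the GET or POST data of the request itself.
function cookie_sourced(array $merged, array $get, array $post, array $cookie): array
{
    $explicit = array_replace($get, $post);
    $names = [];
    foreach ($cookie as $name => $value) {
        $fromRequest = array_key_exists($name, $explicit) && $explicit[$name] === $value;
        if (array_key_exists($name, $merged) && $merged[$name] === $value && !$fromRequest) {
            $names[] = $name;
        }
    }
    return $names;
}

// Constructed sample data: the user submits a query, a cookie carries the same name.
$get    = ['db' => 'shop', 'sql_query' => 'SELECT 1'];
$post   = [];
$cookie = ['sql_query' => 'VALUE-FROM-COOKIE', 'lang' => 'en'];

// Cookies merged last: the cookie value replaces the submitted sql_query.
$withCookies = build_request('GPC', $get, $post, $cookie);
echo $withCookies['sql_query'], "\n";
echo implode(',', cookie_sourced($withCookies, $get, $post, $cookie)), "\n";

// Cookies left out of the merge, as the patch described above arranges.
$withoutCookies = build_request('GP', $get, $post, $cookie);
echo $withoutCookies['sql_query'], "\n";
echo count(cookie_sourced($withoutCookies, $get, $post, $cookie)), "\n";
```

Code that genuinely needs a cookie value can then read it from $_COOKIE explicitly, so the source of every parameter is visible at the point of use.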
See also:
- SQL injection vulnerability, vulnerability report from phpMyAdmin
(mba)