In association with heise online

04 March 2008, 11:15

Update for phpMyAdmin


The developers of the widely used MySQL administration tool phpMyAdmin have released an updated version, 2.11.5, which closes an SQL injection vulnerability. Since phpMyAdmin uses the $_REQUEST variable array instead of $_GET or $_POST for reading the parameter list, it is possible on some servers for a user's cookies to be confused with the request parameters. This allows attackers to set their own cookies in visitors' browsers using a page on the same server. Apparently, another application can set a cookie named sql_query for the root path, thus overwriting the user's SQL query.

The developers classify this as a serious security problem. A patch is also available as an alternative to the update: this prevents cookies being contained in the $_REQUEST array. In addition to this vulnerability, the developers have also eliminated various other errors.
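The parameter shadowing described above, as an added example (not phpMyAdmin's code or its patch): it models how PHP fills $_REQUEST from GET, POST and cookie data, then builds the parameter list from GET and POST only. The function names, the "GPC" merge order and all sample values are assumptions constructed for illustration.

```php
<?php
// Added illustration; sample values below are constructed.

// Model how PHP fills $_REQUEST: sources are applied in the configured
// order (G = GET, P = POST, C = cookies); later sources replace earlier ones.
function build_request(array $get, array $post, array $cookie, string $order): array
{
    $sources = ['G' => $get, 'P' => $post, 'C' => $cookie];
    $merged = [];
    foreach (str_split(strtoupper($order)) as $letter) {
        if (isset($sources[$letter])) {
            $merged = array_replace($merged, $sources[$letter]);
        }
    }
    return $merged;
}

// Hardened parameter list: GET and POST only, cookies never contribute.
function request_without_cookies(array $get, array $post): array
{
    return array_replace($get, $post);
}

// Names of cookies that collide with a submitted parameter (worth logging).
function shadowing_cookies(array $get, array $post, array $cookie): array
{
    return array_keys(array_intersect_key($cookie, $get + $post));
}

// What the user submitted through the application's own form.
$get  = ['db' => 'shop', 'sql_query' => 'SELECT id FROM orders'];
$post = [];
// Cookie set for path "/" by a different application on the same host.
$cookie = ['sql_query' => 'SELECT 1 -- value taken from the cookie', 'lang' => 'en'];

$weak = build_request($get, $post, $cookie, 'GPC');
$safe = request_without_cookies($get, $post);

echo "with cookies in the merge: {$weak['sql_query']}\n";
echo "GET and POST only:         {$safe['sql_query']}\n";
echo "colliding cookie names:    " . implode(', ', shadowing_cookies($get, $post, $cookie)) . "\n";
```

On a live server the merge order comes from the request_order and variables_order settings in php.ini, so whether cookies reach $_REQUEST depends on configuration.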


(mba)

Permalink: http://h-online.com/-734393