phpMyAdmin updates close vulnerabilities
The phpMyAdmin developers have announced the release of versions 2.11.9.5 and 3.1.3.1 of their database administration tool, security updates that fix one critical and several serious vulnerabilities. According to the developers, a critical vulnerability in the 2.11.x branch of phpMyAdmin could be used to trick the set-up script that generates the configuration file by "using a crafted POST request to include arbitrary PHP code in a generated configuration file". Because the set-up script can write that file straight into the config directory when the web server is allowed to save files there, the combination would let unauthenticated users execute arbitrary PHP code on the server the next time the configuration is loaded. The 3.x branch of phpMyAdmin is reportedly unaffected by this issue.
Additionally, the updates fix several "serious" cross-site scripting (XSS) vulnerabilities in the 2.11.x and 3.x branches: parameters supplied in specially crafted URLs or POST requests were reflected into pages without adequate escaping, which can be used to run script in the browser of a logged-in administrator. All previous versions are reportedly affected. The developers advise all users to upgrade as soon as possible.
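The following is an added illustration of the configuration-file injection described above; it is not phpMyAdmin's own set-up script and does not reproduce the exact request used against it. It assumes a minimal generator that accepts the four hypothetical keys in SERVER_KEYS from a POST form and writes them into a config.inc.php-style file. The vulnerable variant pastes raw values between quotes, the hardened variant serialises them with var_export(), and a tokenizer-based check shows how to tell a clean generated file from one carrying injected code. The attacker input is constructed for the example.

```php
<?php
// Added illustration, not phpMyAdmin's own setup code: a minimal config
// generator with the injection pattern the advisory describes, a hardened
// version, and a token-based check of the generated file.

// Hypothetical set of keys a setup form accepts (assumption for this example).
const SERVER_KEYS = ['host', 'user', 'password', 'port'];

// Vulnerable: raw POST values are pasted between single quotes. A quote in
// the value terminates the literal and whatever follows is executed the
// next time the generated file is include()d.
function generateConfigVulnerable(array $post): string
{
    $out = "<?php\n";
    foreach (SERVER_KEYS as $key) {
        $value = $post[$key] ?? '';
        $out .= "\$cfg['Servers'][1]['$key'] = '$value';\n";
    }
    return $out;
}

// Hardened: every value is serialised with var_export(), which produces a
// correctly quoted and escaped PHP literal, and non-scalars are rejected so
// nested arrays cannot add structure the template never intended.
function generateConfigSafe(array $post): string
{
    $out = "<?php\n";
    foreach (SERVER_KEYS as $key) {
        $value = $post[$key] ?? '';
        if (!is_scalar($value)) {
            throw new InvalidArgumentException("non-scalar value for '$key'");
        }
        $out .= "\$cfg['Servers'][1]['$key'] = "
              . var_export((string) $value, true) . ";\n";
    }
    return $out;
}

// Check for a generated file: tokenise it and flag anything that is not an
// assignment of a constant string to $cfg. A function call (T_STRING followed
// by '(') or any variable other than $cfg means code was injected.
function configHasInjectedCode(string $php): bool
{
    $tokens = token_get_all($php);
    $n = count($tokens);
    for ($i = 0; $i < $n; $i++) {
        $t = $tokens[$i];
        if (!is_array($t)) {
            continue;
        }
        if ($t[0] === T_VARIABLE && $t[1] !== '$cfg') {
            return true;
        }
        if ($t[0] === T_STRING) {
            // look past whitespace for an opening parenthesis
            for ($j = $i + 1; $j < $n; $j++) {
                if (is_array($tokens[$j]) && $tokens[$j][0] === T_WHITESPACE) {
                    continue;
                }
                if ($tokens[$j] === '(') {
                    return true;
                }
                break;
            }
        }
    }
    return false;
}

// Constructed attacker input (not a captured request): closes the string
// literal, injects a call, and comments out the remainder of the line.
$crafted = [
    'host'     => 'localhost',
    'user'     => "root'; system(\$_GET['cmd']); //",
    'password' => '',
    'port'     => '3306',
];

$vulnerable = generateConfigVulnerable($crafted);
$safe       = generateConfigSafe($crafted);

echo "--- vulnerable output ---\n$vulnerable";
echo "injected code detected: " . (configHasInjectedCode($vulnerable) ? 'yes' : 'no') . "\n\n";
echo "--- hardened output ---\n$safe";
echo "injected code detected: " . (configHasInjectedCode($safe) ? 'yes' : 'no') . "\n";
```

Run with `php example.php`: the vulnerable output contains a bare `system($_GET['cmd'])` statement and is flagged, while the hardened output keeps the whole payload inside one escaped string literal and passes the check. Escaping closes the injection vector but not the second precondition the advisory mentions: a set-up script should not be left in place, and its output directory should not be writable by the web server, once the configuration has been generated.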
- Insufficient output sanitizing when generating configuration file, a phpMyAdmin security advisory.
- Several XSS vulnerabilities were found in the code, a phpMyAdmin security advisory.