phpMyAdmin updates patch critical holes
The phpMyAdmin developers have released versions 126.96.36.199 and 188.8.131.52 of their database administration tool; these are security updates that fix a total of four security holes. Rated as "highly critical" by Secunia, the vulnerabilities include a session manipulation bug in Swekey authentication that could be exploited to overwrite session variables, a possible code injection hole in the setup script and a regular expression quoting problem in Synchronize code.
According to the developers, the above vulnerabilities could lead to the injection and execution of arbitrary code. Versions 3.4.3 and and earlier are reportedly affected – the 2.11.x branch is not affected. A directory traversal vulnerability related to the filtering of a file path in the MIME-type transformation code which affects all previous versions has also been closed. All users are advised to update to the latest versions. Alternatively, users can apply the provided patches.
Versions 184.108.40.206 and 220.127.116.11 of phpMyAdmin are available to download from the project's site. Hosted on SourceForge, phpMyAdmin is made available under version 2 of the GNU General Public License (GPLv2).
- Possible session manipulation in Swekey authentication, a phpMyAdmin security advisory.
- Possible code injection in setup script in case session variables are compromised, a phpMyAdmin security advisory.
- Regular expression quoting issue in Synchronize code, a phpMyAdmin security advisory.
- Possible directory traversal, a phpMyAdmin security advisory.