phpMyAdmin updates close vulnerabilities
The phpMyAdmin developers have announced the release of versions 3.3.5.1 and 2.11.10.1 of their database administration tool, security updates that fix one critical and several serious vulnerabilities. According to the developers, a critical vulnerability in the 2.11.x branch of phpMyAdmin could be used to trick the set-up script used to generate configurations by "using a crafted POST request to include arbitrary PHP code in a generated configuration file". When combined with the ability to save files on the server, this could allow unauthenticated users to execute arbitrary PHP code. The 3.x branch of phpMyAdmin is reportedly unaffected.
Additionally, the updates fix several "serious" cross-site scripting (XSS) vulnerabilities in the 2.11.x and 3.x branches that could be used to launch an XSS attack using specially crafted URLs or POST parameters. All previous versions are reportedly affected. The developers advise all users to upgrade as soon as possible.
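Both advisories come down to the same defect class: a request parameter is copied into an output context (a generated PHP source file in the first case, an HTML page in the second) without being escaped for that context. The following Python is an added illustration, not phpMyAdmin's code; the `$cfg['Servers'][1]` layout, the key names in `ALLOWED_KEYS` and the sample values are assumptions for the example. It contrasts a raw-interpolation config writer with one that emits every value as a properly escaped PHP string literal and rejects unexpected keys, adds a check that a generated line is still a single well-formed assignment, and shows the HTML-context escaper that addresses the reflected-parameter case.

```python
"""Context-aware output escaping for a generated configuration file.

Added example (not phpMyAdmin's code).  Key names and the $cfg layout
are assumed for illustration.
"""
import html
import re

# Assumed: the set-up form may only write these keys; anything else is rejected.
ALLOWED_KEYS = {"host", "user", "socket", "connect_type"}

# Shape of one acceptable generated line: a single-quoted literal in which
# every quote or backslash inside the value is escaped.
_WELL_FORMED = re.compile(
    r"^\$cfg\['Servers'\]\[1\]\['[a-z_]+'\] = '(?:[^'\\]|\\.)*';$"
)


def php_string_literal(value: str) -> str:
    """Emit value as a PHP single-quoted string literal.

    Inside single quotes PHP interprets only \\' and \\\\, so escaping those
    two characters is sufficient: the value is stored as data and can never
    terminate the literal, whatever else it contains.
    """
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"


def unsafe_config_line(key: str, value: str) -> str:
    """The defect class: raw interpolation of a request value into PHP source."""
    return f"$cfg['Servers'][1]['{key}'] = '{value}';"


def safe_config_line(key: str, value: str) -> str:
    """Hardened form: whitelist the key and escape the value for PHP source."""
    if key not in ALLOWED_KEYS:
        raise ValueError(f"unknown config key: {key!r}")
    return f"$cfg['Servers'][1]['{key}'] = {php_string_literal(value)};"


def is_well_formed(line: str) -> bool:
    """Post-generation check: exactly one assignment of one string literal."""
    return _WELL_FORMED.match(line) is not None


def html_escape(value: str) -> str:
    """Escaper for the HTML context (the XSS case): encode <, >, &, " and '."""
    return html.escape(value, quote=True)


def render_error_page(param: str) -> str:
    """Reflect a request parameter into HTML only through the HTML escaper."""
    return f"<p>Unknown server: {html_escape(param)}</p>"


if __name__ == "__main__":
    # Constructed sample value containing the two characters that matter.
    tricky = "db'host\\one"
    print(unsafe_config_line("host", tricky), is_well_formed(unsafe_config_line("host", tricky)))
    print(safe_config_line("host", tricky), is_well_formed(safe_config_line("host", tricky)))
    print(render_error_page("<b>x</b>"))
```

The regex check is a cheap last line of defence for a generator: run it on every line before the file is written, and refuse to write the file if any line fails, so a value that the escaper did not handle cannot reach disk as executable source.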
Versions 3.3.5.1 and 2.11.10.1 of phpMyAdmin are available to download from the project's site. phpMyAdmin is licensed under version 2 of the GNU General Public License (GPLv2).
See also:
- Insufficient output sanitizing when generating configuration file, a phpMyAdmin security advisory.
- Several XSS vulnerabilities were found in the code, a phpMyAdmin security advisory.
(crve)