Bringing MySQL to the web

PMASA-2005-4

Announcement-ID: PMASA-2005-4

Date: 2005-10-11

Summary

Local file inclusion vulnerability

Description

In libraries/grab_globals.lib.php, the $$__redirect parameter was not correctly validated, opening the door to a local file inclusion attack.

Severity

We consider this vulnerability to be serious. However, it can be exploited only on systems not running in PHP safe mode (unless a deliberate hole was opened by including in open_basedir some paths containing sensitive data).

Affected Versions

phpMyAdmin versions 2.6.4 and 2.6.4-pl1.

Solution

Upgrade to phpMyAdmin 2.6.4-pl2 or newer.

References

Assigned CVE ids: CVE-2005-3299

CWE ids: CWE-661 CWE-98

More information

For further information and in case of questions, please contact the phpMyAdmin team. Our website is phpmyadmin.net.