Announcement-ID: PMASA-2005-5

Date: 2005-10-22

Updated: 2005-10-25

Summary
(1) Local file inclusion vulnerability and (2) Cross-Site Scripting vulnerability

Description
We received a security advisory from Stefan Esser ( about (1). We received a security advisory from Tobias Klein ( about (2). We wish to thank both of them for their work.

(1) : Because of the order in which some scripts import form parameters into their variables, it was possible to craft a form submission whose fields overwrite configuration parameters; a configuration value controlled by the request is what makes the local file inclusion possible.
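The following is an added illustration of the bug class described in (1); it is not phpMyAdmin's own code and does not reproduce its actual scripts. The variable names ($cfg['Server']['extension']), the libraries/dbi/ include path, the allowlist of request keys and the list of known extensions are all assumptions chosen to show the pattern: request parameters imported into the global scope after the configuration has been set, so that a field named cfg[...] replaces a configuration value that later lands in an include path.

```php
<?php
// Illustrative reconstruction of the bug class in (1), added to this advisory.
// This is NOT phpMyAdmin's code: $cfg['Server']['extension'], the include path,
// the allowlist and the list of known extensions are assumptions.

// Step 1: the application sets its configuration.
$cfg = array('Server' => array('extension' => 'mysql'));

// Step 2 (vulnerable ordering): request parameters are copied into the global
// scope AFTER $cfg exists, and nothing stops a key named "cfg" from arriving.
function import_request_vars_vulnerable(array $request)
{
    foreach ($request as $key => $value) {
        $GLOBALS[$key] = $value;   // "cfg" from the request replaces the real $cfg
    }
}

// Step 3: a configuration value later ends up in an include path.
function dbi_include_path(array $cfg)
{
    return 'libraries/dbi/' . $cfg['Server']['extension'] . '.dbi.lib.php';
}

// Hardened import: only named, expected keys are accepted, they are returned to
// the caller instead of being written into $GLOBALS, and $cfg is never touched.
function import_request_vars_hardened(array $request, array $allowed_keys)
{
    $imported = array();
    foreach ($request as $key => $value) {
        if (in_array($key, $allowed_keys, true)) {
            $imported[$key] = $value;
        }
    }
    return $imported;
}

// Defence in depth: the value used in the include path must come from a fixed
// list (assumed here), so even a clobbered $cfg cannot become an arbitrary path.
function dbi_include_path_hardened(array $cfg)
{
    $known = array('mysql', 'mysqli');
    $ext = $cfg['Server']['extension'];
    if (!in_array($ext, $known, true)) {
        throw new RuntimeException('unknown database extension: ' . $ext);
    }
    return 'libraries/dbi/' . $ext . '.dbi.lib.php';
}

// Constructed request: what a crafted form containing a field named
// cfg[Server][extension] looks like after PHP has parsed it.
$attack_request = array(
    'db'  => 'test',
    'cfg' => array('Server' => array('extension' => '../../../../tmp/evil')),
);

echo "include path before: ", dbi_include_path($cfg), "\n";

import_request_vars_vulnerable($attack_request);
echo "include path after vulnerable import: ", dbi_include_path($GLOBALS['cfg']), "\n";
// the path now points at an attacker-chosen file under ../../../../tmp/

// Reset and show the hardened flow: $cfg is untouched and only 'db' is imported.
$cfg = array('Server' => array('extension' => 'mysql'));
$vars = import_request_vars_hardened($attack_request, array('db', 'table'));
echo "imported keys: ", implode(',', array_keys($vars)), "\n";
echo "include path after hardened import: ", dbi_include_path_hardened($cfg), "\n";
```

Run it with the PHP command-line interpreter to see the include path change under the vulnerable import and stay fixed under the hardened one. The two fixes are independent: importing only expected keys (and never into $GLOBALS) removes the overwrite, and checking the extension against a fixed list keeps an include path from depending on any value that a request could have influenced. On a host you are assessing, `php -r 'var_dump(ini_get("safe_mode"), ini_get("open_basedir"));'` shows whether the safe-mode condition mentioned under Severity applies.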

(2) : Some scripts were vulnerable to XSS attacks: left.php, queryframe.php and server_databases.php.

Severity
We consider these vulnerabilities to be serious. However, (1) can be exploited only on systems where PHP safe mode is disabled (or where a deliberate hole was opened by listing paths that contain sensitive data in open_basedir).

Affected Versions

We did not verify this extensively; probably all versions before 2.6.4-pl3 are affected.

Solution
Upgrade to phpMyAdmin 2.6.4-pl3 or newer.

References
For (1):
For (2):

CWE ids: CWE-661 CWE-98 CWE-79

More information

For further information and in case of questions, please contact the phpMyAdmin team. Our website is