PMASA-2005-9

Announcement-ID: PMASA-2005-9

Date: 2005-12-07

Summary

Cross-Site Scripting, local and remote code execution vulnerabilities

Description

Two days after the release of version 2.7.0, we received a security advisory from Stefan Esser (sesser@hardened-php.net) and we wish to thank him for his work. It is possible to overwrite the global import_blacklist variable to open phpMyAdmin 2.7.0 to those vulnerabilities.

Severity

We consider these vulnerabilities to be serious.

Affected Versions

Only the unpatched 2.7.0 version.

Solution

Upgrade to phpMyAdmin 2.7.0-pl1 or newer.

References

http://www.hardened-php.net/advisory_252005.110.html

Assigned CVE ids: CVE-2005-4079

CWE ids: CWE-661 CWE-79 CWE-98 CWE-94

Patches

The following commits have been made to fix this issue:

More information

For further information and in case of questions, please contact the phpMyAdmin team. Our website is phpmyadmin.net.

Announcements