We received an advisory from Omer Singer, The DigiTrust Group, and we wish to thank him for his work.
It was possible to trigger this attack on setup.php.
We consider this vulnerability to be serious; however, we could only trigger it when using Internet Explorer with the 'send URLs as UTF8' setting disabled. The default value of this setting being 'enabled' reduces the impact of this problem.
Probably all versions before 220.127.116.11.
Upgrade to phpMyAdmin 18.104.22.168 or newer.
Assigned CVE ids: CVE-2007-5386
The following commits have been made to fix this issue:
For further information and in case of questions, please contact the phpMyAdmin team. Our website is phpmyadmin.net.