PMASA-2008-1
Announcement-ID: PMASA-2008-1
Date: 2008-03-01
Updated: 2008-03-03
Summary
SQL injection vulnerability (Delayed Cross Site Request Forgery)
Description
We received an advisory from Richard Cunningham, and we wish to thank him for his work. phpMyAdmin used the $_REQUEST superglobal as a source for its parameters, instead of the $_GET and $_POST superglobals. This means that on most servers, a cookie with the same name as one of phpMyAdmin's parameters can interfere.
Another application could set a cookie for the root path "/" with the name "sql_query", thereby overriding the user-submitted sql_query, because by default the $_REQUEST superglobal imports GET data first, then POST, then COOKIE data, and each later source overwrites a value of the same name from an earlier one.
Severity
We consider this vulnerability to be serious.
Mitigation factor
An attacker must trick the victim into visiting a page on the same web server where he has placed code that creates a malicious cookie.
Affected Versions
Versions before 2.11.5.
Solution
Upgrade to phpMyAdmin 2.11.5 or newer, where $_REQUEST is rebuilt to not contain cookies.
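The import order and the effect of rebuilding the request array without cookies can be reproduced with the added example below, which is an illustration written for this page and not phpMyAdmin's own code. The helper names build_request() and cookie_collisions() are hypothetical, it handles flat (non-nested) parameters only, and all sample values are constructed.

```php
<?php
// Added illustration; not phpMyAdmin's code. All sample values are constructed.

/**
 * Emulate how PHP fills $_REQUEST for a given import order string
 * (e.g. "GPC"): each later source overwrites keys set by earlier ones.
 */
function build_request(string $order, array $get, array $post, array $cookie): array
{
    $sources = ['G' => $get, 'P' => $post, 'C' => $cookie];
    $request = [];
    foreach (str_split(strtoupper($order)) as $letter) {
        if (isset($sources[$letter])) {
            // array_merge lets the later source win on duplicate string keys
            $request = array_merge($request, $sources[$letter]);
        }
    }
    return $request;
}

/** Names that arrive both as a cookie and as a GET/POST parameter. */
function cookie_collisions(array $get, array $post, array $cookie): array
{
    return array_values(array_intersect(array_keys($cookie), array_keys($get + $post)));
}

// Constructed request: the user submits a query via POST, while a cookie
// scoped to "/" by another application carries the same parameter name.
$get    = ['db' => 'shop'];
$post   = ['sql_query' => 'SELECT 1'];
$cookie = ['sql_query' => 'value-from-cookie', 'session' => 'abc'];

$default = build_request('GPC', $get, $post, $cookie); // default import order
$rebuilt = build_request('GP', $get, $post, $cookie);  // cookies left out

// With the default order the cookie value has replaced the submitted one.
var_dump($default['sql_query']);
// With cookies left out the user-submitted value is what the script sees.
var_dump($rebuilt['sql_query']);
// Colliding names are worth logging when reviewing an affected install.
var_dump(cookie_collisions($get, $post, $cookie));

// In a live script, one way to do the same rebuild from the real superglobals:
// $_REQUEST = array_merge($_GET, $_POST);
```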
References
Assigned CVE IDs: CVE-2008-1149
Patches
The following commits have been made to fix this issue:
More information
For further information and in case of questions, please contact the phpMyAdmin security team at security@phpmyadmin.net.