PMASA-2010-3

Announcement-ID: PMASA-2010-3

Date: 2010-01-15

Updated: 2010-01-27

Summary

Unsafe usage of unserialize function.

Description

phpMyAdmin used the unserialize() PHP function on potentially unsafe data in setup script, what could be potentially used for XSRF attack, which can lead to code execution.

Severity

We consider these vulnerabilities to be critical.

Affected Versions

For 2.11.x: versions before 2.11.10 are affected.

Unaffected Versions

3.x releases are not affected.

Solution

Upgrade to phpMyAdmin 3.0.0 or 2.11.10.

References

We wish to thank to Thomas Biege and Sebastian Krahmer for pointing out this issue.

Assigned CVE ids: CVE-2009-4605

CWE ids: CWE-661 CWE-352

Patches

The following commits have been made on the 2.11 branch to fix this issue:

More information

For further information and in case of questions, please contact the phpMyAdmin team. Our website is phpmyadmin.net.

Announcements