Bringing MySQL to the web

PMASA-2005-1

Announcement-ID: PMASA-2005-1

Date: 2005-02-25

Summary

A variable injection vulnerability was found in phpMyAdmin, that may allow an attacker to conduct Cross-site scripting (XSS) attacks and / or perform remote file inclusion.

Description

We received two bug reports by Maksymilian Arciemowicz about those vulnerabilities and we wish to thank him for his work. The vulnerabilities apply to those points:

  1. css/phpmyadmin.css.php was vulnerable against $cfg and GLOBALS variable injections. This way, a possible attacker could manipulate any configuration parameter. Using phpMyAdmin's theming mechanism, he was able to include arbitrary files. This is especially dangerous if php is not running in safe mode.
  2. A possible attacker could manipulate phpMyAdmin's localized strings via the URL and inject harmful JavaScript code this way, which could be used for XSS attacks.

Severity

We consider both vulnerabilities to be serious.

Affected Versions

Because the theming mechanism was used to perform the remote file inclusion, only the 2.6 branch is affected. Regarding the XSS attacks, we have to assume that all versions down to 1.3.1 are affected.

Unaffected Versions

CVS HEAD, QA_2_6_0 and QA_2_6_1 have been fixed. The current version, 2.6.1-pl2, should not be vulnerable, either - as long as phpMyAdmin is run with "register_globals = off".

Solution

We strongly advise everyone to upgrade to phpMyAdmin 2.6.1-pl2 or later and to disable register_globals at least for the phpMyAdmin directory.

References

Bug 1149381 and Bug 1149383

Assigned CVE ids: CVE-2005-0567

CWE ids: CWE-661 CWE-79 CWE-94

More information

For further information and in case of questions, please contact the phpMyAdmin team. Our website is phpmyadmin.net.