
PMASA-2008-1

Announcement-ID: PMASA-2008-1

Date: 2008-03-01

Updated: 2008-03-03

Summary

SQL injection vulnerability (Delayed Cross Site Request Forgery)

Description

We received an advisory from Richard Cunningham, and we wish to thank him for his work. phpMyAdmin used the $_REQUEST superglobal as the source for its parameters, instead of the $_GET and $_POST superglobals. This means that on most servers, a cookie with the same name as one of phpMyAdmin's parameters can interfere with that parameter.

Another application could set a cookie named "sql_query" for the root path "/". Because by default the $_REQUEST superglobal imports GET data first, then POST, then COOKIE, and a later source overwrites an earlier one with the same name, the cookie value overrides the user-submitted sql_query.

Severity

We consider this vulnerability to be serious.

Mitigation factor

An attacker must trick the victim into visiting a page on the same web server where he has placed code that creates a malicious cookie.

Affected Versions

Versions before 2.11.5.

Solution

Upgrade to phpMyAdmin 2.11.5 or newer, where $_REQUEST is rebuilt to not contain cookies.
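
The merge order from the Description and the cookie-free rebuild from the Solution, as an added example (not phpMyAdmin's own code or its patch). The function names and the sample request values are hypothetical and constructed for illustration, and the merge is simplified to top-level keys.

```php
<?php
// Added illustration; not phpMyAdmin's code. All function names are hypothetical.

/**
 * Merge request sources the way $_REQUEST is filled: sources are imported in
 * the given order (letters G, P, C) and a later source overwrites an earlier
 * one when names clash. Simplified to top-level keys.
 */
function merge_request(string $order, array $get, array $post, array $cookie): array
{
    $sources = ['G' => $get, 'P' => $post, 'C' => $cookie];
    $merged = [];
    foreach (str_split(strtoupper($order)) as $letter) {
        if (isset($sources[$letter])) {
            // array_replace keeps keys as-is; later values win.
            $merged = array_replace($merged, $sources[$letter]);
        }
    }
    return $merged;
}

/** Cookie names that shadow a GET or POST parameter of the same name. */
function shadowing_cookies(array $get, array $post, array $cookie): array
{
    return array_values(array_intersect(array_keys($cookie), array_keys($get + $post)));
}

/** Hardened rebuild: parameters come from GET and POST only, never cookies. */
function rebuild_request_without_cookies(array $get, array $post): array
{
    return merge_request('GP', $get, $post, []);
}

// Constructed sample request: the user submits a query by POST while a cookie
// named sql_query, set for path "/" by another application, is also sent.
$get    = ['db' => 'shop'];
$post   = ['sql_query' => 'SELECT 1'];
$cookie = ['sql_query' => 'COOKIE-SUPPLIED QUERY', 'theme' => 'dark'];

$legacy = merge_request('GPC', $get, $post, $cookie);
$fixed  = rebuild_request_without_cookies($get, $post);

echo "GPC merge sql_query:  ", $legacy['sql_query'], "\n";
echo "GP rebuild sql_query: ", $fixed['sql_query'], "\n";
echo "Cookies shadowing parameters: ",
    implode(', ', shadowing_cookies($get, $post, $cookie)), "\n";
```

Logging the result of a check like `shadowing_cookies()` on incoming requests gives a signal that some other application on the same host is setting cookies that collide with parameter names.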

References

Assigned CVE ids: CVE-2008-1149

CWE ids: CWE-661 CWE-89

Patches

The following commits have been made to fix this issue:

More information

For further information and in case of questions, please contact the phpMyAdmin team. Our website is phpmyadmin.net.