GLSA Advocate
Joined: 12 May 2004 Posts: 2663
Posted: Sun Mar 09, 2008 9:26 pm Post subject: [ GLSA 200803-15 ] phpMyAdmin: SQL injection vulnerability
Gentoo Linux Security Advisory
Title: phpMyAdmin: SQL injection vulnerability (GLSA 200803-15)
Severity: low
Exploitable: local
Date: March 09, 2008
Bug(s): #212000
ID: 200803-15
Synopsis
A SQL injection vulnerability has been discovered in phpMyAdmin.
Background
phpMyAdmin is a free web-based database administration tool.
Affected Packages
Package: dev-db/phpmyadmin
Vulnerable: < 2.11.5
Unaffected: >= 2.11.5
Architectures: All supported architectures
Description
Richard Cunningham reported that phpMyAdmin uses the $_REQUEST variable instead of $_GET and $_POST as a source for its parameters.
Impact
An attacker could entice a user to visit a malicious web application that sets an "sql_query" cookie and is hosted on the same domain as phpMyAdmin, and thereby conduct SQL injection attacks with the privileges of the user authenticating in phpMyAdmin afterwards.
Workaround
There is no known workaround at this time.
Resolution
All phpMyAdmin users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=dev-db/phpmyadmin-2.11.5"
References
CVE-2008-1149
Last edited by GLSA on Sat Jan 10, 2009 4:19 am; edited 2 times in total
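The Description and Impact sections above turn on how PHP fills $_REQUEST. The following is an added example, not part of the advisory and not phpMyAdmin's code: it models the merge that PHP performs according to the `variables_order` / `request_order` ini settings and contrasts it with an accessor that reads only the query string and form body. The function names `build_request` and `request_param` and the sample request values are hypothetical and constructed for illustration.

```php
<?php
// Added example: a model of how PHP builds $_REQUEST, and a hardened
// accessor that ignores cookies. Function names are hypothetical.

/** Build a $_REQUEST-like array; later sources overwrite earlier ones. */
function build_request(string $order, array $get, array $post, array $cookie): array
{
    $sources = ['G' => $get, 'P' => $post, 'C' => $cookie];
    $merged = [];
    foreach (str_split(strtoupper($order)) as $letter) {
        if (isset($sources[$letter])) {
            // array_replace keeps keys and lets the later source win
            $merged = array_replace($merged, $sources[$letter]);
        }
    }
    return $merged;
}

/** Hardened accessor: only the form body and the query string count. */
function request_param(string $name, array $get, array $post): ?string
{
    foreach ([$post, $get] as $source) {
        if (isset($source[$name]) && is_string($source[$name])) {
            return $source[$name];
        }
    }
    return null;
}

// Constructed request: no sql_query parameter in the URL or form,
// but the browser sends a cookie with that name.
$get    = ['db' => 'test'];
$post   = [];
$cookie = ['sql_query' => 'COOKIE-SUPPLIED VALUE'];

// Merge order that includes cookies: the application sees a parameter
// the user never submitted.
$withCookies = build_request('GPC', $get, $post, $cookie);
echo "GPC merge:      ";
var_dump($withCookies['sql_query'] ?? null);

// Merge order restricted to GET and POST (request_order = "GP").
$getPostOnly = build_request('GP', $get, $post, $cookie);
echo "GP merge:       ";
var_dump($getPostOnly['sql_query'] ?? null);

// Reading from $_GET/$_POST directly gives the same protection
// regardless of the ini setting.
echo "request_param:  ";
var_dump(request_param('sql_query', $get, $post));
```

On a live installation, `php -i | grep -E 'request_order|variables_order'` shows which sources the running PHP merges into $_REQUEST.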