Alert: phpMyAdmin Vulnerability Discovered

  1. #1
    Senior Member phernandez
    Join Date
    Aug 2003
    Location
    NYC
    Posts
    246

    Alert: phpMyAdmin Vulnerability Discovered

    FYI MySQL devs/admins. Looks like phpMyAdmin 2.11.9.0 and 3.0.0 RC1 have a pretty serious vulnerability. Upgrade today!

    Serious vulnerability in phpMyAdmin [Update] - Heise Security

    The advisory released by the phpMyAdmin developers stated the problem was that parameters of sort_by were not escaped and an attacker, if they were already logged in, could manipulate this to call the PHP exec function and run arbitrary code. The vulnerability was discovered by Norman Hippert in 3.0.0 RC1 initially, and checking showed that previous versions were also affected.

  2. #2
    Senior Member
    Join Date
    Jan 2003
    Posts
    3,914
    Is this really that big of an issue? How many people have access to your phpMyAdmin installation? In my case, I'm the only one who has login credentials for any of my servers... and from the article.

    "an attacker, if they were already logged in, could manipulate this to call the PHP exec function and run arbitrary code."
    An issue? Yes... A big issue? Not so much.
    IT Blog: .:Computer Defense:.
    PnCHd (Pronounced Pinched): Acronym - Point 'n Click Hacked. As in: "That website was pinched" or "The skiddie pinched my computer because I forgot to patch".

  3. #3
    Senior Member t34b4g5
    Join Date
    Sep 2003
    Location
    Australia.
    Posts
    2,391

    Quote Originally Posted by HTRegz
    An issue? Yes... A big issue? Not so much.
    Couldn't have said it better myself. Well, the wording is better than what I was thinking of using.

  5. #5
    The Doctor Und3ertak3r
    Join Date
    Apr 2002
    Posts
    2,743
    Quote Originally Posted by HTRegz
    Is this really that big of an issue? How many people have access to your phpMyAdmin installation? In my case, I'm the only one who has login credentials for any of my servers... and from the article.

    An issue? Yes... A big issue? Not so much.
    Thanks HT for putting that into perspective


    (so the reality is it is a Quiet News week type of serious Issue.. )
    "Consumer technology now exceeds the average persons ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr
