Alert: phpMyAdmin Vulnerability Discovered

Printable View

September 17th, 2008, 06:45 PM
phernandez

Alert: phpMyAdmin Vulnerability Discovered

FYI MySQL devs/admins. Looks like phpMyAdmin 2.11.9.0 and 3.0.0 RC1 have a pretty serious vulnerability. Upgrade today!

Serious vulnerability in phpMyAdmin [Update] - Heise Security

Quote:

The advisory released by the phpMyAdmin developers stated the problem was that parameters of sort_by were not escaped and an attacker, if they were already logged in, could manipulate this to call the PHP exec function and run arbitrary code. The vulnerability was discovered by Norman Hippert in 3.0.0 RC1 initially, and checking showed that previous versions were also affected.
September 18th, 2008, 05:29 AM
HTRegz

Is this really that big of an issue? How many people have access to your phpMyAdmin installation? In my case, I'm the only one who has login credentials for any of my servers... and from the article.

Quote:

an attacker, if they were already logged in, could manipulate this to call the PHP exec function and run arbitrary code.

An issue? Yes... A big issue? Not so much.
September 19th, 2008, 12:44 AM
t34b4g5

Quote:

Originally Posted by HTRegz

An issue? Yes... A big issue? Not so much.

Couldn't have said it better myself. Well the wording is better then what i was thinking of using. :p
September 19th, 2008, 07:01 PM
phernandez

Why, you... :)
September 24th, 2008, 05:21 AM
Und3ertak3r

Quote:

Originally Posted by HTRegz

Is this really that big of an issue? How many people have access to your phpMyAdmin installation? In my case, I'm the only one who has login credentials for any of my servers... and from the article.

An issue? Yes... A big issue? Not so much.

Thanks HT for putting that into perspective

(so the reality is it is a Quiet News week type of serious Issue.. )