Announcement-ID: PMASA-2008-1
Date: 2008-03-01
Updated: 2008-03-03
SQL injection vulnerability (Delayed Cross Site Request Forgery)
We received an advisory from Richard Cunningham, and we wish to thank him for his work. phpMyAdmin used the $$_REQUEST superglobal as a source for its parameters, instead of $$_GET and $$_POST superglobals. This means that on most servers, a cookie with the same name as one of phpMyAdmin's parameters can interfere.
Another application could set a cookie for the root path "/" with a "sql_query" name, therefore overriding the user-submitted sql_query because by default, the $$_REQUEST superglobal imports first GET, then POST then COOKIE data.
We consider this vulnerability to be serious.
An attacker must trick the victim into visiting a page on the same web server where he has placed code that creates a malicious cookie.
Versions before 2.11.5.
Upgrade to phpMyAdmin 2.11.5 or newer, where $$_REQUEST is rebuilt to not contain cookies.
Assigned CVE ids: CVE-2008-1149
The following commits have been made to fix this issue:
For further information and in case of questions, please contact the phpMyAdmin team. Our website is phpmyadmin.net.