heise open source news and features at heise open source UK
4 March 2008, 12:15

Update for phpMyAdmin

The developers of the widely used MySQL administration tool phpMyAdmin have released an updated version, 2.11.5, which closes an SQL injection vulnerability. Because phpMyAdmin reads its parameter list from the $_REQUEST variable array instead of $_GET or $_POST, a user's cookies can, on some servers, become mixed up with the request parameters. Attackers can take advantage of this by setting their own cookies in visitors' browsers using a page on the same server. Apparently, another application can set a cookie named sql_query for the root path, thus overwriting the user's SQL query.

The developers classify this as a serious security problem. As an alternative to the update, a patch is also available which prevents cookies from being included in the $_REQUEST array. In addition to this vulnerability, the developers have also eliminated various other errors.
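
The following PHP sketch is an added illustration, not phpMyAdmin's code or its patch. It assumes a server whose request order places cookies last ("GPC"); the helper names `build_request` and `request_without_cookies` and all sample values are hypothetical.

```php
<?php
// Added illustration; not phpMyAdmin code. All values below are constructed.

/**
 * Mimic how PHP fills $_REQUEST: sources are merged left to right in the
 * configured order (G = GET, P = POST, C = cookie), later ones overriding.
 */
function build_request(string $order, array $get, array $post, array $cookie): array
{
    $sources = ['G' => $get, 'P' => $post, 'C' => $cookie];
    $request = [];
    foreach (str_split(strtoupper($order)) as $letter) {
        if (isset($sources[$letter])) {
            $request = array_merge($request, $sources[$letter]);
        }
    }
    return $request;
}

/** Mitigation in the spirit of the patch: request data without cookies. */
function request_without_cookies(array $get, array $post): array
{
    return array_merge($get, $post);
}

// What the user submitted through the query form (constructed).
$get  = ['db' => 'shop'];
$post = ['sql_query' => 'SELECT id, name FROM customers LIMIT 10'];
// Cookie set for path "/" by another application on the same host
// (constructed placeholder value).
$cookie = ['sql_query' => 'QUERY_CHOSEN_BY_OTHER_APPLICATION'];

$merged = build_request('GPC', $get, $post, $cookie);
$clean  = request_without_cookies($get, $post);

echo "request order GPC : ", $merged['sql_query'], PHP_EOL; // cookie value wins
echo "cookies excluded  : ", $clean['sql_query'], PHP_EOL;  // user's own query

// Defensive check: report cookie names that collide with request parameters.
$collisions = array_intersect_key($cookie, $get + $post);
echo "colliding cookies : ", implode(', ', array_keys($collisions)), PHP_EOL;
```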

(mba)