15 Sep 20:50
phpMyAdmin code execution (CVE request)
Hi all, "- (2.11.9.1) [security] Code execution vulnerability" http://www.phpmyadmin.net/home_page/downloads.php?relnotes=1 "Welcome to this security update for phpMyAdmin 2.11.9. Details will follow on http://phpmyadmin.net." http://www.nabble.com/phpMyAdmin-2.11.9.1-is-released-td19497113.html Attached patch is the fix from upstream. Judging from that (no other information is available yet), an authenticated user can supply a crafted sort_by parameter to server_databases.php, which will be turned in to executed PHP code because it is passed into create_function(). It is present at least since 2.9.1. I would like to have a CVE id to refer to this issue. Thijs
RSS Feed