FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

phpMyAdmin -- Global variable scope injection

Affected packages
4.0 <= phpMyAdmin < 4.0.4.1

Details

VuXML ID: 1b93f6fe-e1c1-11e2-948d-6805ca0b3d42
Discovery: 2013-06-30
Entry: 2013-06-30

The phpMyAdmin development team reports:

The import.php script was vulnerable to GLOBALS variable injection. Therefore, an attacker could manipulate any configuration parameter.

This vulnerability can be triggered only by someone who logged in to phpMyAdmin, as the usual token protection prevents non-logged-in users from accessing the required form.

References

CVE Name: CVE-2013-4729
URL: http://www.phpmyadmin.net/home_page/security/PMASA-2013-7.php