FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

phpmyadmin -- register_globals emulation "import_blacklist" manipulation

Affected packages
phpMyAdmin < 2.7.0.1

Details

VuXML ID 23afd91f-676b-11da-99f6-00123ffe8333
Discovery 2005-12-07
Entry 2005-12-07

Secunia reports:

Stefan Esser has reported a vulnerability in phpMyAdmin, which can be exploited by malicious people to conduct cross-site scripting attacks, disclose sensitive information, and compromise a vulnerable system.

The vulnerability is caused due to an error in the register_globals emulation layer in "grab_globals.php" where the "import_blacklist" variable is not properly protected from being overwritten. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site, and include arbitrary files from external and local resources.
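The flaw class Secunia describes, a register_globals emulation whose protection list can itself be overwritten through the request it is filtering, as an added illustration (constructed for this entry; not phpMyAdmin's grab_globals.php, and not the project's fix). The function names, the IMPORT_BLACKLIST constant and the sample request array are assumptions made for the demo; a plain PHP array stands in for the global namespace so the script runs offline.

```php
<?php
// Constructed example (not phpMyAdmin code). A register_globals emulation copies
// request parameters into the script's global namespace, skipping names that match
// a blacklist of regexes. The bug class shown: the blacklist is stored inside the
// very namespace being populated, so a request parameter of the same name replaces
// it before later parameters are checked.

/** Return true if $name matches any regex in $blacklist. */
function is_blacklisted(string $name, array $blacklist): bool
{
    foreach ($blacklist as $pattern) {
        if (preg_match($pattern, $name) === 1) {
            return true;
        }
    }
    return false;
}

/** Vulnerable pattern: $globals stands in for $GLOBALS; the blacklist lives inside it. */
function import_vulnerable(array $request): array
{
    $globals = ['import_blacklist' => ['/^cfg$/', '/^GLOBALS$/', '/^_/']];
    foreach ($request as $name => $value) {
        // The list is re-read from $globals on every iteration. The name
        // 'import_blacklist' is not on its own list, so a parameter with that name
        // is imported and silently becomes the list used for all later checks.
        if (!is_blacklisted($name, (array) $globals['import_blacklist'])) {
            $globals[$name] = $value;
        }
    }
    return $globals;
}

/** Hardened pattern: the list is a constant held outside the namespace being written,
 *  and the emulation's own control name is protected as well. */
const IMPORT_BLACKLIST = ['/^cfg$/', '/^GLOBALS$/', '/^_/', '/^import_blacklist$/'];

function import_hardened(array $request): array
{
    $globals = [];
    foreach ($request as $name => $value) {
        if (!is_blacklisted($name, IMPORT_BLACKLIST)) {
            $globals[$name] = $value;
        }
    }
    return $globals;
}

// Constructed request: a parameter that replaces the list with a regex matching no
// real name, followed by a name the list was supposed to block. Order matters because
// PHP populates the request arrays in the order the parameters arrive.
$request = [
    'import_blacklist' => ['/^$/'],
    'cfg'              => 'request-controlled value',
    'page'             => 'index',
];

// Report whether the protected name reached the namespace under each variant.
foreach (['import_vulnerable', 'import_hardened'] as $fn) {
    $imported = $fn($request);
    printf("%-17s imported keys: %s\n", $fn, implode(', ', array_keys($imported)));
}
```

Running the script prints the imported key set for each variant: the vulnerable variant lets `cfg` through because the first parameter rewrote the list, while the hardened variant imports only `page`. The design point for reviewers is that a filter's configuration must never live in the data structure the filter writes to; the safer choice in 2005-era PHP was to read `$_GET`/`$_POST` explicitly rather than emulate register_globals at all.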

References

URL http://secunia.com/advisories/17925/
URL http://www.hardened-php.net/advisory_252005.110.html
URL http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2005-9