phpMyAdmin before 2.11.5 accesses $_REQUEST to obtain some parameters instead of $_GET and $_POST, which allows attackers in the same domain to override certain variables and conduct SQL injection and Cross-Site Request Forgery (CSRF) attacks by using crafted cookies.

This is a version upgrade to phpMyAdmin 2.11.9.4 to fix various security bugs. (CVE-2008-2960, CVE-2008-3197, CVE-2008-1149, CVE-2008-1567, CVE-2008-1924, CVE-2008-4096, CVE-2008-4326, CVE-2008-5621, CVE-2008-5622)

This update of phpMyAdmin fixes the following bugs :

  - CVE-2008-1149: SQL injection, CSRF attacks using crafted     cookies

  - CVE-2008-1567: local users can steal session     information/credentials

  - CVE-2008-1924: in a shared host environment users with     CREAT permissions can read arbitrary files

  - CVE-2008-3456: cross-site framing attack

  - CVE-2008-3457: user-assisted XSS attack

Several remote vulnerabilities have been discovered in phpMyAdmin, an application to administrate MySQL over the WWW. The Common Vulnerabilities and Exposures project identifies the following problems :

  - CVE-2008-1924     Attackers with CREATE table permissions were allowed to     read arbitrary files readable by the webserver via a     crafted HTTP POST request.

  - CVE-2008-1567     The PHP session data file stored the username and     password of a logged in user, which in some setups can     be read by a local user.

  - CVE-2008-1149     Cross site scripting and SQL injection were possible by     attackers that had permission to create cookies in the     same cookie domain as phpMyAdmin runs in.

The remote host is affected by the vulnerability described in GLSA-200803-15 (phpMyAdmin: SQL injection vulnerability)

    Richard Cunningham reported that phpMyAdmin uses the $_REQUEST variable     of $_GET and $_POST as a source for its parameters.
  Impact :

    An attacker could entice a user to visit a malicious web application     that sets an 'sql_query' cookie and is hosted on the same domain as     phpMyAdmin, and thereby conduct SQL injection attacks with the     privileges of the user authenticating in phpMyAdmin afterwards.
  Workaround :

    There is no known workaround at this time.

A phpMyAdmin security announcement report :

phpMyAdmin used the $_REQUEST superglobal as a source for its parameters, instead of $_GET and $_POST. This means that on most servers, a cookie with the same name as one of phpMyAdmin's parameters can interfere.

Another application could set a cookie for the root path '/' with a 'sql_query' name, therefore overriding the user-submitted sql_query because by default, the $_REQUEST superglobal imports first GET, then POST then COOKIE data. Mitigation factor An attacker must trick the victim into visiting a page on the same web server where he has placed code that creates a malicious cookie.

This is a bugfix-only version containing a security fix: Remove cookies from $_REQUEST for better coexistence with other applications, thanks to Richard Cunningham. See PMASA-2008-1.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote host is running phpMyAdmin, a web interface for administering MySQL database servers.  This version of phpMyAdmin is vulnerable to a SQL injection attack via the '$_REQUEST' variable.  An attacker exploiting this flaw would need to send a specially formatted cookie containing the attacker's SQL commands.  An attacker exploiting this flaw would be able to execute arbitrary SQL commands on the database server utilized by phpMyAdmin. 

ID	Name	Product	Family	Severity
40107	openSUSE Security Update : phpMyAdmin (phpMyAdmin-442)	Nessus	SuSE Local Security Checks	high
35449	openSUSE 10 Security Update : phpMyAdmin (phpMyAdmin-5935)	Nessus	SuSE Local Security Checks	high
34813	openSUSE 10 Security Update : phpMyAdmin (phpMyAdmin-5781)	Nessus	SuSE Local Security Checks	medium
32058	Debian DSA-1557-1 : phpmyadmin - insufficient input sanitising	Nessus	Debian Local Security Checks	medium
31441	GLSA-200803-15 : phpMyAdmin: SQL injection vulnerability	Nessus	Gentoo Local Security Checks	medium
31377	FreeBSD : phpmyadmin -- SQL injection vulnerability (ce2f2ade-e7df-11dc-a701-000bcdc1757a)	Nessus	FreeBSD Local Security Checks	medium
31368	Fedora 7 : phpMyAdmin-2.11.5-1.fc7 (2008-2229)	Nessus	Fedora Local Security Checks	medium
31366	Fedora 8 : phpMyAdmin-2.11.5-1.fc8 (2008-2189)	Nessus	Fedora Local Security Checks	medium
4407	phpMyAdmin < 2.11.5 SQLi	Nessus Network Monitor	CGI	medium

Detections

Analytics

CVE-2008-1149

high

Tenable Plugins

high

high

medium

medium

medium

medium

medium

medium

medium