=====================================================================
                                  CERT-Renater

                       Information Note No. 2005/VULN628
_____________________________________________________________________

DATE                      : 13/10/2005

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Systems running phpMyAdmin.

======================================================================

http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2005-4

----------------------------------------------------------------------
phpMyAdmin security announcement PMASA-2005-4

Announcement-ID: PMASA-2005-4
Date: 2005-10-11

Summary:
Local file inclusion vulnerability

Description:
In libraries/grab_globals.lib.php, the $__redirect parameter was
not correctly validated, opening the door to a local file inclusion
attack.

Severity:
We consider this vulnerability to be serious. However,
it can be exploited only on systems not running in
PHP safe mode (unless a deliberate hole was opened by
adding paths containing sensitive data to open_basedir).

Affected versions:
phpMyAdmin versions 2.6.4 and 2.6.4-pl1.

Solution:
Upgrade to phpMyAdmin 2.6.4-pl2 or newer.

For further information and in case of questions,
please contact the phpMyAdmin team. Our website is
http://www.phpmyadmin.net/.


======================================================================

         =========================================================
         CERT-Renater reference servers
         http://www.urec.fr/securite
         http://www.cru.fr/securite
         http://www.renater.fr
         =========================================================
         + CERT-RENATER          | tel : 01-53-94-20-44          +
         + 151 bd de l'Hopital   | fax : 01-53-94-20-41          +
         + 75013 Paris           | email: certsvp@renater.fr     +
         =========================================================