=====================================================================
                            CERT-Renater
                 Information Note No. 2008/VULN352
_____________________________________________________________________

DATE                 : 16/09/2008

HARDWARE PLATFORM(S) : /

OPERATING SYSTEM(S)  : Systems running phpMyAdmin versions prior to
                       2.11.9.1.

=====================================================================
http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2008-7
_____________________________________________________________________

phpMyAdmin security announcement PMASA-2008-7

Announcement-ID: PMASA-2008-7
Date: 2008-09-15

Summary:
Code execution vulnerability

Description:
We received an advisory from Norman Hippert and we wish to thank him
for his work. The server_databases.php script was vulnerable to an
attack coming from a user who is already logged-on to phpMyAdmin,
where he can execute shell code (if the PHP configuration permits
commands like exec).

Severity:
We consider this vulnerability to be serious.

Affected versions:
Versions before 2.11.9.1.

Solution:
Upgrade to phpMyAdmin 2.11.9.1 or newer.

References:
http://fd.the-wildcat.de/pma_e36a091q11.php

In case of questions, please contact the phpMyAdmin team. Our website
is http://www.phpmyadmin.net/.

=====================================================================

=========================================================
CERT-Renater reference servers
    http://www.urec.fr/securite
    http://www.cru.fr/securite
    http://www.renater.fr
=========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44          +
+ 151 bd de l'Hopital   | fax : 01-53-94-20-41          +
+ 75013 Paris           | email: certsvp@renater.fr     +
=========================================================