phpmyadmin -- register_globals emulation "import_blacklist" manipulation

2005-12-07T00:00:00
ID 23AFD91F-676B-11DA-99F6-00123FFE8333
Type freebsd
Reporter FreeBSD
Modified 2005-12-07T00:00:00

Description

Secunia reports:

Stefan Esser has reported a vulnerability in phpMyAdmin, which can be exploited by malicious people to conduct cross-site scripting attacks, disclose sensitive information, and compromise a vulnerable system.

The vulnerability is caused due to an error in the register_globals emulation layer in "grab_globals.php" where the "import_blacklist" variable is not properly protected from being overwritten.

This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site, and include arbitrary files from external and local resources.
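
The class of flaw described in the report above, as an added, simplified PHP illustration that is not phpMyAdmin's grab_globals.php: a register_globals emulation whose blacklist is itself an overwritable global, next to a hardened variant. Every function, constant and variable name other than import_blacklist is hypothetical, and the request array is constructed sample input.

```php
<?php
// Added illustration, not phpMyAdmin's grab_globals.php. Every name except
// import_blacklist is hypothetical.

// Flawed: the blacklist is an ordinary global, read through $GLOBALS while
// request keys are being written into $GLOBALS.
function emulate_globals_flawed(array $request): void
{
    foreach ($request as $key => $value) {
        foreach ($GLOBALS['import_blacklist'] as $pattern) {
            if (preg_match($pattern, (string) $key)) {
                continue 2; // protected name, do not import
            }
        }
        $GLOBALS[$key] = $value; // 'import_blacklist' itself is not protected
    }
}

// Hardened: the deny-list is a constant that request data cannot replace,
// and imported values go into a returned array, not the global scope.
const IMPORT_DENYLIST = ['/^app_config$/i', '/^import_blacklist$/i', '/^GLOBALS$/i'];

function import_request_hardened(array $request): array
{
    $imported = [];
    foreach ($request as $key => $value) {
        foreach (IMPORT_DENYLIST as $pattern) {
            if (preg_match($pattern, (string) $key)) {
                continue 2; // protected name, do not import
            }
        }
        $imported[$key] = $value;
    }
    return $imported;
}

// Constructed sample input standing in for parsed request parameters.
$request = ['import_blacklist' => [], 'app_config' => ['theme' => 'from-request'], 'page' => '2'];

$import_blacklist = ['/^app_config$/i', '/^GLOBALS$/i'];
$app_config = ['theme' => 'default'];
emulate_globals_flawed($request);
echo 'flawed:   theme = ', $app_config['theme'], PHP_EOL;

$app_config = ['theme' => 'default'];
$imported = import_request_hardened($request);
echo 'hardened: theme = ', $app_config['theme'], ', imported keys = ', implode(',', array_keys($imported)), PHP_EOL;
```

In the flawed variant the protected setting ends up holding the request-supplied value because the list guarding it was replaced first; in the hardened variant the setting is untouched and only the unprotected key is returned.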