phpmyadmin -- multiple vulnerabilities

ID D79FC873-B5F9-11E0-89B4-001EC9578670
Type freebsd
Reporter FreeBSD
Modified 2011-07-28T00:00:00


The phpMyAdmin development team reports:

XSS in table Print view.

Via a crafted MIME-type transformation parameter, an attacker can perform a local file inclusion.

In the 'relational schema' code, a parameter was not sanitized before being used to concatenate a class name. The end result is a local file inclusion vulnerability and code execution.

It was possible to manipulate the PHP session superglobal using some of the Swekey authentication code. This is very similar to PMASA-2011-5, documented in 7e4e5c53-a56c-11e0-b180-00216aa06fc2.