228 matches found

phpMyAdmin
•added 2007/10/15 12:0 a.m.•32 views

XSS vulnerability

PMASA-2007-5 Announcement-ID: PMASA-2007-5 Date: 2007-10-15 Summary XSS vulnerability Description We received an advisory from Omer Singer, The DigiTrust Group, and we wish to thank him for his work. It was possible to trigger this attack on setup.php. Severity We consider this vulnerability to b...

CVSS: 4.3, AI score: 5.7, EPSS: 0.11824
Exploits: 0, Affected Software: 1
phpMyAdmin
•added 2007/04/24 12:0 a.m.•30 views

XSS vulnerabilities

PMASA-2007-4 Announcement-ID: PMASA-2007-4 Date: 2007-04-24 Updated: 2007-05-17 Summary XSS vulnerabilities Description We received an advisory from Lukasz Plonka "sp3x" SecurityReason and we wish to thank him for his work. It was possible to trigger these attacks on various scripts due to...

CVSS: 6.8, AI score: 5.8, EPSS: 0.02467
Exploits: 0, Affected Software: 1
phpMyAdmin
•added 2007/03/02 12:0 a.m.•50 views

PHP Executor Deep Recursion Stack Overflow

PMASA-2007-3 Announcement-ID: PMASA-2007-3 Date: 2007-03-02 Summary PHP Executor Deep Recursion Stack Overflow Description Stefan Esser from the Hardened-PHP Project is publishing the Month of PHP Bugs. One of these PHP bugs can be triggered by phpMyAdmin which uses a recursive function in its...

CVSS: 7.1, AI score: 5.8, EPSS: 0.00988
Exploits: 0, Affected Software: 1
phpMyAdmin
•added 2007/01/16 12:0 a.m.•26 views

HTTP Response Splitting vulnerability

PMASA-2007-1 Announcement-ID: PMASA-2007-1 Date: 2007-01-16 Summary HTTP Response Splitting vulnerability Description On systems running PHP 5 before 5.1.2 or PHP 4 before 4.4.2, it is possible to trigger this vulnerability by editing the cookie containing PHP's session id. This can be used to se...

CVSS: 7.5, AI score: 5.8, EPSS: 0.00717
Exploits: 0, Affected Software: 1
phpMyAdmin
•added 2007/01/16 12:0 a.m.•31 views

XSS and Path Disclosure vulnerabilities

PMASA-2007-2 Announcement-ID: PMASA-2007-2 Date: 2007-01-16 Summary XSS and Path Disclosure vulnerabilities Description We received an advisory from Laurent Gaffié and we wish to thank him for his work. It was possible to trigger these attacks on dbcreate.php and index.php. Severity We consider...

CVSS: 4.3, AI score: 5.7, EPSS: 0.02383
Exploits: 1, Affected Software: 1
phpMyAdmin
•added 2006/11/17 12:0 a.m.•36 views

XSS vulnerability

PMASA-2006-7 Announcement-ID: PMASA-2006-7 Date: 2006-11-17 Summary XSS vulnerability Description We received a security advisory from laurent gaffié and we wish to thank him for his work. It was possible to produce XSS via table and database comment field and through position parameter. Severity...

CVSS: 6.8, AI score: 5.8, EPSS: 0.02243
Exploits: 0, Affected Software: 1
phpMyAdmin
•added 2006/11/17 12:0 a.m.•48 views

Path disclosure vulnerability

PMASA-2006-8 Announcement-ID: PMASA-2006-8 Date: 2006-11-17 Summary Path disclosure vulnerability Description We received a security advisory from laurent gaffié and we wish to thank him for his work. It was possible to disclose path by passing an array to several parameters. Severity We consider...

CVSS: 7.5, AI score: 5.7, EPSS: 0.00717
Exploits: 0, Affected Software: 1
phpMyAdmin
•added 2006/11/17 12:0 a.m.•31 views

Bad IP Allow/Deny checking

PMASA-2006-9 Announcement-ID: PMASA-2006-9 Date: 2006-11-17 Summary Bad IP Allow/Deny checking Description We received a security advisory from Christian Schmidt, Peytz & Co. and we wish to thank him for his work. It was possible to get around IP-based Allow/Deny checking by faking proxy headers...

CVSS: 7.5, AI score: 5.8, EPSS: 0.00363
Exploits: 0, Affected Software: 1
phpMyAdmin
•added 2006/11/01 12:0 a.m.•43 views

XSS vulnerability

PMASA-2006-6 Announcement-ID: PMASA-2006-6 Date: 2006-11-01 Summary XSS vulnerability Description We received a security advisory from Stefan Esser [email protected] and we wish to thank him for his work. It was possible to produce XSS via a special URL containing UTF-7 codes Severity We...

CVSS: 4.3, AI score: 5.8, EPSS: 0.01116
Exploits: 0, Affected Software: 1
phpMyAdmin
•added 2006/10/01 12:0 a.m.•28 views

XSRF (Cross Site Request Forgery) vulnerabilities

PMASA-2006-5 Announcement-ID: PMASA-2006-5 Date: 2006-10-01 Summary XSRF Cross Site Request Forgery vulnerabilities Description We received a security advisory from Stefan Esser [email protected] and we wish to thank him for his work. It was possible to inject arbitrary SQL commands by...

CVSS: 5.1, AI score: 5.9, EPSS: 0.03863
Exploits: 0, Affected Software: 1
phpMyAdmin
•added 2006/06/30 12:0 a.m.•33 views

XSS vulnerability

PMASA-2006-4 Announcement-ID: PMASA-2006-4 Date: 2006-06-30 Updated: 2006-07-01 Summary XSS vulnerability Description It was possible to craft a request that contains XSS by attacking the "table" parameter. Severity We consider this vulnerability to be serious. Affected Versions Some versions...

CVSS: 5.8, AI score: 5.8, EPSS: 0.0103
Exploits: 0, Affected Software: 1
phpMyAdmin
•added 2006/05/20 12:0 a.m.•32 views

XSRF vulnerabilities

PMASA-2006-3 Announcement-ID: PMASA-2006-3 Date: 2006-05-20 Summary XSRF vulnerabilities Description It was possible to inject arbitrary SQL commands by forcing an authenticated user to follow a crafted link. Severity Such issue is quite common in many PHP applications and users should take care...

CVSS: 7.5, AI score: 7.3, EPSS: 0.00963
Exploits: 1, Affected Software: 1
phpMyAdmin
•added 2006/05/12 12:0 a.m.•21 views

XSS vulnerabilities

PMASA-2006-2 Announcement-ID: PMASA-2006-2 Date: 2006-05-12 Summary XSS vulnerabilities Description 1. It was possible to conduct an XSS attack with a crafted lang or theme parameter. 2. The db parameter was also vulnerable to an XSS attack. Severity We consider these vulnerabilities to be...

CVSS: 2.6, AI score: 7, EPSS: 0.00409
Exploits: 1, Affected Software: 1
phpMyAdmin
•added 2006/04/06 12:0 a.m.•35 views

XSS vulnerabilities

PMASA-2006-1 Announcement-ID: PMASA-2006-1 Date: 2006-04-06 Summary XSS vulnerabilities Description It was possible to conduct an XSS attack with a direct call to some scripts under the themes directory. We wish to thank Toni Koivunen/CERT-FI for this advisory. Severity We consider these...

CVSS: 4.3, AI score: 5.6, EPSS: 0.0103
Exploits: 0
phpMyAdmin
•added 2005/12/07 12:0 a.m.•32 views

Cross-Site Scripting, local and remote code execution vulnerabilities

PMASA-2005-9 Announcement-ID: PMASA-2005-9 Date: 2005-12-07 Summary Cross-Site Scripting, local and remote code execution vulnerabilities Description Two days after the release of version 2.7.0, we received a security advisory from Stefan Esser [email protected] and we wish to thank him for...

CVSS: 5, AI score: 6.5, EPSS: 0.01613
Exploits: 1, Affected Software: 1
phpMyAdmin
•added 2005/12/05 12:0 a.m.•35 views

XSS vulnerabilities

PMASA-2005-8 Announcement-ID: PMASA-2005-8 Date: 2005-12-05 Summary XSS vulnerabilities Description It was possible to conduct an XSS attack via the HTTPHOST variable; also, some scripts in the libraries directory that handle header generation were vulnerable to XSS. Severity We consider these...

CVSS: 4.3, AI score: 5.7, EPSS: 0.01116
Exploits: 0
phpMyAdmin
•added 2005/11/23 12:0 a.m.•44 views

XSS vulnerabilities

PMASA-2005-7 Announcement-ID: PMASA-2005-7 Date: 2005-11-23 Summary XSS vulnerabilities Description During the course of phpMyAdmin 2.6.4 development, some XSS vulnerabilities were fixed but were not documented here. The cookie-based login panel, the title parameter and the table creation dialog...

CVSS: 4.3, AI score: 5.7, EPSS: 0.00427
Exploits: 0
phpMyAdmin
•added 2005/11/15 12:0 a.m.•33 views

HTTP Response Splitting vulnerability

PMASA-2005-6 Announcement-ID: PMASA-2005-6 Date: 2005-11-15 Summary HTTP Response Splitting vulnerability Description Some scripts in phpMyAdmin are vulnerable to an HTTP Response Splitting attack. Severity We consider these vulnerabilities to be serious. However, they can only be triggered on...

CVSS: 5, AI score: 5.7, EPSS: 0.00596
Exploits: 0, Affected Software: 1
phpMyAdmin
•added 2005/10/22 12:0 a.m.•11 views

(1) Local file inclusion vulnerability and (2) Cross-Site Scripting vulnerability

PMASA-2005-5 Announcement-ID: PMASA-2005-5 Date: 2005-10-22 Updated: 2005-10-25 Summary 1 Local file inclusion vulnerability and 2 Cross-Site Scripting vulnerability Description We received a security advisory from Stefan Esser [email protected] about 1. We received a security advisory from...

AI score: 5.9
Exploits: 0
phpMyAdmin
•added 2005/10/11 12:0 a.m.•78 views

Local file inclusion vulnerability

PMASA-2005-4 Announcement-ID: PMASA-2005-4 Date: 2005-10-11 Summary Local file inclusion vulnerability Description In libraries/grabglobals.lib.php, the $$redirect parameter was not correctly validated, opening the door to a local file inclusion attack. Severity We consider this vulnerability to ...

CVSS: 5, AI score: 7.2, EPSS: 0.10398
Exploits: 0, Affected Software: 1
phpMyAdmin
•added 2005/04/03 12:0 a.m.•34 views

Cross-Site Scripting vulnerability

PMASA-2005-3 Announcement-ID: PMASA-2005-3 Date: 2005-04-03 Summary Cross-Site Scripting vulnerability Description We received a security advisory from Oriol Torrent Santiago and we wish to thank him for his work and report. The convcharset parameter was not correctly validated, opening the door ...

CVSS: 4.3, AI score: 5.8, EPSS: 0.10163
Exploits: 1, Affected Software: 1
phpMyAdmin
•added 2005/02/26 12:0 a.m.•37 views

Path disclosure

PMASA-2005-2 Announcement-ID: PMASA-2005-2 Date: 2005-02-26 Summary Path disclosure Description By calling some scripts that are part of phpMyAdmin in an unexpected way especially scripts in the libraries subdirectory, it is possible to trigger phpMyAdmin to display a PHP error message which...

CVSS: 5, AI score: 5.6, EPSS: 0.00501
Exploits: 0
phpMyAdmin
•added 2005/02/25 12:0 a.m.•27 views

A variable injection vulnerability was found in phpMyAdmin, that may allow an attacker to conduct Cross-site scripting (XSS) attacks and / or perform remote file inclusion.

PMASA-2005-1 Announcement-ID: PMASA-2005-1 Date: 2005-02-25 Summary A variable injection vulnerability was found in phpMyAdmin, that may allow an attacker to conduct Cross-site scripting XSS attacks and / or perform remote file inclusion. Description We received two bug reports by Maksymilian...

CVSS: 7.5, AI score: 5.9, EPSS: 0.01218
Exploits: 0, Affected Software: 1
phpMyAdmin
•added 2004/12/13 12:0 a.m.•33 views

Two vulnerabilities were found in phpMyAdmin, that may allow command execution and file disclosure.

PMASA-2004-4 Announcement-ID: PMASA-2004-4 Date: 2004-12-13 Summary Two vulnerabilities were found in phpMyAdmin, that may allow command execution and file disclosure. Description We received a security advisory from Nicolas Gregoire exaprobe.com about those vulnerabilities and we wish to thank h...

AI score: 6
Exploits: 0, Affected Software: 1
phpMyAdmin
•added 2004/11/18 12:0 a.m.•25 views

Multiple XSS vulnerability were found in phpMyAdmin, that may allow an attacker to conduct Cross-site scripting (XSS) attacks.

PMASA-2004-3 Announcement-ID: PMASA-2004-3 Date: 2004-11-18 Summary Multiple XSS vulnerability were found in phpMyAdmin, that may allow an attacker to conduct Cross-site scripting XSS attacks. Description We received a security advisory from Cedric Cochin netvigilance.com about those...

CVSS: 6.8, AI score: 5.6, EPSS: 0.01171
Exploits: 1, Affected Software: 1
phpMyAdmin
•added 2004/10/12 12:0 a.m.•36 views

When specifying specially formatted options to external MIME transformation, an attacker can execute any shell command restricted by privileges of httpd user.

PMASA-2004-2 Announcement-ID: PMASA-2004-2 Date: 2004-10-12 Summary When specifying specially formatted options to external MIME transformation, an attacker can execute any shell command restricted by privileges of httpd user. Description phpMyAdmin allows to use MIME transformations for displayi...

CVSS: 7.5, AI score: 5.9, EPSS: 0.02091
Exploits: 0, Affected Software: 1
phpMyAdmin
•added 2004/06/29 12:0 a.m.•28 views

When faking table with specific name, an attacker can make phpMyAdmin to execute arbitrary php code and add custom server configuration.

PMASA-2004-1 Announcement-ID: PMASA-2004-1 Date: 2004-06-29 Summary When faking table with specific name, an attacker can make phpMyAdmin to execute arbitrary php code and add custom server configuration. Description phpMyAdmin used eval function to fill some values and one parameter used there w...

CVSS: 7.5, AI score: 6.1, EPSS: 0.14197
Exploits: 1, Affected Software: 1
phpMyAdmin
•added 2003/06/18 12:0 a.m.•38 views

Several security issues were reported to BugTraq mailing list. However most of these issues were already fixed some time ago.

PMASA-2003-1 Announcement-ID: PMASA-2003-1 Date: 2003-06-18 Summary Several security issues were reported to BugTraq mailing list. However most of these issues were already fixed some time ago. Description Reporter wrote that he found following issues within phpMyAdmin code each issue is followed...

AI score: 5.5
Exploits: 0, Affected Software: 1

Total number of security vulnerabilities: 228