Release date: 2011-10-17
Updated on: 2011-10-18
Affected Systems:
phpMyAdmin 3.4.5
Description:
--------------------------------------------------------------------------------
phpMyAdmin is written in PHP and is used to administer MySQL databases over the web.
The phpmyadmin.css.php script of phpMyAdmin has an input validation problem. Remote attackers may exploit this vulnerability to obtain sensitive server information.
The js_frame parameter in phpmyadmin.css.php is not sufficiently validated, which can be exploited to leak information. If js_frame is passed as an array, the script includes the full path in the error message it returns.
<* Source: Ursu Mihail
Link: http://seclists.org/fulldisclosure/2011/Oct/690
*>
Test method:
--------------------------------------------------------------------------------
Alert
The following procedures (methods) may be offensive and are intended only for security research and teaching. Use at your own risk!
http://example.com/path_to_phpmyadmin/phpmyadmin.css.php?js_frame[]=right
Suggestion:
--------------------------------------------------------------------------------
Vendor patch:
phpMyAdmin
----------
The vendor has released a patch to fix this security problem. Please download it from the vendor's homepage:
http://www.phpmyadmin.net/home_page/security/
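To check whether an installation has already received the array-typed js_frame request described above, the web server access log can be searched for it. The following is an added example, not part of the original advisory or of phpMyAdmin; the log format (Apache combined), the function names and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Request line inside an Apache common/combined access log entry (assumed format).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# PHP array syntax on the parameter name: js_frame[], js_frame[0], js_frame[a][b]
ARRAY_KEY_RE = re.compile(r'^js_frame\[')

def is_array_js_frame_request(target: str) -> bool:
    """True if the request targets phpmyadmin.css.php with js_frame sent as an array."""
    parts = urlsplit(target)
    if not unquote(parts.path).lower().endswith("/phpmyadmin.css.php"):
        return False
    # parse_qsl percent-decodes keys, so js_frame%5B%5D is caught as well.
    for key, _value in parse_qsl(parts.query, keep_blank_values=True):
        if ARRAY_KEY_RE.match(key):
            return True
    return False

def find_suspicious(lines):
    """Return the client address of every log line that matches the pattern."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if m and is_array_js_frame_request(m.group(1)):
            hits.append(line.split(" ", 1)[0])
    return hits

# Constructed sample log lines (documentation address ranges, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [18/Oct/2011:10:01:02 +0000] '
    '"GET /pma/phpmyadmin.css.php?js_frame[]=right HTTP/1.1" 200 512 "-" "-"',
    '203.0.113.8 - - [18/Oct/2011:10:01:09 +0000] '
    '"GET /pma/phpmyadmin.css.php?js_frame%5B%5D=right HTTP/1.1" 200 512 "-" "-"',
    '198.51.100.4 - - [18/Oct/2011:10:02:00 +0000] '
    '"GET /pma/phpmyadmin.css.php?js_frame=right&nocache=1 HTTP/1.1" 200 9001 "-" "-"',
    '198.51.100.5 - - [18/Oct/2011:10:02:30 +0000] '
    '"GET /index.php?js_frame[]=right HTTP/1.1" 200 1200 "-" "-"',
]

if __name__ == "__main__":
    for client in find_suspicious(SAMPLE_LOG):
        print("array-typed js_frame request from", client)
```

A match only shows that the request was made; whether a path was disclosed depends on the installed version and on whether PHP error display is enabled on the server.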