GoogleOSV:GHSA-VQCM-R62W-W437phpMyAdmin remote variable manipulation
libraries/auth/swekey/swekey.auth.lib.php in the Swekey authentication feature in phpMyAdmin 3.x before 3.3.10.2 and 3.4.x before 3.4.3.1 assigns values to arbitrary parameters referenced in the query string, which allows remote attackers to modify the SESSION superglobal array via a crafted request, related to a “remote variable manipulation vulnerability.”
References
ha.xxor.se/2011/07/phpmyadmin-3x-multiple-remote-code.html
lists.fedoraproject.org/pipermail/package-announce/2011-July/062719.html
securityreason.com/securityalert/8306
typo3.org/teams/security/security-bulletins/typo3-sa-2011-008
www.debian.org/security/2011/dsa-2286
www.exploit-db.com/exploits/17514
www.openwall.com/lists/oss-security/2011/06/28/2
www.openwall.com/lists/oss-security/2011/06/28/6
www.openwall.com/lists/oss-security/2011/06/28/8
www.openwall.com/lists/oss-security/2011/06/29/11
www.phpmyadmin.net/home_page/security/PMASA-2011-5.php
github.com/phpmyadmin/composer
github.com/phpmyadmin/composer/commit/7ebd958b2bf59f96fecd5b3322bdbd0b244a7967
github.com/phpmyadmin/phpmyadmin/commit/6e6e129f26295c83d67b74e202628a4b8bc49e54
github.com/phpmyadmin/phpmyadmin/commit/7ebd958b2bf59f96fecd5b3322bdbd0b244a7967
nvd.nist.gov/vuln/detail/CVE-2011-2505
web.archive.org/web/20110712103138/www.xxor.se/advisories/phpMyAdmin_3.x_Multiple_Remote_Code_Executions.txt
web.archive.org/web/20111116172111/www.securityfocus.com/archive/1/518804/100/0/threaded
web.archive.org/web/20121105034518/www.mandriva.com/en/support/security/advisories?name=MDVSA-2011:124
Related
