SQL injection vulnerability (Delayed Cross Site Request Forgery)

PMASA-2008-1

Announcement-ID: PMASA-2008-1

Date: 2008-03-01

Updated: 2008-03-03

Summary

SQL injection vulnerability (Delayed Cross Site Request Forgery)

Description

We received an advisory from Richard Cunningham, and we wish to thank him for his work. phpMyAdmin used the $$_REQUEST superglobal as a source for its parameters, instead of $$_GET and $$_POST superglobals. This means that on most servers, a cookie with the same name as one of phpMyAdmin’s parameters can interfere.

Another application could set a cookie for the root path “/” with a “sql_query” name, therefore overriding the user-submitted sql_query because by default, the $$_REQUEST superglobal imports first GET, then POST then COOKIE data.

Severity

We consider this vulnerability to be serious.

Mitigation factor

An attacker must trick the victim into visiting a page on the same web server where he has placed code that creates a malicious cookie.

Affected Versions

Versions before 2.11.5.

Solution

Upgrade to phpMyAdmin 2.11.5 or newer, where $$_REQUEST is rebuilt to not contain cookies.

References

Assigned CVE ids: CVE-2008-1149

CWE ids: CWE-661 CWE-89

Patches

The following commits have been made to fix this issue:

• c57b39bed91f06d574a95d8a5a091e5e59492d69

More information

For further information and in case of questions, please contact the phpMyAdmin team. Our website is phpmyadmin.net.