CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
EPSS
Percentile
84.6%
Announcement-ID: PMASA-2009-1
Date: 2009-03-24
HTTP Response Splitting and file inclusion vulnerability.
The BLOB streaming feature allowed attacker to include arbitrary files and inject HTTP headers using crafted URL parameters.
We consider this vulnerability to be critical.
For 2.11.x: not affected as it lacks BLOB streaming support.<br /> For 3.x: versions since 3.1.0.0 and before 3.1.3.1.<br />
Upgrade to phpMyAdmin 3.1.3.1 or apply patch listed below.
Thanks to Manuel Lopez Gallego (Luisyana) and Santiago RodrΓguez Collazo, who have discovered this issue and reported it to us.
Assigned CVE ids: CVE-2009-1148 CVE-2009-1149
The following commits have been made to fix this issue:
For further information and in case of questions, please contact the phpMyAdmin team. Our website is phpmyadmin.net.