FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

phpmyadmin -- register_globals emulation "import_blacklist" manipulation

Affected packages
phpMyAdmin <


VuXML ID 23afd91f-676b-11da-99f6-00123ffe8333
Discovery 2005-12-07
Entry 2005-12-07

Secunia reports:

Stefan Esser has reported a vulnerability in phpMyAdmin, which can be exploited by malicious people to conduct cross-site scripting attacks, disclose sensitive information, and compromise a vulnerable system.

The vulnerability is caused due to an error in the register_globals emulation layer in "grab_globals.php" where the "import_blacklist" variable is not properly protected from being overwritten. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site, and include arbitrary files from external and local resources.
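
A simplified model of the flaw class described above, added here as an illustration; it is not phpMyAdmin's code and is not taken from the Secunia report. Only the name `import_blacklist` comes from the advisory; the function names, the `cfg` key, the patterns and the sample request are assumptions constructed for the example.

```php
<?php
// Model of a register_globals emulation layer that copies request
// parameters into a variable scope while skipping protected names.
// Illustrative only; all names other than "import_blacklist" are hypothetical.

/** Flawed form: the blacklist is stored in the scope that input is imported into. */
function import_vulnerable(array $request, array &$scope): void
{
    foreach ($request as $key => $value) {
        // The blacklist is read from $scope on each pass, so a request key
        // named "import_blacklist" imported earlier has already replaced it.
        $stored = $scope['import_blacklist'] ?? [];
        $blacklist = is_array($stored) ? $stored : [];
        foreach ($blacklist as $pattern) {
            if (is_string($pattern) && preg_match($pattern, (string) $key)) {
                continue 2; // protected name, do not import
            }
        }
        $scope[$key] = $value;
    }
}

/** Hardened form: the blacklist is a constant, out of reach of request data,
 *  and it also covers its own former variable name. */
const IMPORT_BLACKLIST = ['/^cfg$/', '/^GLOBALS$/', '/^import_blacklist$/'];

function import_hardened(array $request, array &$scope): void
{
    foreach ($request as $key => $value) {
        foreach (IMPORT_BLACKLIST as $pattern) {
            if (preg_match($pattern, (string) $key)) {
                continue 2; // protected name, do not import
            }
        }
        $scope[$key] = $value;
    }
}

// Constructed sample request: its first key targets the blacklist itself.
$request = ['import_blacklist' => [], 'cfg' => 'from-request'];

$scopeA = ['import_blacklist' => ['/^cfg$/', '/^GLOBALS$/'], 'cfg' => 'trusted'];
import_vulnerable($request, $scopeA);
echo 'flawed:   cfg = ', $scopeA['cfg'], PHP_EOL;

$scopeB = ['cfg' => 'trusted'];
import_hardened($request, $scopeB);
echo 'hardened: cfg = ', $scopeB['cfg'], PHP_EOL;
```

In the flawed form the protected `cfg` value ends up taken from the request; in the hardened form it keeps its trusted value. An explicit allowlist of importable names is a stricter design than any blacklist.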