'Highly critical' flaws haunt phpMyAdmin

Developers of the open-source phpMyAdmin have released a new version to patch several "highly critical" vulnerabilities that can be used to compromise a vulnerable system.

The vulnerabilities affect all versions of phpMyAdmin prior to 3.3.10.2 and 3.4.3.1, according to an advisory from Secunia.

phpMyAdmin is a widely used software tool that handles the administration of one or more MySQL servers over the web.

Some basic details on the security problems:

  • An error within the "Swekey_login()" function in libraries/auth/swekey/swekey.auth.lib.php can be exploited to overwrite session variables and e.g. inject and execute arbitrary PHP code.
  • Input passed to the "PMA_createTargetTables()" function in libraries/server_synchronize.lib.php is not properly sanitised before calling the "preg_replace()" function with the "e" modifier. This can be exploited to execute arbitrary PHP code via URL-encoded NULL bytes.
  • Input passed to the "PMA_displayTableBody()" function in libraries/display_tbl.lib.php is not properly sanitised before being used to include files. This can be exploited to include arbitrary files from local resources via directory traversal sequences.
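As an added illustration (not phpMyAdmin's or Secunia's code), the shape of the preg_replace() "e" hazard named in the second bullet beside the preg_replace_callback() form that avoids it; the table-prefix rewrite, the $prefix argument and both function names are hypothetical.

```php
<?php
// Added example (not phpMyAdmin's code): a string-rewriting step written with
// preg_replace() and the "e" modifier, beside the preg_replace_callback() form
// that performs the same rewrite without handing anything to the PHP evaluator.
// The backtick-quoted table-name rewrite and the $prefix argument are hypothetical.

// Unsafe form. With "e", PCRE substitutes the backreference $1 into the
// replacement string and then evaluates the whole result as PHP code. Any
// character in $prefix that closes the double-quoted literal is executed as
// code rather than copied into the output. The modifier was deprecated in
// PHP 5.5 and removed in PHP 7.0, where this call raises a warning and
// preg_replace() returns NULL.
function prefixTablesUnsafe(string $sql, string $prefix): ?string
{
    return preg_replace(
        '/`([A-Za-z0-9_]+)`/e',
        '"`' . $prefix . '$1`"',
        $sql
    );
}

// Safe form. The callback is ordinary compiled PHP; the matched text and the
// prefix are only ever values passed to it, so they cannot change what runs.
// The prefix is additionally restricted to identifier characters up front,
// so a bad value is rejected instead of being pasted anywhere.
function prefixTablesSafe(string $sql, string $prefix): string
{
    if (!preg_match('/^[A-Za-z0-9_]{1,32}$/', $prefix)) {
        throw new InvalidArgumentException('prefix must be an identifier');
    }
    return preg_replace_callback(
        '/`([A-Za-z0-9_]+)`/',
        static function (array $m) use ($prefix): string {
            return '`' . $prefix . $m[1] . '`';
        },
        $sql
    );
}

// Constructed sample statement; every backtick-quoted name gets the prefix.
$sql = 'SELECT * FROM `users` JOIN `orders` ON `users`.id = `orders`.uid';
echo prefixTablesSafe($sql, 'copy_'), PHP_EOL;

// A prefix containing a non-identifier character is refused before any rewrite.
try {
    prefixTablesSafe($sql, 'copy-2');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```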

Secunia said a weakness in setup scripts, which could lead to arbitrary PHP code injection if session variables are overwritten, was also addressed.

phpMyAdmin users are urged to immediately update to version 3.3.10.2 or 3.4.3.1.

Topics: Software Development, Security

Talkback

28 comments
  • Anyone surprised

    PHP is a train wreck, a design disaster. String interpolation is good for casual scripting, but it has *no* business on a web-facing server.

    Lack of strong typing only makes matters worse.

    Not to stop with the stupidity of string interpolation, PHP designers decided that an Eval function would be a good idea. Yeah!

    The only thing which could possibly be more stupid - securitywise - would be to include "eval" functionality hidden behind some obscure parameter in some method. Thankfully nobody is *that* stupid.

    Oh wait (from http://www.php.net/manual/en/reference.pcre.pattern.modifiers.php): "e (PREG_REPLACE_EVAL): If this modifier is set, preg_replace() does normal substitution of backreferences in the replacement string, evaluates it as PHP code, and uses the result for replacing the search string."

    Nice!

    phpMyAdmin itself is a disaster. Always was. Countless sites have been compromised through this inferior product. Built upon a language which was an accident from the start.

    Kludges and patches do not hide the fact that it is a pig. With a lot of lipstick.
    honeymonster
    • I agree 100%. WebObjects is where the future is at.

      @honeymonster
      WebObjects are the best.
      woulddie4apple
      • Yeah, WebObjects has allegedly never been hacked

        @woulddie4apple

        Has it ever been used? Never mind, I hear that they throw conferences which attract a lot of people!

        Just this past weekend in Montreal the venue almost couldn't fit inside the double suite where it was held!

        Not surprising, considering the fast pace Apple advances this revolutionary and magical technology. WebObjects are the future, indeed!
        honeymonster
      • RE: 'Highly critical' flaws haunt phpMyAdmin

        @woulddie4apple

        Yep I always go to a marketing and repackaging company for my software development tools.

        NOT.
        tonymcs@...
    • RE: 'Highly critical' flaws haunt phpMyAdmin

      @honeymonster

      One thing PHP does not have is lipstick - you must be thinking of OS/X which is a pig with a ton of lipstick.

      I actually like the eval function, it's a feature sadly lacking in a number of languages and you really haven't convinced me it's a security risk. The lack of strong typing is also a benefit.

      PHP is responsible for some of the most used and useful programs available on the web - Moodle for example, the widest used open source learning management system.

      No, it's not perfect, but it's useful and that is a much better way to judge it rather than some ideal programming language beauty contest.
      tonymcs@...
      • PHP = security nightmare

        @tonymcs@...

        "One thing PHP does not have is lipstick - you must be thinking of OS/X which is a pig with a ton of lipstick."

        Magic quotes?
        Register globals?
        Type hinting?

        "I actually like the eval function, it's a feature sadly lacking in a number of languages and you really haven't convinced me it's a security risk."

        You can go about this in two ways: pragmatically and theoretically.

        Pragmatically you can investigate how a certain language feature does in terms of how useful it has proven compared to how many security problems can be attributed to it. The eval function is sadly the cause of many serious vulnerabilities; one evidenced right here. I happen to believe that when considering web site security, we cannot risk users being able to inject code which will execute on the server. It is *worse* than SQL injections. History tells us.

        Theoretically, the eval function is an unstructured cop-out to make up for deficiencies such as lack of closures, code blocks, delegates (C# concept) and AST manipulation. As such, the eval function replaces many concepts at once. But it does so at a price: representing code as a string is unstructured, error prone, inefficient and insecure. The usefulness of eval is not worth the risk. The problem in PHP is actually compounded by string interpolation, which encourages using user-supplied data to synthesize strings which are then evaluated. Eval mixes up code and data in an unhealthy way. That is *never* a good thing.

        As for typing, weak typing - especially the coercing form found in PHP - is just bad. Especially for security. For instance, if a string starts with digits, PHP is actually ok with coercing it into a number. A common integer-test function will actually return "true" that it is a number. So a developer can test a variable for "numeric" and get a "true". But if he then uses the variable without quotes in an eval function or SQL query (after testing that it is numeric) the variable can actually be a string with an entire injection attack.

        Weak typing can be useful at times. In shell scripting it may make sense, provided that the scripts can be trusted. On a website, not so much.

        PHP is a security nightmare. It is insecure and badly designed in itself (design by accident). Worse, it lures developers down the wrong paths by making it hard to write secure code and easy to write insecure code.
        honeymonster
  • I use Plone at work and for personal use.

    Safe as can be.
    Dietrich T. Schmitz, *~* Your Linux Advocate
    • RE: 'Highly critical' flaws haunt phpMyAdmin

      I've read that Plone (based on Python) is used by governmental agencies due to its excellent safety record. It's a CMS, so it has notable competitors, and open source too. But when it comes to security, can Wordpress or Drupal measure up to that? I agree though, I've never been a fan of PHP, as it always appeared too vulnerable to injection attacks.
      decisive
  • RE: 'Highly critical' flaws haunt phpMyAdmin

    I thought open source software wasn't supposed to have gaping holes? I guess the "many eyes" theory holds no water...

    (Jus' sayin')
    The one and only, Cylon Centurion
  • It's a problem as a Wordpress user.

    Mostly because it's built using PHP, but because of the security holes it makes it kind of a mixed bag. Especially if you want to build a client's website, but luckily there are lots of smart people actually working on it, and if you keep your eyes open and use a difficult password then everything should be okay.
    AnthonyMHall