PHP is a train wreck, a design disaster. String interpolation is good for casual scripting, but it has *no* business on a web-facing server.
Lack of strong typing only makes matters worse.
Not to stop with the stupidity of string interpolation, PHP designers decided that an Eval function would be a good idea. Yeah!
The only thing which could possibly be more stupid - securitywise - would be to include "eval" functionality hidden behind some obscure parameter in some method. Thankfully nobody is *that* stupid.
Oh wait: (from http://www.php.net/manual/en/reference.pcre.pattern.modifiers.php ): e (PREG_REPLACE_EVAL)
If this modifier is set, preg_replace() does normal substitution of backreferences in the replacement string, evaluates it as PHP code , and uses the result for replacing the search string.
Nice!
phpMyAdmin itself is a disaster. Always was. Countless sites has been compromised through this inferior product. Built upon a language which was an accident from the start.
Kludges and patches do not hide the fact that it is a pig. With a lot of lipstick.
Developers of the open-source phpMyAdmin have released a new version to patch several “highly critical” vulnerabilities that can be used to compromise a vulnerable system.
The vulnerabilities affect all versions of phpMyAdmin prior to 3.3.10.2 and 3.4.3.1, according to an advisory from Secunia.
phpMyAdmin is a widely used software tool that handles the administration of one or more MySQL servers over the web.
Some basic details on the security problems:
- An error within the “Swekey_login()” function in libraries/auth/swekey/swekey.auth.lib.php can be exploited to overwrite session variables and e.g. inject and execute arbitrary PHP code.
- Input passed to the “PMA_createTargetTables()” function in libraries/server_synchronize.lib.php is not properly sanitised before calling the “preg_replace()” function with the “e” modifier. This can be exploited to execute arbitrary PHP code via URL-encoded NULL bytes.
- Input passed to the “PMA_displayTableBody()” function in libraries/display_tbl.lib.php is not properly sanitised before being used to include files. This can be exploited to include arbitrary files from local resources via directory traversal sequences.
Secunia said a weakness in setup scripts, which could lead to arbitrary PHP code injection if session variables are overwritten, was also addressed.
phpMyAdmin users are urged to immediately update to version 3.3.10.2 or 3.4.3.1.
