A variable injection vulnerability was found in phpMyAdmin, that may allow an attacker to conduct Cross-site scripting (XSS) attacks and / or perform remote file inclusion.
We received two bug reports by Maksymilian Arciemowicz about those vulnerabilities and we wish to thank him for his work. The vulnerabilities apply to those points:
We consider both vulnerabilities to be serious.
Because the theming mechanism was used to perform the remote file inclusion, only the 2.6 branch is affected. Regarding the XSS attacks, we have to assume that all versions down to 1.3.1 are affected.
CVS HEAD, QA_2_6_0 and QA_2_6_1 have been fixed. The current version, 2.6.1-pl2, should not be vulnerable, either - as long as phpMyAdmin is run with "register_globals = off".
We strongly advise everyone to upgrade to phpMyAdmin 2.6.1-pl2 or later and to disable register_globals at least for the phpMyAdmin directory.
Assigned CVE ids: CVE-2005-0567
For further information and in case of questions, please contact the phpMyAdmin team. Our website is phpmyadmin.net.