Network Security News – Friday, December 09, 2005 Events
phpMyAdmin register_globals Emulation $import_blacklist Variable Overwrite
phpMyAdmin contains a flaw that may allow a variety of attacks, including cross-site scripting, as well as local and remote file inclusion. This flaw exists because the application does not validate the $import_blacklist variable upon submission to numerous scripts. This may allow an attacker to overwrite the variable, thus bypassing the security restrictions in place to maintain register_globals emulation. Once this variable has been manipulated, several scripts could then be used to conduct further attacks. Read more at osvdb.org/21508
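The class of bug described above, as an added example that is a simplified model and not phpMyAdmin's own code: an import routine whose blacklist lives in the same scope it writes into, next to a hardened form. The function names, the `$scope` array standing in for the global scope, the blacklist patterns and the request data are all assumptions constructed for illustration.

```php
<?php
// Simplified model of register_globals emulation (assumed, not phpMyAdmin code).
// $scope stands in for the global variable scope the importer writes into.

// Vulnerable: the blacklist is read from the scope being written to and does
// not protect its own name, so an imported value can replace it mid-loop.
function import_vulnerable(array &$scope, array $request): void
{
    foreach ($request as $name => $value) {
        foreach ($scope['import_blacklist'] as $pattern) {
            if (preg_match($pattern, (string) $name)) {
                continue 2; // name is protected, skip it
            }
        }
        $scope[$name] = $value;
    }
}

// Hardened: the blacklist is passed in separately, so no request value can
// reach it, and names already defined in the scope are never overwritten.
function import_hardened(array &$scope, array $request, array $blacklist): void
{
    foreach ($request as $name => $value) {
        if (!is_string($name) || array_key_exists($name, $scope)) {
            continue;
        }
        foreach ($blacklist as $pattern) {
            if (preg_match($pattern, $name)) {
                continue 2;
            }
        }
        $scope[$name] = $value;
    }
}

// Constructed sample data: protected names and a request that names the blacklist.
const BLACKLIST = ['/^cfg$/i', '/^GLOBALS$/i', '/^_(SERVER|SESSION|FILES|COOKIE)$/'];
$request = ['import_blacklist' => [], 'cfg' => ['theme' => 'from request'], 'db' => 'test'];

$a = ['import_blacklist' => BLACKLIST, 'cfg' => ['theme' => 'trusted']];
import_vulnerable($a, $request);
echo 'vulnerable cfg: ', $a['cfg']['theme'], PHP_EOL;

$b = ['cfg' => ['theme' => 'trusted']];
import_hardened($b, $request, BLACKLIST);
echo 'hardened cfg:   ', $b['cfg']['theme'], PHP_EOL;
```

In the vulnerable run the protected `cfg` entry ends up holding the request's value because the blacklist was emptied first; in the hardened run it keeps the trusted value while the harmless `db` parameter is still imported.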