phpMyAdmin updates close critical security holes
Versions 3.4.3.2 and 3.3.10.3 of phpMyAdmin close a total of four security holes in the open source database administration tool. According to the phpMyAdmin developers, the security releases address two "critical" vulnerabilities that could lead to possible session manipulation in swekey authentication or remote code execution. A "serious" bug that could allow an attacker to perform a local file inclusion and a "minor" cross-site scripting (XSS) hole have also been fixed.
Versions 3.4.3.1 and earlier are affected. The 2.11.x branch, which reached its end of life earlier this month, is not affected by the session manipulation hole, but may be affected by the others. All users are advised to update to the latest versions. Alternatively, users can apply the provided patches.
More details about the holes closed in the updates can be found in the project's security advisories. Versions 3.4.3.2 and 3.3.10.3 of phpMyAdmin are available to download from the project's site. Hosted on SourceForge, phpMyAdmin is made available under version 2 of the GNU General Public License (GPLv2).
See also:
- XSS in table Print view, a phpMyAdmin security advisory.
- Local file inclusion, a phpMyAdmin security advisory.
- Local file inclusion vulnerability and code execution, a phpMyAdmin security advisory.
- Possible session manipulation in swekey authentication, a phpMyAdmin security advisory.
(crve)
![Kernel Log: Coming in 3.10 (Part 3) [--] Infrastructure](/imgs/43/1/0/4/2/6/7/2/comingin310_4_kicker-4977194bfb0de0d7.png)
![Kernel Log: Coming in 3.10 (Part 3) [--] Infrastructure](/imgs/43/1/0/4/2/3/2/3/comingin310_3_kicker-151cd7b9e9660f05.png)
