SQL injection via maliciously crafted cookie. Application running from the same domain as phpMyAdmin must create the cookie for phpMyAdmin to pick up to exploit this. See upstream advisory for details: http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2008-1
CVE name was requested.
phpMyAdmin-2.11.5-1.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
phpMyAdmin-2.11.5-1.fc7 has been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report.
CVE-2008-1149: phpMyAdmin before 2.11.5 accesses $_REQUEST to obtain some parameters instead of $_GET and $_POST, which allows attackers in the same domain to override certain variables and conduct SQL injection and Cross Site Request Forgery (CSRF) attacks by using crafed cookies.
This issue was addressed in: Fedora: https://admin.fedoraproject.org/updates/F7/FEDORA-2008-2229 https://admin.fedoraproject.org/updates/F8/FEDORA-2008-2189