An SQL injection flaw, possibly leading to 'control user' role privilege escalation, was found in the way phpMyAdmin, a tool written in PHP intended to handle the administration of MySQL over the World Wide Web, (previously) used to sanitize values of certain parameters passed to selected table / storage engine content manipulation routines. A remote attacker could provide a specially-crafted web page that, when visited, would lead to the (attacker's) ability to inject arbitrary SQL, possibly leading to their ability to read / write tables of the configuration storage database, or read content of selected tables of the 'mysql' database.

Upstream advisory:
[1] http://www.phpmyadmin.net/home_page/security/PMASA-2013-15.php

Relevant patches:
* master:
  https://github.com/phpmyadmin/phpmyadmin/commit/974d0dedeea7c79ac4533e614d9c0c3abd97e8f9
  https://github.com/phpmyadmin/phpmyadmin/commit/8ef025ef3d05c164654fee7001517626cf604bb1
* 3.5.x:
  https://github.com/phpmyadmin/phpmyadmin/commit/4cbeef599cda87c6d2b1d7ef5542fe1ff316f706
  https://github.com/phpmyadmin/phpmyadmin/commit/20f71e767bcd037178cb5455543071323bc7ffd9
This issue affects the latest version of the phpMyAdmin package, as shipped with Fedora releases 18 and 19, Fedora EPEL-6 and Fedora EPEL-5. Please schedule an update.
Created phpMyAdmin tracking bugs for this issue:
Affects: epel-5 [bug 989674]
Created phpMyAdmin tracking bugs for this issue:
Affects: fedora-all [bug 989678]
Affects: epel-6 [bug 989679]
The CVE identifier of CVE-2013-5003 has been assigned to this issue: http://www.openwall.com/lists/oss-security/2013/07/30/1
phpMyAdmin-4.2.6-1.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
phpMyAdmin-4.2.6-1.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
phpMyAdmin-4.0.10.1-1.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.
phpMyAdmin4-4.0.10.3-2.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.