phpMyAdmin 2.6.4 and 2.6.4-pl1 Local file inclusion vulnerability

[thewishbone]

Hi i read this and i want to know if we have to upgrade to the new verion of PHPMyAdmin 2.6.4-pl2:

Announcement-ID: PMASA-2005-4
Date: 2005-10-11

Summary:
Local file inclusion vulnerability

Description:
In libraries/grab_globals.lib.php, the $__redirect parameter was not correctly validated, opening the door to a local file inclusion attack.


Severity:
We consider this vulnerability to be serious. However, it can be exploited only on systems not running in PHP safe mode (unless a deliberate hole was opened by including in open_basedir some paths containing sensitive data).

Affected versions:
phpMyAdmin versions 2.6.4 and 2.6.4-pl1.

Solution:
Upgrade to phpMyAdmin 2.6.4-pl2 or newer.

[Website Rob]

All depends on your Server security by the looks of things.

Just more good reasons why always running PHP in 'safe_mode' and 'open_basedir' restrictions turned ON, just makes a whole lotta sense.

[thewishbone]

And how we know if really needs to do it? we try this bug...and works

thanks

[chirpy]

You need to follow the cPanel changelog, this has been incorporated into the release tree (have a look on http://layer1.cpanel.net).

Do bear in mind that to run phpmyadmin that comes with cPanel you do need to have a valid cPanel login to access it.

[PvUtrix]

phpMyAdmin 2.6.4-pl3 has been released with the following bugfix among others,
Security fixes: local file inclusion and XSS
http://www.phpmyadmin.net/home_page/...php?relnotes=0

Vote for it on bugzilla so cPanel updates it
http://bugzilla.cpanel.net/show_bug.cgi?id=3429