Hello,
I found a PHP command execution vulnerability in scripts/setup.php
included in phpMyAdmin 2.11.10.
The vulnerability I found is similar to CVE-2009-1151
(http://www.securityfocus.com/bid/34236), but a bit different.
It affects the latest version of phpMyAdmin 2.X.
See the attached file, which is a sample exploit PHP program
for phpMyAdmin 2.11.10. (curl library required.)
The attached exploit program creates a config/config.inc.php file
on the target machine, which includes the line below.

    $cfg['Servers'][$i]['AllowDeny']['order']['a']['b'][''.phpinfo().''] = '1';

When the config.inc.php is loaded, phpinfo() will be executed.
The cause is line 521 in scripts/setup.php.

    520: if ($type == 'string') {
    521:     $ret .= get_cfg_val($name . "['$k']", $v);
    522: } elseif ($type == 'int') {

If the input array is deeply nested, the array key will not be
properly encoded or checked.

Thanks for the report. The fix has been committed to our security repository and will be released today or during the weekend.
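
The report above traces the problem to a nested array key being pasted between quotes when the config file is generated. The following is an added example, not part of either message and not phpMyAdmin's own code or fix: the functions emit_unsafe() and emit_safe() are hypothetical helpers that contrast the concatenation pattern from line 521 with a generator that passes every key, at every depth, through var_export().

```php
<?php
// Added example: hypothetical helpers, not phpMyAdmin's setup.php code.

// Mirrors the pattern on line 521: the key is pasted between quotes unescaped,
// so a quote inside the key ends the string literal in the generated file.
function emit_unsafe(string $name, $value): string
{
    if (is_array($value)) {
        $out = '';
        foreach ($value as $k => $v) {
            $out .= emit_unsafe($name . "['$k']", $v);
        }
        return $out;
    }
    return $name . ' = ' . var_export($value, true) . ";\n";
}

// Hardened: every key at every nesting depth goes through var_export(),
// which escapes quotes and backslashes, so the key stays a string literal.
function emit_safe(string $name, $value): string
{
    if (is_array($value)) {
        $out = '';
        foreach ($value as $k => $v) {
            $out .= emit_safe($name . '[' . var_export($k, true) . ']', $v);
        }
        return $out;
    }
    if (!is_scalar($value) && $value !== null) {
        throw new InvalidArgumentException('unsupported config value type');
    }
    return $name . ' = ' . var_export($value, true) . ";\n";
}

// Constructed input: the nested key shape quoted in the report.
$input = ['order' => ['a' => ['b' => ["'.phpinfo().'" => '1']]]];
$base  = "\$cfg['Servers'][\$i]['AllowDeny']";

echo "unsafe: ", emit_unsafe($base, $input);
echo "safe:   ", emit_safe($base, $input);
```

Comparing the two printed lines shows the difference: in the hardened output the quotes inside the key are backslash-escaped, so the whole key is data when config.inc.php is loaded.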