Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.
Affected Versions: Version 4.11.1 and below
Vulnerability Type: Directory Traversal, Code Injection
References: PMASA-2011-5, PMASA-2011-6, PMASA-2011-7, PMASA-2011-8
Release Date: 06.07.2011
It was possible to manipulate the PHP session superglobal using some of the Swekey authentication code. Because an unsanitized key from the Servers array is written in a comment of the generated config, an attacker can modify this key by modifying the SESSION superglobal array. This allows the attacker to close the comment and inject code.
Through a possible bug in PHP, a null byte can truncate the pattern string allowing an attacker to inject the /e modifier causing the preg_replace function to execute its second argument as PHP code.
Filtering of a file path in the MIME-type transformation code, which allowed for directory traversal has been fixed.
Solution: An updated version 4.11.2 is available from the TYPO3 extension manager and attypo3.org/extensions/repository/view/phpmyadmin/4.11.2/. Users of the extension are advised to update the extension as soon as possible.
The TYPO3 Security Team requests TYPO3 administrators to consider our advice from TYPO3-SA-2009-015 to either use extension phpMyAdmin only on development servers or to use the phpMyAdmin standalone application on production servers.
This advice is also relevant in context of the TYPO3 Security Team not being informed about this security fix by the extension maintainer. Therefore, the TYPO3 Security Team cannot guarantee to publish advisories along with future security fixes released by the extension maintainer.
Credits: Thanks to Andreas Beutel for providing a TYPO3 extension package with an updated phpMyAdmin version.