I can't get the PoC to work with my settings though the error messages
indicate that it is indeed trying to include the file specified. Setting
status to upstream? pending further confirmation/fix. Web-apps please advise.
Confirmed in phpMyAdmin security announcement PMASA-2005-4:
Local file inclusion vulnerability
In libraries/grab_globals.lib.php, the $__redirect parameter was not correctly
validated, opening the door to a local file inclusion attack.
We consider this vulnerability to be serious. However, it can be exploited only
on systems not running in PHP safe mode (unless a deliberate hole was opened by
including in open_basedir some paths containing sensitive data).
phpMyAdmin versions 2.6.4 and 2.6.4-pl1.
Upgrade to phpMyAdmin 2.6.4-pl2 or newer.
web-apps, please bump to 2.6.4-pl2
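To make the advisory's point concrete, here is an added illustration of the bug class it describes (an unvalidated redirect parameter fed to require_once) next to an allowlist-based hardened form. This is example code written for this bug, not phpMyAdmin's own grab_globals.lib.php; the page names `$__redirect` and `libraries/grab_globals.lib.php`, but the function bodies, the allowlist entries and the test inputs below are hypothetical and constructed here.

```php
<?php
// Added example, not phpMyAdmin's code: a minimal "include the page named by
// a request parameter" pattern of the kind PMASA-2005-4 describes. The
// parameter name $__redirect comes from the advisory; the handling logic
// and the allowlist are hypothetical.

// --- Unsafe form: the request value is used as a file path without checks.
// A request carrying ?__redirect=../../../../etc/passwd (or any file the web
// server user can read) gets included. Only PHP safe_mode / open_basedir
// would stand in the way, which is exactly the caveat in the advisory.
function unsafe_redirect_include(array $request): void
{
    if (isset($request['__redirect'])) {
        require_once $request['__redirect'];   // local file inclusion
    }
}

// --- Hardened form: only known page scripts may ever be included.
// Hypothetical allowlist; a real application would list its own pages.
const ALLOWED_REDIRECT_TARGETS = [
    'main.php',
    'db_details.php',
    'tbl_properties.php',
];

// Returns the absolute path to include, or null when the input is rejected.
function safe_redirect_target(array $request): ?string
{
    if (!isset($request['__redirect']) || !is_string($request['__redirect'])) {
        return null;
    }
    $target = $request['__redirect'];
    // Exact-match allowlist (strict comparison): this rejects directory
    // traversal, absolute paths, null bytes and php:// stream wrappers alike,
    // without having to enumerate each trick separately.
    if (!in_array($target, ALLOWED_REDIRECT_TARGETS, true)) {
        return null;
    }
    // Resolve relative to the application root, never relative to user input.
    return __DIR__ . '/' . $target;
}

function safe_redirect_include(array $request): bool
{
    $path = safe_redirect_target($request);
    if ($path === null || !is_file($path)) {
        return false;
    }
    require_once $path;
    return true;
}

// Self-check with constructed inputs. Nothing is actually included here;
// only the validation step is exercised.
$cases = [
    'main.php'                        => 'main.php',
    '../../../../etc/passwd'          => null,
    '/etc/passwd'                     => null,
    "main.php\0.txt"                  => null,
    'php://filter/resource=main.php'  => null,
];
foreach ($cases as $input => $expected) {
    $got = safe_redirect_target(['__redirect' => $input]);
    $ok  = ($expected === null) ? $got === null
                                : $got === __DIR__ . '/' . $expected;
    printf("%-35s -> %s\n", addcslashes($input, "\0"), $ok ? 'ok' : 'FAIL');
}
```

The point of the hardened form is that it does not rely on safe_mode or open_basedir at all: those are deployment settings outside the application's control, which is why the advisory only calls them a mitigating factor rather than a fix.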
Arches, please test and mark 2.6.4_p2 stable.
Stable on ppc and hppa.
Stable on alpha (2.6.4_p2).
Works fine for me on x86 except for one odd thing. Clicking "log out" gives "authentication failed".
Is this something wonky on my system or can anyone reproduce?
Stable on x86.
Stable on amd64, sorry for the delay.