About this recent message
http://www.securityfocus.com/archive/1/419709/30/0/threaded
I replied:
"We don't think that this is a real problem. The server_privileges.php script checks at the beginning if the user is privileged. So, for this attack to work, the victim's phpMyAdmin installation would have to be set so as to allow any user to auto-login as a privileged user. If this is the case, this phpMyAdmin installation is wide open to any action, and this has to be fixed by the person who installed phpMyAdmin."
Quote from the phpsec mailing list
Marc Delisle
phpMyAdmin team
Dúalon
http://e-arc.hu/