Security Flaws Haunt Open-Source Projects

High-risk vulnerabilities are flagged and fixed in phpMyAdmin and phpBB, two popular open-source Web projects.

Multiple vulnerabilities in two popular open-source projects—phpMyAdmin and phpBB—could put users at risk of cross-site scripting and information disclosure attacks, security researchers warned Thursday.

According to an alert from research firm Secunia, users of the phpMyAdmin application should apply the latest versions of the application to avoid malicious hacking attacks.

The phpMyAdmin Project recommends that users upgrade to version 2.6.1-pl1, which contains fixes.

The most serious flaws could lead to arbitrary program execution if PHP safe mode is off and external transformations are activated.

Written in PHP, phpMyAdmin is a popular Web application for managing MySQL databases over the Web.

It is used by administrators to create and drop databases or to execute any SQL statement or manage keys on fields.

Separately, the phpBB Group confirmed that a gaping hole in its Web forum software could allow the disclosure of the full path to system files.

The security hole, first flagged by iDefense Inc., could allow remote attackers to view arbitrary system files under the privileges of the underlying Web server.

/zimages/3/28571.gifRead more here about iDefense doing big business with vulnerability intelligence.

"Upon successful exploitation, an attacker may be able to further compromise the system by gleaning system information that would otherwise be inaccessible to the attacker," iDefense warned.

The phpBB Group has fixed the vulnerability and is strongly recommending that users upgrade to 2.0.12.

/zimages/3/28571.gifClick here to read more about how a vulnerability in a Web stats logging application compromised, home of the popular Web forum software PhpBB.

An online alert from phpBB confirmed that one of the potential exploits addressed in the upgrade "could be serious in certain situations and thus we urge all users to upgrade to this release as soon as possible," the phpBB Group said in its advisory.

In December, users of the freely distributed phpBB software fell victim to worm attacks that led to site defacements.

/zimages/3/28571.gifCheck out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzers Weblog.