Multiple vulnerabilities in two popular open-source projects—phpMyAdmin and phpBB—could put users at risk of cross-site scripting and information disclosure attacks, security researchers warned Thursday.
According to an alert from research firm Secunia, users of the phpMyAdmin application should apply the latest versions of the application to avoid malicious hacking attacks.
The phpMyAdmin Project recommends that users upgrade to version 2.6.1-pl1, which contains fixes.
The most serious flaws could lead to arbitrary program execution if PHP safe mode is off and external transformations are activated.
Written in PHP, phpMyAdmin is a popular Web application for managing MySQL databases over the Web.
It is used by administrators to create and drop databases or to execute any SQL statement or manage keys on fields.
Separately, the phpBB Group confirmed that a gaping hole in its Web forum software could allow the disclosure of the full path to system files.
The security hole, first flagged by iDefense Inc., could allow remote attackers to view arbitrary system files under the privileges of the underlying Web server.
“Upon successful exploitation, an attacker may be able to further compromise the system by gleaning system information that would otherwise be inaccessible to the attacker,” iDefense warned.
The phpBB Group has fixed the vulnerability and is strongly recommending that users upgrade to 2.0.12.
An online alert from phpBB confirmed that one of the potential exploits addressed in the upgrade “could be serious in certain situations and thus we urge all users to upgrade to this release as soon as possible,” the phpBB Group said in its advisory.
In December, users of the freely distributed phpBB software fell victim to worm attacks that led to site defacements.