A critical security hole has been discovered in PHPMyAdmin, a popular program for managing MySQL databases. The vulnerability allows an attacker to defeat the program's security scheme by overwriting key system files, which in turn enables remote file inclusion and cross-site scripting attacks. The PHPMyAdmin project has released an update that fixes the issue, which can be downloaded here. Details of the security hole and its implications are outlined in an advisory from the Hardened PHP Project, which discovered the issue during a code audit.
PHPMyAdmin is installed on many shared hosting systems to help customers manage databases for PHP applications. As a result, the security hole may be attractive to hackers, as the program's location on a system can be easily learned, and PHPMyAdmin provides access to a wide variety of web applications based on MySQL databases, including blogs, forums and content management systems.
The potential impact of the limited by the fact that it only affects version 2.7.0, which was released last week. Users who upgraded to 2.7.0 promptly are vulnerable, while systems running older versions of the software are not affected.