Users of the increasingly popular, open-source MySQL database may be at risk from remote attacks due to a bug in phpMyAdmin, a widely used Web-based MySQL administration tool. On Wednesday the phpMyAdmin project warned of a bug in the way the tool"s MIME-based transformation system handles "external" transformations. Attackers could exploit the hole to execute arbitrary commands on a Web server with the privileges of the server"s user, the project said in a statement.
A patch available on the phpMyAdmin site fixes the bug. The vulnerability can only be exploited on systems where PHP"s safe mode is turned off. Danish security firm Secunia said the flaw is serious, giving it a "highly critical" ranking. The new flaw is the most serious to have been uncovered in phpMyAdmin to date; previous bugs, including some allowing configuration manipulation, code injection and cross site scripting, have been only moderately dangerous, according to security researchers.