Saturday, October 22. 2005
I was a little bored during the last few days, so I took a few glances at phpMyAdmin's source code. I was able to find a design flaw that again allows the inclusion of an arbitrary local file. Unlike the very bad experiences with a bunch of vendors during the last few months, it was a pleasure to work together with a vendor that takes reported security holes seriously.
The result of my research is available at the usual place over at the Hardened-PHP Project.
Oh well, just as a side note: you are of course not vulnerable to this if you are running with our Hardening-Patch installed.
Update: The phpMyAdmin developers have also released a security notice and placed a link to us in it. This is nice. Other vendors, e.g., thanked us by removing us from their "library of approved external(?) resources" after we disclosed holes in their stuff. (Well, another explanation would be that the person behind this just does not want to link to anything other than his own commercial services.)