The MIME transformation system (transformations/text_plain__external.inc.php) in phpMyAdmin 2.5.0 up to 2.6.0-pl1 allows remote attackers to execute arbitrary commands via shell metacharacters in unspecified vectors.
Gentoo Linux has released advisory GLSA 200410-14 dealing with this issue. They have advised that all phpMyAdmin users should upgrade to the latest version:

    # emerge sync
    # emerge -pv ">=dev-db/phpmyadmin-2.6.0_p2"
    # emerge ">=dev-db/phpmyadmin-2.6.0_p2"

Please see the referenced Gentoo advisory for more information. The vendor has released phpMyAdmin 2.6.0 pl2 to address this issue.
An unspecified vulnerability in phpMyAdmin allows remote arbitrary command execution with the privileges of the web server. The issue is due to the way MIME-based transformations are handled when dealing with "external" transformations; it can only occur if PHP's safe mode is disabled. No further details have been provided.
Upgrade to version 2.6.0-pl2 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.