Unrated severity · NVD Advisory · Published Oct 23, 2005 · Updated Jun 16, 2026

CVE-2005-3300

Description

The register_globals emulation layer in grab_globals.php for phpMyAdmin before 2.6.4-pl3 does not perform safety checks on values in the _FILES array for uploaded files, which allows remote attackers to include arbitrary files by using direct requests to library scripts that do not use grab_globals.php, then modifying certain configuration values for the theme.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability mechanics

Root cause

"Missing safety checks on the _FILES array during register_globals emulation allows overwriting configuration values, enabling arbitrary local file inclusion."

Attack vector

An attacker sends a crafted multipart/form-data request containing a file upload field whose name is `cfg`. Because the `_FILES` array is not protected against keys named `cfg`, the emulation layer overwrites `$cfg['ThemePath']` with an empty value and sets `$cfg['ThemeManager']` to a truthy value [ref_id=1]. The attacker also supplies a cookie (or other user-controlled input) that sets the global `theme` variable to an absolute path to a target file. When phpMyAdmin later executes `@include($cfg['ThemePath'].'/'.$GLOBALS['theme'].'/info.inc.php')`, the empty `ThemePath` prefix means the attacker-controlled absolute path is used directly, allowing inclusion of arbitrary local files [ref_id=1]. This can lead to remote code execution if the included file contains attacker-controlled content (e.g., log files).

Affected code

The vulnerability resides in `grab_globals.php`, which implements a register_globals emulation layer. When the `_FILES` array is merged into the global namespace, it lacks the safety checks applied to `_GET` and `_POST` variables. Additionally, files such as `db_details_db_info.php` include `libraries/common.lib.php` (which loads `$cfg`) before `grab_globals.php` is reached via `select_lang.lib.php`, allowing configuration values to be overwritten after they are set [ref_id=1].

What the fix does

The advisory recommends upgrading to phpMyAdmin 2.6.4-pl3 or later [ref_id=1]. No patch diff is included in the bundle, but the fix addresses the design flaw by ensuring that the `_FILES` array receives the same safety checks as `_GET` and `_POST` during the register_globals emulation, preventing overwrite of sensitive configuration keys like `cfg`. The vendor release resolves the inclusion ordering issue so that `grab_globals.php` is always included before configuration arrays are populated.
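
An added example (not phpMyAdmin's code and not taken from the vendor patch) of the uniform check described above: one import routine applied to every request source, the uploaded-files array included. The names `import_vars`, `PROTECTED_NAMES` and `$scope`, the refuse-if-already-set rule, and the sample request data are assumptions made for the illustration.

```php
<?php
// Added illustration, not phpMyAdmin code. Function and constant names are hypothetical.

// Names the emulation layer must never import from a request.
const PROTECTED_NAMES = ['cfg', 'GLOBALS', '_GET', '_POST', '_COOKIE',
                         '_FILES', '_SERVER', '_ENV', '_REQUEST', '_SESSION'];

// Copy request values into $scope (a stand-in for the global namespace).
// A name is refused if it is protected, is not a plain identifier, or
// already exists in $scope. Returns the refused names for logging.
function import_vars(array $source, array &$scope): array
{
    $refused = [];
    foreach ($source as $name => $value) {
        $name = (string) $name;
        if (in_array($name, PROTECTED_NAMES, true)
            || !preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $name)
            || array_key_exists($name, $scope)) {
            $refused[] = $name;
            continue;
        }
        $scope[$name] = $value;
    }
    return $refused;
}

// Constructed sample data. Configuration is populated before the import
// runs, which is the include ordering the advisory text describes.
$scope = ['cfg' => ['ThemePath' => './themes', 'ThemeManager' => true]];
$get   = ['db' => 'test', 'cfg' => 'x'];
$files = ['cfg' => ['name' => 'x', 'type' => '', 'tmp_name' => '', 'error' => 4, 'size' => 0],
          'import_file' => ['name' => 'dump.sql', 'type' => 'text/plain',
                            'tmp_name' => '/tmp/phpA1', 'error' => 0, 'size' => 10]];

// The same check runs for every source, the uploaded-files array included.
foreach (['_GET' => $get, '_FILES' => $files] as $label => $source) {
    foreach (import_vars($source, $scope) as $name) {
        echo "refused $label key: $name\n";
    }
}

// Configuration is unchanged and legitimate values were imported.
var_dump($scope['cfg']['ThemePath'] === './themes');
var_dump(isset($scope['db'], $scope['import_file']));
```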

Preconditions

  • config: phpMyAdmin version <= 2.6.4-pl2
  • config: PHP register_globals must be off (the emulation layer is active)
  • network: Attacker must be able to send HTTP requests to the phpMyAdmin instance
  • config: For %00 truncation: magic_quotes_gpc must be off
  • config: For realpath() truncation: a malfunctioning realpath() implementation (e.g., older OpenBSD)

Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
