CVE-2011-2505
Description
phpMyAdmin 3.x before 3.3.10.2 and 3.4.x before 3.4.3.1 allows remote attackers to manipulate the $_SESSION superglobal via a crafted query string due to unsafe use of parse_str in the Swekey authentication feature.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
phpMyAdmin 3.x before 3.3.10.2 and 3.4.x before 3.4.3.1 allows remote attackers to manipulate the $_SESSION superglobal via a crafted query string due to unsafe use of parse_str in the Swekey authentication feature.
Vulnerability
The vulnerability resides in libraries/auth/swekey/swekey.auth.lib.php at lines 266–276 of phpMyAdmin 3.x versions prior to 3.3.10.2 and 3.4.x prior to 3.4.3.1 [1][2]. The code calls parse_str($_SERVER['QUERY_STRING']) without a second argument, causing every parameter and value in the query string to be assigned as variables in the current namespace. This code path is reachable when the query string contains session_to_unset [2].
Exploitation
An attacker can send a crafted HTTP request containing arbitrary parameters (e.g., session_to_unset, session_id, and any desired $_SESSION keys) to the vulnerable phpMyAdmin instance. No authentication is required. The parse_str call sets the attacker-supplied variables, and the subsequent session_write_close() saves the modified session before session_destroy() is called. Because the session is written before destruction, the attacker-controlled values persist in the session store [2].
Impact
Successful exploitation allows the attacker to arbitrarily set values in the $_SESSION superglobal. This can lead to privilege escalation, cross-site scripting (XSS), SQL injection, or remote code execution when combined with other vulnerabilities (such as CVE-2011-2506) [1][2]. The attacker effectively gains control over session data, which may bypass authentication and authorization checks.
Mitigation
The issue is fixed in phpMyAdmin versions 3.3.10.2 and 3.4.3.1, released on 2011-07-09 [1][2]. Users should upgrade to these or later versions. No workaround is documented. The vulnerability is not listed in CISA’s Known Exploited Vulnerabilities catalog.
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
phpmyadmin/phpmyadminPackagist | >= 3.0, < 3.3.10.2 | 3.3.10.2 |
phpmyadmin/phpmyadminPackagist | >= 3.4, < 3.4.3.1 | 3.4.3.1 |
Affected products
50cpe:2.3:a:phpmyadmin:phpmyadmin:3.0.0:*:*:*:*:*:*:*+ 48 more
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.0.0:alpha:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.0.0:beta:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.0.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.0.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.0.1:rc1:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.1.0:beta1:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.1.1:rc1:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.1.2:rc1:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.1.3:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.1.3.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.1.3.2:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.1.3:rc1:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.1.4:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.1.4:rc2:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.1.5:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.1.5:rc1:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.2.0:beta1:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.2.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.2.1:rc1:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.2.2:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.2.2:rc1:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.3.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.3.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.3.10.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.3.10.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.3.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.3.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.3.4.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.3.5.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.3.5.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.3.6:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.3.7:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.3.8:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.3.8.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.3.9.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.3.9.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.3.9.2:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.4.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.4.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.4.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.4.3.0:*:*:*:*:*:*:*
- (no CPE)range: >=3.0, <3.3.10.2 || >=3.4.0, <3.4.3.1
Patches
37ebd958b2bf5Fixed possible session manipulation in swekey authentication, see PMASA-2011-5
2 files changed · +5 −3
ChangeLog+3 −0 modified@@ -1,6 +1,9 @@ phpMyAdmin - ChangeLog ====================== +3.4.3.1 (not yet released) +- [security] Fixed possible session manipulation in swekey authentication, see PMASA-2011-5 + 3.4.3.0 (2011-06-27) - bug #3311170 [sync] Missing helper icons in Synchronize - patch #3304473 [setup] Redefine a lable that was wrong
libraries/auth/swekey/swekey.auth.lib.php+2 −3 modified@@ -263,11 +263,10 @@ function open_swekey_site() } } -if (strstr($_SERVER['QUERY_STRING'],'session_to_unset') != false) +if (!empty($_GET['session_to_unset'])) { - parse_str($_SERVER['QUERY_STRING']); session_write_close(); - session_id($session_to_unset); + session_id($_GET['session_to_unset']); session_start(); $_SESSION = array(); session_write_close();
7ebd958b2bf5Fixed possible session manipulation in swekey authentication, see PMASA-2011-5
2 files changed · +5 −3
ChangeLog+3 −0 modified@@ -1,6 +1,9 @@ phpMyAdmin - ChangeLog ====================== +3.4.3.1 (not yet released) +- [security] Fixed possible session manipulation in swekey authentication, see PMASA-2011-5 + 3.4.3.0 (2011-06-27) - bug #3311170 [sync] Missing helper icons in Synchronize - patch #3304473 [setup] Redefine a lable that was wrong
libraries/auth/swekey/swekey.auth.lib.php+2 −3 modified@@ -263,11 +263,10 @@ function open_swekey_site() } } -if (strstr($_SERVER['QUERY_STRING'],'session_to_unset') != false) +if (!empty($_GET['session_to_unset'])) { - parse_str($_SERVER['QUERY_STRING']); session_write_close(); - session_id($session_to_unset); + session_id($_GET['session_to_unset']); session_start(); $_SESSION = array(); session_write_close();
6e6e129f2629Fixed possible session corruption in swekey authentication
2 files changed · +5 −3
ChangeLog+3 −0 modified@@ -5,6 +5,9 @@ phpMyAdmin - ChangeLog $Id$ $HeadURL: https://phpmyadmin.svn.sourceforge.net/svnroot/phpmyadmin/trunk/phpMyAdmin/ChangeLog $ +3.3.10.2 (not yet released) +- [security] Fixed possible session corruption in swekey authentication + 3.3.10.1 (2011-05-20) - [security] XSS on Tracking page
libraries/auth/swekey/swekey.auth.lib.php+2 −3 modified@@ -263,11 +263,10 @@ function open_swekey_site() } } -if (strstr($_SERVER['QUERY_STRING'],'session_to_unset') != false) +if (!empty($_GET['session_to_unset'])) { - parse_str($_SERVER['QUERY_STRING']); session_write_close(); - session_id($session_to_unset); + session_id($_GET['session_to_unset']); session_start(); $_SESSION = array(); session_write_close();
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
29- www.phpmyadmin.net/home_page/security/PMASA-2011-5.phpnvdPatchVendor AdvisoryWEB
- ha.xxor.se/2011/07/phpmyadmin-3x-multiple-remote-code.htmlnvdExploitWEB
- www.exploit-db.com/exploits/17514/nvdExploit
- secunia.com/advisories/45139nvdVendor Advisory
- github.com/advisories/GHSA-vqcm-r62w-w437ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2011-2505ghsaADVISORY
- lists.fedoraproject.org/pipermail/package-announce/2011-July/062719.htmlnvdWEB
- securityreason.com/securityalert/8306nvdWEB
- typo3.org/teams/security/security-bulletins/typo3-sa-2011-008ghsaWEB
- www.debian.org/security/2011/dsa-2286nvdWEB
- www.exploit-db.com/exploits/17514ghsaWEB
- www.openwall.com/lists/oss-security/2011/06/28/2nvdWEB
- www.openwall.com/lists/oss-security/2011/06/28/6nvdWEB
- www.openwall.com/lists/oss-security/2011/06/28/8nvdWEB
- www.openwall.com/lists/oss-security/2011/06/29/11nvdWEB
- github.com/phpmyadmin/composer/commit/7ebd958b2bf59f96fecd5b3322bdbd0b244a7967ghsaWEB
- github.com/phpmyadmin/phpmyadmin/commit/6e6e129f26295c83d67b74e202628a4b8bc49e54ghsaWEB
- github.com/phpmyadmin/phpmyadmin/commit/7ebd958b2bf59f96fecd5b3322bdbd0b244a7967ghsaWEB
- web.archive.org/web/20110712103138/http://www.xxor.se/advisories/phpMyAdmin_3.x_Multiple_Remote_Code_Executions.txtghsaWEB
- web.archive.org/web/20111116172111/http://www.securityfocus.com/archive/1/518804/100/0/threadedghsaWEB
- web.archive.org/web/20121105034518/http://www.mandriva.com/en/support/security/advisoriesghsaWEB
- phpmyadmin.git.sourceforge.net/git/gitweb.cginvd
- secunia.com/advisories/45292nvd
- secunia.com/advisories/45315nvd
- typo3.org/teams/security/security-bulletins/typo3-sa-2011-008/nvd
- www.mandriva.com/security/advisoriesnvd
- www.osvdb.org/73611nvd
- www.securityfocus.com/archive/1/518804/100/0/threadednvd
- www.xxor.se/advisories/phpMyAdmin_3.x_Multiple_Remote_Code_Executions.txtnvd
News mentions
0No linked articles in our index yet.