New bug found in MySQL add-on utility

Users of the increasingly popular, open-source MySQL database may be at risk from remote attacks due to a bug in phpMyAdmin, a widely used Web-based MySQL administration tool.

On Wednesday the phpMyAdmin project warned of a bug in the way the tool's MIME-based transformation system handles "external" transformations. Attackers could exploit the hole to execute arbitrary commands on a Web server with the privileges of the server's user, the project said in a statement.

A patch available on the phpMyAdmin site fixes the bug.

The vulnerability can only be exploited on systems where PHP's safe mode is turned off. Danish security firm Secunia said the flaw is serious, giving it a "highly critical" ranking.

The new flaw is the most serious to have been uncovered in phpMyAdmin to date; previous bugs, including some allowing configuration manipulation, code injection and cross site scripting, have been only moderately dangerous, according to security researchers.

PhpMyAdmin has become the de facto standard for controlling MySQL databases over a Web-based interface, though it faces numerous competitors. Like MySQL it is distributed under an open-source licence.

MySQL, like some other open-source databases, has gained ground in the database market, particularly in small to medium-sized businesses, industry analysts say. Enterprises are also beginning to eye the product as an alternative to Oracle.