[UNIX] phpMyAdmin Multiple Vulnerabilities (Path Disclosure, Response Splitting)

• Previous message: SecuriTeam: "[UNIX] Cyphor SQL Injection"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: list@securiteam.com
Date: 15 Nov 2005 15:36:13 +0200

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -

  phpMyAdmin Multiple Vulnerabilities (Path Disclosure, Response Splitting)
------------------------------------------------------------------------

SUMMARY

 <http://www.phpmyadmin.net/> phpMyAdmin is "a tool written in PHP
intended to handle the administration of MySQL over the Web. Currently it
can create and drop databases, create/drop/alter tables, delete/edit/add
fields, execute any SQL statement, manage keys on fields".

Multiple security vulnerabilities have been found in phpMyAdmin, these
range from full path disclosure to allowing attackers to preform HTTP
response splitting.

DETAILS

Vulnerable Systems:
 * phpMyAdmin version 2.7.0-beta1

Full Path Disclosures in the following files:
libraries/string.lib.php
libraries/storage_engines.lib.php
libraries/sqlparser.lib.php
libraries/sql_query_form.lib.php
libraries/select_theme.lib.php
libraries/select_lang.lib.php
libraries/relation_cleanup.lib.php
libraries/left_header.inc.php
libraries/import.lib.php
libraries/header_meta_style.inc.php
libraries/grab_globals.lib.php
libraries/get_foreign.lib.php
(get_foreign.lib.php?field=foo&foreigners[foo]=foo)
libraries/display_tbl_links.lib.php
(display_tbl_links.lib.php?doWriteModifyAt=left&edit_url=foo)
libraries/display_import.lib.php
libraries/display_export.lib.php
libraries/display_create_table.lib.php
libraries/display_create_database.lib.php
libraries/db_table_exists.lib.php
libraries/database_interface.lib.php
libraries/common.lib.php
libraries/check_user_privileges.lib.php
libraries/charset_conversion.lib.php
(charset_conversion.lib.php?cfg[AllowAnywhereRecoding]=true&allow_recoding=true)
libraries/sqlvalidator.lib.php
(libraries/sqlvalidator.lib.php?cfg[SQLValidator]=use=TRUE)
libraries/import/sql.php
libraries/fpdf/ufpdf.php
libraries/auth/cookie.auth.lib.php
(libraries/auth/cookie.auth.lib.php?coming_from_common=true)

HTTP Response Splitting in libraries/header_http.inc.php:
The script doesn't check for direct access. If register_globals is on, it
is possible for a remote attacker to cause HTTP response splitting.

Impact:
A remote attacker could exploit this to learn installation paths on
server. The HTTP Response splitting vulnerability can lead to user
compromise amongst other things.

ADDITIONAL INFORMATION

The information has been provided by <mailto:toni.koivunen@fitsec.com>
Toni Koivunen.
The original article can be found at:
<http://www.fitsec.com/advisories/FS-05-02.txt>
http://www.fitsec.com/advisories/FS-05-02.txt

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

• Previous message: SecuriTeam: "[UNIX] Cyphor SQL Injection"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]