[UNIX] phpMyAdmin Multiple Vulnerabilities (Path Disclosure, Response Splitting)
From: SecuriTeam (support_at_securiteam.com)
Date: 11/15/05
- Previous message: SecuriTeam: "[UNIX] Cyphor SQL Injection"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: list@securiteam.com Date: 15 Nov 2005 15:36:13 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
phpMyAdmin Multiple Vulnerabilities (Path Disclosure, Response Splitting)
------------------------------------------------------------------------
SUMMARY
<http://www.phpmyadmin.net/> phpMyAdmin is "a tool written in PHP
intended to handle the administration of MySQL over the Web. Currently it
can create and drop databases, create/drop/alter tables, delete/edit/add
fields, execute any SQL statement, manage keys on fields".
Multiple security vulnerabilities have been found in phpMyAdmin, these
range from full path disclosure to allowing attackers to preform HTTP
response splitting.
DETAILS
Vulnerable Systems:
* phpMyAdmin version 2.7.0-beta1
Full Path Disclosures in the following files:
libraries/string.lib.php
libraries/storage_engines.lib.php
libraries/sqlparser.lib.php
libraries/sql_query_form.lib.php
libraries/select_theme.lib.php
libraries/select_lang.lib.php
libraries/relation_cleanup.lib.php
libraries/left_header.inc.php
libraries/import.lib.php
libraries/header_meta_style.inc.php
libraries/grab_globals.lib.php
libraries/get_foreign.lib.php
(get_foreign.lib.php?field=foo&foreigners[foo]=foo)
libraries/display_tbl_links.lib.php
(display_tbl_links.lib.php?doWriteModifyAt=left&edit_url=foo)
libraries/display_import.lib.php
libraries/display_export.lib.php
libraries/display_create_table.lib.php
libraries/display_create_database.lib.php
libraries/db_table_exists.lib.php
libraries/database_interface.lib.php
libraries/common.lib.php
libraries/check_user_privileges.lib.php
libraries/charset_conversion.lib.php
(charset_conversion.lib.php?cfg[AllowAnywhereRecoding]=true&allow_recoding=true)
libraries/sqlvalidator.lib.php
(libraries/sqlvalidator.lib.php?cfg[SQLValidator]=use=TRUE)
libraries/import/sql.php
libraries/fpdf/ufpdf.php
libraries/auth/cookie.auth.lib.php
(libraries/auth/cookie.auth.lib.php?coming_from_common=true)
HTTP Response Splitting in libraries/header_http.inc.php:
The script doesn't check for direct access. If register_globals is on, it
is possible for a remote attacker to cause HTTP response splitting.
Impact:
A remote attacker could exploit this to learn installation paths on
server. The HTTP Response splitting vulnerability can lead to user
compromise amongst other things.
ADDITIONAL INFORMATION
The information has been provided by <mailto:toni.koivunen@fitsec.com>
Toni Koivunen.
The original article can be found at:
<http://www.fitsec.com/advisories/FS-05-02.txt>
http://www.fitsec.com/advisories/FS-05-02.txt
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
- Previous message: SecuriTeam: "[UNIX] Cyphor SQL Injection"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
- [UNIX] phpBB HTTP Response Splitting and Cross Site Scripting Vulnerabilities
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... phpBB is prone to cross-site scripting
and HTTP response splitting ... These vulnerabilities may allow an attacker to perform
various attacks ... sensitive user information and perform cross-site scripting attacks.
... (Securiteam) - [NEWS] Detecting and Testing HTTP Response Splitting Using Browser Cookies Alert
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... The HTTP Response Splitting
attack is quite unique in the sense that it is ... browsers can be configured to pop-up an
alert when a cookie is received ... alert, it's possible to monitor when and if
such cookie is received. ... (Securiteam) - [UNIX] Rrdbrowse Arbitrary File Disclosure Vulnerability
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... Rrdbrowse Arbitrary File Disclosure
Vulnerability ... validation in rrdbrowser a remote attacker can cause the program
to ... (Securiteam) - [NT] Virtual Programming VP-ASP Shopping Cart Multiple SQL Injection Vulnerabilities
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... SQL Injection Vulnerability
in 'shopsearch.asp' Script ... Exploitation of the vulnerability allows a remote attacker
to insert a new ... S-Quadra alerted VP-ASP development team to this issue on 28th November
... (Securiteam) - [UNIX] MySQL MaxDB Web Agent Multiple DoS Vulnerabilities (sapdbwa_GetUserData)
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... MaxDB by MySQL is "a re-branded
... The second vulnerability is due to insufficient handling of malformed HTTP ...
A remote attacker can submit a HTTP request with invalid headers ... (Securiteam)
