Re: [SECURITYREASON.COM] phpMyAdmin 2.6.1 Remote file inclusion

From: Calum Power (enune_at_fribble.net)
Date: 02/26/05

    Date: Sat, 26 Feb 2005 11:37:14 +1100 (EST)
    To: "Maksymilian Arciemowicz" <max@jestsuper.pl>
    
    

    > This bug exists in css/phpmyadmin.css.php. You can
    > include files. The error exists in
    >
    > Code:
    > - ------
    > $tmp_file = $GLOBALS['cfg']['ThemePath'] . '/' .
    > $theme . '/css/theme_right.css.php';
    > if (@file_exists($tmp_file)) {
    > include($tmp_file);
    > } // end of include theme_right.css.php
    > - ------
    >
    > And now you can get files.
    Incorrect. This is NOT a 'remote' file inclusion (due to the file_exists
    call), unless of course the affected user is running >= PHP5.0. It is
    usually good practice to state this in an advisory. Please see Appendix L
    at http://www.php.net/manual/en/wrappers.php

    > 1.1
    > Or the next include is in libraries/database_interface.lib.php
    >
    > Code:
    >
    > - ---
    > 18# require_once('./libraries/dbi/' . $cfg['Server']['extension'] .
    > '.dbi.lib.php');
    > - ---
    Also incorrect. The call to require_once passes the absolute path
    './libraries/dbi/' before the variable is involved. This is a LOCAL file
    inclusion vulnerability.

    > - --- 5.Contact ---
    > Author: Maksymilian Arciemowicz
    > Location: Poland(Jelenia Gora), Luxembourg(Bereldange)
    > Email: max [at] jestsuper [dot] pl
    > GPG-KEY: http://security.jestsuper.pl
    > http://securityreason.com/ Team

    =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
    Nullum magnum ingenium sine mixtura dementiae fuit
    [There is no great genius without some touch of madness]
    =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
    Calum Power
    - Cultural Jammer
    - Security Enthusiast
    - Hopeless Cynic
    enune@fribble.net
    http://www.fribble.net
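
Both includes discussed in this thread build part of their path from a variable. The block below is an added example, not part of the original messages and not phpMyAdmin's own code, showing one way to constrain such values before they reach include or require_once. It assumes PHP 7.1 or later; the function names, the DBI allowlist and the sample values are hypothetical and constructed for illustration.

```php
<?php
// Added example: hypothetical helpers, not phpMyAdmin code.

/** Return the real path of the theme CSS file, or null if $theme is not acceptable. */
function resolve_theme_css(string $themePath, string $theme): ?string
{
    // A theme is one directory name: no slashes, dots, NUL bytes or scheme prefixes.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $theme)) {
        return null;
    }
    $base = realpath($themePath);
    if ($base === false) {
        return null;
    }
    // realpath() resolves symlinks and "..", and returns false for missing files,
    // so the result must exist and must still sit under the theme directory.
    $file = realpath($base . '/' . $theme . '/css/theme_right.css.php');
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ($file === false || strncmp($file, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $file;
}

/** Map the configured DBI extension to a library file through a fixed allowlist. */
function resolve_dbi_lib(string $extension): ?string
{
    // Assumed allowlist; the configured value never becomes part of the path itself.
    $allowed = ['mysql' => 'mysql.dbi.lib.php', 'mysqli' => 'mysqli.dbi.lib.php'];
    return isset($allowed[$extension]) ? './libraries/dbi/' . $allowed[$extension] : null;
}

// Constructed demo: a throwaway theme tree in the temp directory.
$root = sys_get_temp_dir() . '/pma_demo_' . getmypid();
mkdir($root . '/themes/original/css', 0700, true);
file_put_contents($root . '/themes/original/css/theme_right.css.php', "/* css */\n");

// Constructed sample values: one valid theme name and three that must be rejected.
$samples = ['original', '../../../../etc', 'ftp://host.example/x', "original\0"];
foreach ($samples as $theme) {
    $path = resolve_theme_css($root . '/themes', $theme);
    printf("%-24s => %s\n", json_encode($theme), $path ?? 'rejected');
}
var_dump(resolve_dbi_lib('mysqli'), resolve_dbi_lib('../../x'));
```

Only the first sample resolves to a path; the others are rejected before any filesystem call, so the result does not depend on the PHP version's wrapper support for file_exists.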

