[CVE-2014-8959] phpMyAdmin arbitrary file include vulnerability analysis (with demonstration) - Vulnerability Warning - myhack58

2014-11-29T00:00:00
ID MYHACK58:62201456379
Type myhack58
Reporter Anonymous
Modified 2014-11-29T00:00:00

Description

0x01 vulnerability description

phpMyAdmin is a widely used MySQL database management tool written in PHP.

The recent CVE-2014-8959 advisory states that several versions of the program contain an arbitrary file inclusion vulnerability. The affected versions are:

phpMyAdmin

- 4.0.1 – 4.0.10.6
- 4.1.1 – 4.1.14.7
- 4.2.1 – 4.2.12

0x02 patch analysis

I saw this vulnerability mentioned on bobao.360.cn, so I wrote a short analysis of it, to give people doing penetration testing an idea and to give friends learning code auditing a little material.

A few days ago phpMyAdmin released a new patch.

The advisory is here: http://www.phpmyadmin.net/home_page/security/PMASA-2014-14.php

It fixes an arbitrary file inclusion vulnerability in the phpMyAdmin 4.x branch. Let's look at the patch for the 4.0 branch:

https://github.com/phpmyadmin/phpmyadmin/commit/2e3f0b9457b3c8f78beb864120bd9d55617a11b5


In the file libraries/gis/pma_gis_factory.php, an additional check was added on $type_lower. From this we can infer that the file inclusion point is where $type_lower is used.

0x03 vulnerability code analysis

Let's go to libraries/gis/pma_gis_factory.php, line 29:


```php
public static function factory($type)
{
    include_once './libraries/gis/pma_gis_geometry.php';

    // $type arrives from the caller unvalidated; it is only lowercased and
    // then concatenated straight into the path that is checked and included.
    $type_lower = strtolower($type);
    if (! file_exists('./libraries/gis/pma_gis_' . $type_lower . '.php')) {
        return false;
    }
    if (include_once './libraries/gis/pma_gis_' . $type_lower . '.php') {
        switch(strtoupper($type)) {
        case 'MULTIPOLYGON' :
            return PMA_GIS_Multipolygon::singleton();
        case 'POLYGON' :
            return PMA_GIS_Polygon::singleton();
        case 'MULTIPOINT' :
            return PMA_GIS_Multipoint::singleton();
        case 'POINT' :
            return PMA_GIS_Point::singleton();
        case 'MULTILINESTRING' :
            return PMA_GIS_Multilinestring::singleton();
        case 'LINESTRING' :
            return PMA_GIS_Linestring::singleton();
        case 'GEOMETRYCOLLECTION' :
            return PMA_GIS_Geometrycollection::singleton();
        default :
            return false;
        }
    } else {
        return false;
    }
}
```
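The patch adds a check on $type_lower before the path is built. As an added example (not phpMyAdmin's own code and not the actual patch), here is a hardened variant of that step: the caller-supplied $type is resolved through an allowlist of the seven geometry names the switch already accepts, so the string that reaches include_once can only name one of the known files.

```php
<?php
// Added example, not phpMyAdmin's code or its actual fix: the factory above
// concatenates the caller-supplied $type into an include path. This variant
// resolves $type through an allowlist first, so the string that reaches
// include_once can only name one of the seven known geometry files.

/**
 * Return the include path for a geometry type, or null when $type is not
 * one of the names the original switch() accepts. The path is built from
 * the allowlisted constant, never from the raw input string.
 */
function pma_gis_include_path($type)
{
    static $known = array(
        'MULTIPOLYGON', 'POLYGON', 'MULTIPOINT', 'POINT',
        'MULTILINESTRING', 'LINESTRING', 'GEOMETRYCOLLECTION',
    );
    if (! is_string($type)) {
        return null;
    }
    $upper = strtoupper($type);
    if (! in_array($upper, $known, true)) {
        return null;
    }
    // Only the allowlisted name is lowercased into the filename.
    return './libraries/gis/pma_gis_' . strtolower($upper) . '.php';
}

// Constructed sample inputs: two valid type names (mixed case, as the
// original code tolerates) and two malformed ones that must be rejected.
$samples = array('point', 'MultiPolygon', 'point.php', 'pma_gis_point');
foreach ($samples as $s) {
    $path = pma_gis_include_path($s);
    printf("%-16s => %s\n", $s, $path === null ? 'rejected' : $path);
}
```

Whatever check the real patch uses, the property to verify in a code audit is the same: no byte of the request-controlled value may appear in the include path unless it has first been matched against a fixed set of expected names.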
