The version of phpMyAdmin installed on the remote host allows an unauthenticated attacker to bypass variable blacklisting in its globalization routine and destroy, for example, the contents of session variables.
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description)
{
script_id(22512);
script_version("1.17");
script_set_attribute(attribute:"plugin_modification_date", value:"2022/04/11");
script_cve_id("CVE-2006-5116");
script_bugtraq_id(20253);
script_name(english:"phpMyAdmin < 2.9.1 Multiple Vulnerabilities");
script_set_attribute(attribute:"synopsis", value:
"The remote web server contains a PHP application that suffers from
multiple issues.");
script_set_attribute(attribute:"description", value:
"The version of phpMyAdmin installed on the remote host allows an
unauthenticated attacker to bypass variable blacklisting in its
globalization routine and destroy, for example, the contents of
session variables.");
script_set_attribute(attribute:"see_also", value:"http://www.hardened-php.net/advisory_072006.130.html");
script_set_attribute(attribute:"see_also", value:"https://seclists.org/fulldisclosure/2006/Oct/5");
script_set_attribute(attribute:"see_also", value:"http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2006-5");
script_set_attribute(attribute:"solution", value:
"Upgrade to phpMyAdmin version 2.9.0.1 or later.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
script_set_attribute(attribute:"exploit_available", value:"false");
script_set_attribute(attribute:"vuln_publication_date", value:"2006/09/27");
script_set_attribute(attribute:"plugin_publication_date", value:"2006/10/06");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_set_attribute(attribute:"cpe", value:"cpe:/a:phpmyadmin:phpmyadmin");
script_set_attribute(attribute:"thorough_tests", value:"true");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"CGI abuses");
script_copyright(english:"This script is Copyright (C) 2006-2022 Tenable Network Security, Inc.");
script_dependencies("phpMyAdmin_detect.nasl");
script_require_keys("www/phpMyAdmin", "www/PHP");
script_exclude_keys("Settings/disable_cgi_scanning");
script_require_ports("Services/www", 80);
exit(0);
}
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
port = get_http_port(default:80, php: 1);
# Test an install.
install = get_kb_item(string("www/", port, "/phpMyAdmin"));
if (isnull(install)) exit(0);
matches = eregmatch(string:install, pattern:"^(.+) under (/.*)$");
if (!isnull(matches))
{
dir = matches[2];
# Grab index.php.
url = string(dir, "/index.php");
res = http_get_cache(item:url, port:port, exit_on_fail: 1);
# Don't check if we see an error like the one we'll try to generate.
if (
"Fatal error" >< res ||
"Call to a member function on a non-object in" >< res
) exit(0);
# Try to overwrite $_SESSION via 'libraries/grab_globals.lib.php'.
# If successful, this will lead to a fatal error later in
# 'libraries/common.lib.php'.
bound = "bound";
boundary = string("--", bound);
postdata = string(
boundary, "\r\n",
'Content-Disposition: form-data; name="_SESSION"; filename="nessus";', "\r\n",
"Content-Type: text/plain\r\n",
"\r\n",
"foo\r\n",
boundary, "--", "\r\n"
);
r = http_send_recv3(method:"POST", item: url, version: 11, port:port,
exit_on_fail: 1,
content_type: "multipart/form-data; boundary="+bound,
data: postdata);
res = r[2];
# There's a problem if we see a fatal error.
if (res && "Call to a member function on a non-object in" >< res)
security_warning(port);
# what to do if (res == NULL) (eg, error display is disable but
# app is vulnerable)???
}
Vendor | Product | Version | CPE |
---|---|---|---|
phpmyadmin | phpmyadmin | cpe:/a:phpmyadmin:phpmyadmin |