phpMyAdmin tbl_rename.php Arbitrary Command Execution

2001-07-31T00:00:00
ID OSVDB:8401
Type osvdb
Reporter Carl Livitt(carl@ititc.com)
Modified 2001-07-31T00:00:00

Description

Vulnerability Description

phpMyAdmin contains a flaw that may allow a remote malicious user to execute arbitrary commands. The issue arises due to the eval() function not properly checking input within the tbl_rename.php script which can be exploited by sending a specially crafted URL to the page. It is possible that the flaw may allow remote execution of arbitrary commands within the permissions context of the web server's user and group. This could result in a loss of system integrity.

Solution Description

Upgrade to phpMyAdmin version 2.2.0 or higher, as it has been reported to fix this vulnerability. It is also possible to correct the flaw by implementing the following workaround:

Comment out the eval() function within tbl_rename.php.

Short Description

phpMyAdmin contains a flaw that may allow a remote malicious user to execute arbitrary commands. The issue arises due to the eval() function not properly checking input within the tbl_rename.php script which can be exploited by sending a specially crafted URL to the page. It is possible that the flaw may allow remote execution of arbitrary commands within the permissions context of the web server's user and group. This could result in a loss of system integrity.

Manual Testing Notes

http://[victim]/phpmyadmin/tbl_rename.php?db=[dbname]&table=[dbtable]&new_name=[dbname].[tablename]2&strRenameTableOK=".passthru('cat%20/etc/passwd')."

References:

Vendor URL: http://www.phpmyadmin.net/home_page/ Related OSVDB ID: 8400 Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2001-07/0757.html ISS X-Force ID: 6929 CVE-2001-1060 Bugtraq ID: 3121