phpMyAdmin 'what' Parameter Local File Inclusion Vulnerability

2013-04-28T00:00:00
ID SSV:60771
Type seebug
Reporter Root
Modified 2013-04-28T00:00:00

Description

BUGTRAQ ID: 59462 CVE(CAN) ID: CVE-2013-3240

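phpMyAdmin is a web-based administration tool for MySQL databases. Its main features include creating tables online, running SQL statements, searching and querying data, and importing and exporting data.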

The Export feature in phpMyAdmin versions before 4.0.0-rc3 contains a directory traversal vulnerability. An authenticated remote user can exploit it by supplying a crafted export type parameter to include arbitrary files, leading to arbitrary code execution.

PHP script "export.php", line 20:

```php
foreach ($_POST as $one_post_param => $one_post_value) {
    $GLOBALS[$one_post_param] = $one_post_value;
}

PMA_Util::checkParameters(array('what', 'export_type'));

// export class instance, not array of properties, as before
$export_plugin = PMA_getPlugin(
    "export",
    $what,
    'libraries/plugins/export/',
    array(
        'export_type' => $export_type,
        'single_table' => isset($single_table)
    )
);
```

Clearly, the `what` parameter is passed as the second argument to PMA_getPlugin().

PHP script "libraries/plugin_interface.lib.php", line 20:

```php
function PMA_getPlugin(
    $plugin_type,
    $plugin_format,
    $plugins_dir,
    $plugin_param = false
) {
    $GLOBALS['plugin_param'] = $plugin_param;
    $class_name = strtoupper($plugin_type[0])
        . strtolower(substr($plugin_type, 1))
        . strtoupper($plugin_format[0])
        . strtolower(substr($plugin_format, 1));
    $file = $class_name . ".class.php";
    if (is_file($plugins_dir . $file)) {
        include_once $plugins_dir . $file;
```

The value is not filtered, which results in file inclusion and directory traversal.
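
For comparison with the PMA_getPlugin() excerpt, the following added example shows one way to validate the format name before it is used in an include path. It is not phpMyAdmin's code or its actual fix; the function name `resolve_plugin_file`, the 64-character limit and the demo directory are assumptions made for illustration.

```php
<?php
// Added example: hypothetical hardened resolver, not phpMyAdmin's actual patch.
function resolve_plugin_file(string $plugin_type, $plugin_format, string $plugins_dir): ?string
{
    // Reject non-strings (e.g. what[]=...) and any character outside
    // [A-Za-z0-9_], so separators, dots and NUL bytes never reach the path.
    if (!is_string($plugin_format)
        || !preg_match('/\A[A-Za-z0-9_]{1,64}\z/', $plugin_format)) {
        return null;
    }
    // Same class-name construction as the excerpt.
    $class_name = ucfirst(strtolower($plugin_type)) . ucfirst(strtolower($plugin_format));

    // Defence in depth: canonicalise and require the result to stay inside
    // the plugin directory (also catches symlinks pointing elsewhere).
    $base = realpath($plugins_dir);
    if ($base === false) {
        return null;
    }
    $path = realpath($base . DIRECTORY_SEPARATOR . $class_name . '.class.php');
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ($path === false || strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return is_file($path) ? $path : null;
}

// Constructed demo: a temporary plugin directory holding one stub plugin.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . uniqid('plugins_demo_');
mkdir($dir);
file_put_contents($dir . '/ExportSql.class.php', "<?php // constructed stub\n");

// Constructed inputs: one legitimate format, then values that must be rejected.
foreach (['sql', 'x/../../outside', "sql\0", ['sql'], ''] as $what) {
    $resolved = resolve_plugin_file('export', $what, $dir);
    printf("%-24s => %s\n", json_encode($what), $resolved ?? 'rejected');
}

unlink($dir . '/ExportSql.class.php');
rmdir($dir);
```

A caller would pass only a non-null return value to `include_once` and treat `null` as an invalid export type.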