|
 |
| SecurityReason | ||
| WLB | ||
| Services | ||
| RSS | ||
| Corporate | ||
| Note | ||
If you have found a vulnerability, please send to our SecurityAlert Database : |
||
Home  SecurityAlert Database |
||||
SecurityAlert : 270 CVE : CVE-2005-4349 SecurityRisk : Low  (About) Remote Exploit : Yes Local Exploit : No Exploit Available : Yes Credit : lwang Published : 18.12.2005
Advisory Content : phpMyAdmin server_privileges.php SQL Injection Vulnerabilities. I. BACKGROUND phpMyAdmin is a tool written in PHP intended to handle the administration of MySQL over the Web. II. DESCRIPTION phpMyAdmin server_privileges.php is prone to SQL Injection vulnerability. A remote attacker may execute arbitrary SQL command by sending specially-crafted URI to server_privileges.php db_name or checkprivs parameter. III. PUBLISH DATE 2005-12-7 IV. AUTHOR lwang (at) lwang (dot) org [email concealed] V. AFFECTED SOFTWARE phpMyAdmin 2.7.0 is confirmed to affected. Older versions may also be affected. The following vendors distribute vulnerable phpMyAdmin package: The FreeBSD Project Gentoo Foundation Novell, Inc. (SuSE) The Debian Project (SuSE) VI. ANALYSIS in server_privileges.php line 27: if ( isset( $dbname ) ) { //if ( preg_match( '/\\(?:_|%)/i', $dbname ) ) { if ( preg_match( '/(?<!\\)(?:_|%)/i', $dbname ) ) { $dbname_is_wildcard = true; } else { $dbname_is_wildcard = false; } } parameter $dbname is not validate properly. line 1197: if (isset($viewing_mode) && $viewing_mode == 'db') { $db = $checkprivs; $url_query .= '&goto=db_operations.php'; // Gets the database structure $sub_part = '_structure'; require('./db_details_db_info.php'); echo "n"; } else { require('./server_links.inc.php'); } line 1241: if ( empty( $adduser ) && empty( $checkprivs ) ) { parameter $checkprivs not validate properly. VII. Proof of Concept http://victim/phpmyadmin/server_privileges.php?server=1&checkprivs=' http://victim/phpmyadmin/server_privileges.php?server=1&hostname='&usern ame=1&dbname=1&tablename=1 VIII. SOLUTION I have not contact the vendor, and no aware of any security patch till now. IX. REFERENCE http://www.phpmyadmin.net SecurityReason - UPDATE : phpMyAdmin's team answer to vulnerability announcement of Dec 17, 2005 --------------------------------------------------------------------------- ----- We don't think that this is a real threat. The server_privileges.php script checks at the beginning if the user is privileged. So, for this attack to work, the victim's phpMyAdmin installation would have to be set as to allow any user to auto-login as a privileged user! If this is the case, this phpMyAdmin installation is wide open and this situation has to be fixed by the person who configured phpMyAdmin. --------------------------------------------------------------------------  Feedback : If you have additional information or notice any errors regarding this security advisory, please use contact form or email us at info()securityreason()com. |
||||
| Alert | ||
libc:fts_*() Multiple Denial of Service
The fts functions are provided for traversing UNIX file hierarchies... |
||
| Apache |  |
|
» Apache Tomcat 6.0.20 and |
||
» Apache Tomcat 6.0.20 and |
||
» Apache Tomcat 6.0.20 and |
||
| PHP | |
|
» PHP 5.2.12/5.3.1 |
||
- 2009-10-02| Copyright © SecurityReason.com. All Rights Reserved. |