PMASA-2004-4

Announcement-ID: PMASA-2004-4

Date: 2004-12-13

Summary

Two vulnerabilities were found in phpMyAdmin, that may allow command execution and file disclosure.

Description

We received a security advisory from Nicolas Gregoire (exaprobe.com) about those vulnerabilities and we wish to thank him for his work. Both vulnerabilites can be exploited only on a web server where PHP safe mode is off. The vulnerabilities apply to those points:

1. Command execution: since phpMyAdmin 2.6.0-pl2, on a system where external MIME-based transformations are activated, an attacker can put into MySQL data an offensive value that starts a shell command when browsed.
2. File disclosure: on systems where the UploadDir mecanism is active, read_dump.php can be called with a crafted form; using the fact that the sql_localfile variable is not sanitized can lead to a file disclosure.

Severity

As any of those vulnerabilites can be used for command execution or file disclosure, we consider them to be serious (on servers where PHP safe mode is off).

Affected Versions

Command execution problem: since phpMyAdmin 2.6.0-pl2. File disclosure problem: vulnerable since at least version 2.4.0.

Unaffected Versions

CVS HEAD has been fixed. The 2.6.1-rc1 release.

Solution

We strongly advise everyone to upgrade to version 2.6.1 when released. Meanwhile, setting PHP safe mode to on avoids those problems. If not feasible, you should deactivate MIME-based external transformations and the UploadDir mecanism.

References

http://www.exaprobe.com/labs/advisories/esa-2004-1213.html

Assigned CVE ids: CVE-2004-1147 CVE-2004-1148

CWE ids: CWE-661 CWE-94

Patches

The following commits have been made to fix this issue:

• 1d170eefbf3b07c6bd968d9905a419aaf3aeedf0
• f1f39b8ed115c5cfbd18d3dca5fad1707beb00f2

More information

For further information and in case of questions, please contact the phpMyAdmin team. Our website is phpmyadmin.net.

Announcements