phpMyAdmin security announcement
_________________________________________________________________
Announcement-ID: PMASA-2004-4
Date: 2004-12-13
Summary:
Two vulnerabilities were found in phpMyAdmin that may allow command
execution and file disclosure.
Description:
We received a security advisory from Nicolas Gregoire (exaprobe.com)
about those vulnerabilities and we wish to thank him for his work.
Both vulnerabilities can be exploited only on a web server where PHP
safe mode is off.
The vulnerabilities apply to those points:
1. Command execution: since phpMyAdmin 2.6.0-pl2, on a system where
external MIME-based transformations are activated, an attacker can
put into MySQL data an offensive value that starts a shell command
when browsed.
2. File disclosure: on systems where the UploadDir mechanism is
active, read_dump.php can be called with a crafted form; using the
fact that the sql_localfile variable is not sanitized can lead to
a file disclosure.
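As an added illustration (not phpMyAdmin's own code), the kind of check an unsanitized sql_localfile value needs: a requested dump name must resolve to a file strictly inside UploadDir, or be refused. The directory path and the function names are assumptions.

```python
import os
from typing import Optional

# Constructed example directory; the real value is whatever
# $cfg['UploadDir'] is set to in config.inc.php.
UPLOAD_DIR = "/srv/pma/upload"


def naive_upload_path(upload_dir: str, requested: str) -> str:
    """The unsanitized pattern: the user-supplied name is joined to the
    directory as-is, so "../" segments or an absolute name leave the tree."""
    return os.path.join(upload_dir, requested)


def resolve_upload_file(upload_dir: str, requested: str) -> Optional[str]:
    """Hardened form (hypothetical helper, not phpMyAdmin's code).

    Returns the resolved absolute path of `requested` only if it lies
    strictly inside `upload_dir`; otherwise returns None.
    """
    if not requested or "\0" in requested:
        return None
    # A dump must be named relative to UploadDir; refuse absolute names.
    if os.path.isabs(requested):
        return None
    base = os.path.realpath(upload_dir)
    # realpath collapses "../" and follows symlinks, so a symlink placed in
    # the upload directory that points elsewhere is rejected as well.
    candidate = os.path.realpath(os.path.join(base, requested))
    # commonpath compares whole path components, so "/srv/pma/upload_x" is
    # not mistaken for a child of "/srv/pma/upload"; the directory itself
    # is not a loadable dump either.
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        return None
    return candidate
```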
Severity:
As any of those vulnerabilities can be used for command execution or
file disclosure, we consider them to be serious (on servers where PHP
safe mode is off).
Affected versions:
Command execution problem: since phpMyAdmin 2.6.0-pl2. File disclosure
problem: vulnerable since at least version 2.4.0.
Unaffected versions:
CVS HEAD and the 2.6.1-rc1 release have been fixed.
Solution:
We strongly advise everyone to upgrade to version 2.6.1 when released.
Meanwhile, setting PHP safe mode to on avoids those problems. If that is
not feasible, you should deactivate MIME-based external transformations
and the UploadDir mechanism.
Reference:
http://www.exaprobe.com/labs/advisories/esa-2004-1213.html
For further information and in case of questions, please contact the
phpMyAdmin team. Our website is http://www.phpmyadmin.net/.
phpMyAdmin 2.6.1-rc1 - December 12th, 2004
==========================================
A set of PHP-scripts to administrate MySQL over the Web.
--------------------------------------------------------
Announcement
------------
The phpMyAdmin Project is proud to announce the immediate
availability of the first release candidate of phpMyAdmin 2.6.1.
Almost three months have passed since 2.6.0, although three patch releases
were made to take care of several security alerts we received. In 2.6.1
there are two more security fixes (and the official alert will be published
in a few days). As a consequence of one of these fixes, if you want to use
MIME-based external transformations you have to use a PHP version of 4.3.0
or later.
A big speed improvement for users of the "cookie" authentication type
is included in 2.6.1-rc1, but you must be running on a Web server with
the mcrypt PHP module.
Another improvement worth mentioning, which relates to a new feature
offered on MySQL 4.1.2+: on multi-user installations, the control user
no longer needs to have any rights to the "mysql" db. It is now only used
to access the linked-tables infrastructure (pmadb).
Please note that it is not recommended to run this testing release on
production environments.
phpMyAdmin is a web administration tool for MySQL databases, intended to
handle a whole database server as well as a single database. Over the years,
it has become the most popular GUI for MySQL and is downloaded about 6,000
times a day, according to SourceForge.net.
The highlights of this release in detail:
Highlights
----------
Upgrade note:
* Using external transformations now requires PHP > 4.3.0
Improvements:
* Big speed improvement (if using auth_type = 'cookie') by using the
mcrypt library (if available on your system)
* Improved wording when adding fields
* (mysqli) support for compressed protocol and CLIENT_LOCAL_FILES
* Clickable active server in left panel
* Improved ANSI mode in various scripts
* Hints added (light bulb)
* Database copying
* New Database Operations tab
* Optional simple blocking of root login
* Binary log display
* Index creating on multiple fields
* Improved displaying of messages below tabs
* Handle MySQL "duplicate entry" error
* User list: top index for user initials
* Support for OLD_PASSWORD() function
* Under MySQL 4.1.2+, we no longer need the control user to have
rights over the "mysql" db
* New checks for common index problems
* Upload: show filename of uploaded file
* Improved page selector when browsing foreign table values
* Improved handling of InnoDB constraints
* Speed up display of the left panel when the PMA infrastructure is used
* New message "no activity..."
Fixes:
* Security fix against some crafted data allowing arbitrary program
execution (if PHP safe mode is off and external transformations are
activated)
* Security fix against a possible attack on read_dump.php
(if PHP safe mode is off)
* Incorrect appending of LIMIT to queries
* Export: insufficient space to save
* Export: convert end of line chars we get from MySQL
* Wrong double column sort (with JOIN)
* Export: (mysqli) some fields wrongly exported as BINARY
* Illegal mix of collations for converted strings
* Wrong tabbing from value to value
* Allow work on temporary tables
* UNIX_TIMESTAMP and optional parameter
* Export: improved zip headers
* 0 as field name caused problems
* Incorrect handling when no default server defined
* Export: Use just for SQL exports
* Comments and multi-table selects
* Security: deactivate the list of programs for external transformations
* Incorrect handling of OFFSET
* Better displaying of table-specific privileges for a db containing
an escaped character
* Since 2.6.0-pl3, connecting on a non-standard HTTP port did not work
A detailed list of changes since version 2.2.0 is available at
http://www.phpmyadmin.net/ChangeLog.txt
Availability
------------
This software is available under the GNU General Public License V2.0.
You can get the newest version at http://www.phpmyadmin.net/
Available file formats are: .zip, .tar.gz and .tar.bz2.
If you install phpMyAdmin on your system, it's recommended to
subscribe to the news mailing list by adding your address under
http://lists.sourceforge.net/lists/listinfo/phpmyadmin-news
This way, you will be informed of new updates and security fixes.
It is a read-only list, and traffic is no more than a few
mails every year.
Support and Documentation
-------------------------
The documentation is included in the software package as text and
HTML file, but can also be downloaded from:
http://www.phpmyadmin.net/documentation/
The software is provided as is without any express or implied
warranty, but there is a bugs tracker page under:
http://sourceforge.net/projects/phpmyadmin/ [click on "Bugs"]
In addition, there are also a number of discussion lists
related to phpMyAdmin. A list of mailing lists with archives
is available at:
http://sourceforge.net/mail/?group_id=23067 or
http://sourceforge.net/projects/phpmyadmin/ [click on "Lists"]
Finally, a users' support forum is also available at:
http://sourceforge.net/forum/forum.php?forum_id=72909
Known bugs
----------
- phpMyAdmin SQL parser chokes on fieldnames with certain non-ASCII characters
(bugs #593598, #936161).
To be informed about new releases fixing these problems, please
subscribe to the news mailing list under
http://lists.sourceforge.net/lists/listinfo/phpmyadmin-news
or regularly check the sourceforge bugs tracker.
Donations
---------
The project accepts donations to help improve the product. There is
a "Donations" link on http://www.phpmyadmin.net.
Description
-----------
phpMyAdmin is intended to handle the administration of MySQL over the Web. It
can manage a whole MySQL server as well as a single database.
Currently it can:
- create, copy and drop databases
- create, copy, drop, rename and alter tables
- do table maintenance
- delete, edit and add fields
- execute any SQL-statement, even batch-queries
- manage keys on fields
- load text files into tables
- create and read dumps of tables
- export data to CSV, XML and Latex formats
- administer multiple servers
- manage MySQL users and privileges
- check referential integrity
- using Query-by-example (QBE), create complex queries automatically
connecting required tables
- create PDF graphics of your Database layout
- search globally in a database or a subset of it
- communicate in 47 different languages
Authors & Copyright
-------------------
Copyright (C) 1998-2000 Tobias Ratschiller <tobias_at_ratschiller.com>
Copyright (C) 2001-2004 Marc Delisle <DelislMa_at_CollegeSherbrooke.qc.ca>
Olivier Müller <om_at_omnis.ch>
Robin Johnson <robbat2_at_users.sourceforge.net>
Alexander M. Turek <me_at_derrabus.de>
Michal Cihar <michal_at_cihar.com>
Garvin Hicking <me_at_supergarv.de>
Marcel Tschopp <ne0x_at_users.sourceforge.net>
+ many other people
(check the CREDITS section of our documentation)
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
Marc Delisle/ 2004-12-12