News

Download

news@phpmyadmin.net

December 2004

1 participants
2 discussions

[Phpmyadmin-news] phpMyAdmin security alert (PMASA-2004-4)
by Marc Delisle 13 Dec '04

13 Dec '04

phpMyAdmin security announcement _________________________________________________________________ Announcement-ID: PMASA-2004-4 Date: 2004-12-13 Summary: Two vulnerabilities were found in phpMyAdmin, that may allow command execution and file disclosure. Description: We received a security advisory from Nicolas Gregoire (exaprobe.com) about those vulnerabilities and we wish to thank him for his work. Both vulnerabilites can be exploited only on a web server where PHP safe mode is off. The vulnerabilities apply to those points: 1. Command execution: since phpMyAdmin 2.6.0-pl2, on a system where external MIME-based transformations are activated, an attacker can put into MySQL data an offensive value that starts a shell command when browsed. 2. File disclosure: on systems where the UploadDir mecanism is active, read_dump.php can be called with a crafted form; using the fact that the sql_localfile variable is not sanitized can lead to a file disclosure. Severity: As any of those vulnerabilites can be used for command execution or file disclosure, we consider them to be serious (on servers where PHP safe mode is off). Affected versions: Command execution problem: since phpMyAdmin 2.6.0-pl2. File disclosure problem: vulnerable since at least version 2.4.0. Unaffected versions: CVS HEAD has been fixed. The 2.6.1-rc1 release. Solution: We strongly advise everyone to upgrade to version 2.6.1 when released. Meanwhile, setting PHP safe mode to on avoids those problems. If not feasible, you should deactivate MIME-based external transformations and the UploadDir mecanism. Reference: http://www.exaprobe.com/labs/advisories/esa-2004-1213.html For further information and in case of questions, please contact the phpMyAdmin team. Our website is http://www.phpmyadmin.net/.

1 0

[Phpmyadmin-news] phpMyAdmin 2.6.1-rc1 is released
by Marc Delisle 12 Dec '04

12 Dec '04

_ __ __ _ _ _ _ __ | |__ _ __ | \/ |_ _ / \ __| |_ __ ___ (_)_ __ | "_ \| "_ \| "_ \| |\/| | | | | / _ \ / _` | "_ ` _ \| | "_ \ | |_) | | | | |_) | | | | |_| |/ ___ \ (_| | | | | | | | | | | | .__/|_| |_| .__/|_| |_|\__, /_/ \_\__,_|_| |_| |_|_|_| |_| |_| |_| |___/ 2.6.1-rc1 http://www.phpmyadmin.net phpMyAdmin 2.6.1-rc1 - December 12th, 2004 ========================================== A set of PHP-scripts to administrate MySQL over the Web. -------------------------------------------------------- Announcement ------------ The phpMyAdmin Project is proud to announce the immediate availability of the first release candidate of phpMyAdmin 2.6.1. Almost three months have passed since 2.6.0, although three patch releases were made to take care of several security alerts we received. In 2.6.1 there are two more security fixes (and the official alert will be published in a few days). As a consequence of one of these fixes, if you want to use MIME-based external transformations you have to use a PHP version of 4.3.0 or later. A big speed improvement for users of the "cookie" authentication type is included in 2.6.1-rc1, but you must be running on a Web server with the mcrypt PHP module. Another improvement worth mentionning, which relates to a new feature offered on MySQL 4.1.2+: on multi-user installations, the control user no longer needs to have any rights to the "mysql" db. It is now only used to access the linked-tables infrastructure (pmadb). Please note that it is not recommended to run this testing release on production environments. phpMyAdmin is a web administration tool for MySQL databases, intended to handle a whole database server as well as a single database. Over the years, it has become the most popular GUI for MySQL and is downloaded about 6,000 times a day, according to SourceForge.net. The highlights of this release in detail: Highlights ---------- Upgrade note: * Using external transformations now requires PHP > 4.3.0 Improvements: * Big speed improvement (if using auth_type = 'cookie') by using the mcrypt library (if available on your system) * Improved wording when adding fields * (mysqli) support for compressed protocol and CLIENT_LOCAL_FILES * Clickable active server in left panel * Improved ANSI mode in various scripts * Hints added (light bulb) * Database copying * New Database Operations tab * Optional simple blocking of root login * Binary log display * Index creating on multiple fields * Improved displaying of messages below tabs * Handle MySQL "duplicate entry" error * User list: top index for user initials * Support for OLD_PASSWORD() function * Under MySQL 4.1.2+, we no longer need the control user to have rights over the "mysql" db * New checks for common index problems * Upload: show filename of uploaded file * Improved page selector when browsing foreign table values * Improved handling of InnoDB constraints * Speed up display for left panel with PMA infrastructure is used * New message "no activity..." Fixes: * Security fix against some crafted data allowing arbitrary program execution (if PHP safe mode is off and external transformations are activated) * Security fix against a possible attack on read_dump.php (if PHP safe mode is off) * Incorrect appending of LIMIT to queries * Export: insufficient space to save * Export: convert end of line chars we get from MySQL * Wrong double column sort (with JOIN) * Export: (mysqli) some fields wrongly exported as BINARY * Illegal mix of collations for converted strings * Wrong tabbing from value to value * Allow work on temporary tables * UNIX_TIMESTAMP and optional parameter * Export: improved zip headers * 0 as field name caused problems * Incorrect handling when no default server defined * Export: Use just for SQL exports * Comments and multi-table selects * Security: deactivate the list of programs for external transformations * Incorrect handling of OFFSET * Better displaying of table-specific privileges for a db containing an escaped character * Since 2.6.0-pl3, connecting on a non-standard HTTP port did not work Detailed list of changes since version 2.2.0 is available under http://www.phpmyadmin.net/ChangeLog.txt Availability ------------ This software is available under the GNU General Public License V2.0. You can get the newest version at http://www.phpmyadmin.net/ Available file formats are: .zip, .tar.gz and .tar.bz2. If you install phpMyAdmin on your system, it's recommended to subscribe to the news mailing list by adding your address under http://lists.sourceforge.net/lists/listinfo/phpmyadmin-news This way, you will be informed of new updates and security fixes. It is a read only list, and traffic is not greater than a few mail every year. Support and Documentation ------------------------- The documentation is included in the software package as text and HTML file, but can also be downloaded from: http://www.phpmyadmin.net/documentation/ The software is provided as is without any express or implied warranty, but there is a bugs tracker page under: http://sourceforge.net/projects/phpmyadmin/ [click on "Bugs"] In addition, there are also a number of discussion lists related to phpMyAdmin. A list of mailing lists with archives is available at: http://sourceforge.net/mail/?group_id=23067 or http://sourceforge.net/projects/phpmyadmin/ [click on "Lists"] Finally, an users support forum is also available under: http://sourceforge.net/forum/forum.php?forum_id=72909 Known bugs ---------- - phpMyAdmin SQL parser chokes on fieldnames with certain non-ASCII characters (bugs #593598, #936161). To be informed about new releases fixing these problems, please subscribe to the news mailing list under http://lists.sourceforge.net/lists/listinfo/phpmyadmin-news or regularly check the sourceforge bugs tracker. Donations --------- The project accepts donations to help improve the product. There is a "Donations" link on http://www.phpmyadmin.net. Description ----------- phpMyAdmin is intended to handle the administration of MySQL over the Web. It can manage a whole MySQL server as well as a single database. Currently it can: - create, copy and drop databases - create, copy, drop, rename and alter tables - do table maintenance - delete, edit and add fields - execute any SQL-statement, even batch-queries - manage keys on fields - load text files into tables - create and read dumps of tables - export data to CSV, XML and Latex formats - administer multiple servers - manage MySQL users and privileges - check referential integrity - using Query-by-example (QBE), create complex queries automatically connecting required tables - create PDF graphics of your Database layout - search globally in a database or a subset of it - communicate in 47 different languages Authors & Copyright ------------------- Copyright (C) 1998-2000 Tobias Ratschiller <tobias_at_ratschiller.com> Copyright (C) 2001-2004 Marc Delisle <DelislMa_at_CollegeSherbrooke.qc.ca> Olivier Müller <om_at_omnis.ch> Robin Johnson <robbat2_at_users.sourceforge.net> Alexander M. Turek <me_at_derrabus.de> Michal Cihar <michal_at_cihar.com> Garvin Hicking <me_at_supergarv.de> Marcel Tschopp <ne0x_at_users.sourceforge.net> + many other people (check the CREDITS section of our documentation) This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA Marc Delisle/ 2004-12-12

1 0