
phpMyAdmin security announcement
_________________________________________________________________

Announcement-ID: PMASA-2004-4

Date: 2004-12-13

Summary:
Two vulnerabilities were found in phpMyAdmin that may allow command execution and file disclosure.

Description:
We received a security advisory from Nicolas Gregoire (exaprobe.com) about those vulnerabilities and we wish to thank him for his work.

Both vulnerabilities can be exploited only on a web server where PHP safe mode is off. The vulnerabilities apply to these points:

1. Command execution: since phpMyAdmin 2.6.0-pl2, on a system where external MIME-based transformations are activated, an attacker can put into MySQL data an offensive value that starts a shell command when browsed.

2. File disclosure: on systems where the UploadDir mechanism is active, read_dump.php can be called with a crafted form; because the sql_localfile variable is not sanitized, this can lead to a file disclosure.

Severity:
As either of these vulnerabilities can be used for command execution or file disclosure, we consider them to be serious (on servers where PHP safe mode is off).

Affected versions:
Command execution problem: since phpMyAdmin 2.6.0-pl2.
File disclosure problem: vulnerable since at least version 2.4.0.

Unaffected versions:
CVS HEAD has been fixed.
The 2.6.1-rc1 release.

Solution:
We strongly advise everyone to upgrade to version 2.6.1 when released. Meanwhile, setting PHP safe mode to on avoids these problems. If that is not feasible, you should deactivate MIME-based external transformations and the UploadDir mechanism.

Reference:
http://www.exaprobe.com/labs/advisories/esa-2004-1213.html

For further information and in case of questions, please contact the phpMyAdmin team. Our website is http://www.phpmyadmin.net/.
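The file disclosure item above comes down to a user-supplied file name (sql_localfile) being read without being confined to UploadDir. The following is an added illustration of that confinement check, written for this page and not taken from phpMyAdmin's own fix; the function name, the temporary directory and the sample dump file are constructed for the demonstration.

```php
<?php
// Added example (not phpMyAdmin code): confine a user-supplied file name
// to the configured UploadDir before reading it, so a read_dump.php-style
// "local file" parameter cannot be used to disclose arbitrary files.

/**
 * Return the canonical path of $userFile inside $uploadDir, or null if the
 * request is not a plain file that lives directly in that directory.
 */
function resolveUploadDirFile(string $uploadDir, string $userFile): ?string
{
    // Reject NUL bytes first: they truncate paths in C-level file functions.
    if ($userFile === '' || strpos($userFile, "\0") !== false) {
        return null;
    }
    // Reject anything that is not a bare file name (no slashes, no "..").
    if ($userFile !== basename($userFile) || $userFile === '..') {
        return null;
    }

    $base = realpath($uploadDir);
    if ($base === false || !is_dir($base)) {
        return null; // UploadDir does not point at a real directory
    }

    // realpath() follows symlinks, so a link planted inside UploadDir that
    // points elsewhere is caught by the prefix check below.
    $full = realpath($base . DIRECTORY_SEPARATOR . $userFile);
    if ($full === false || !is_file($full)) {
        return null;
    }
    if (strncmp($full, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null; // resolved outside UploadDir
    }
    return $full;
}

// Constructed demonstration: a throwaway UploadDir holding one dump file.
$uploadDir = sys_get_temp_dir() . '/pma_upload_' . getmypid();
mkdir($uploadDir, 0700);
file_put_contents("$uploadDir/dump.sql", "SELECT 1;\n");

foreach (['dump.sql', '../../etc/passwd', '/etc/passwd', "dump.sql\0x"] as $name) {
    $resolved = resolveUploadDirFile($uploadDir, $name);
    echo str_replace("\0", '\0', $name), ' => ', $resolved ?? 'rejected', "\n";
}

unlink("$uploadDir/dump.sql");
rmdir($uploadDir);
```

Only the first name resolves to a path under the temporary UploadDir; the traversal, absolute and NUL-containing names are rejected before any file is opened.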