[Phpmyadmin-devel] Security issues

Michal Čihař michal at cihar.com
Thu Oct 14 03:23:38 CEST 2004 

Hi all

I guess we should handle a bit better security issues. These bugs should be 
announced with a bit more details (like when it is exploitable, which 
versions are affected and simmilar details). I'd like to have something 
simmilar, like xine has:

http://xinehq.de/index.php/security/

I wrote how announcement could look like for latest issue. Comments?

-- 
    Michal Čihař | http://cihar.com
-------------- next part --------------
phpMyAdmnin security announcement
=================================

Announcement-ID: PSA-2004-3

Summary:
When specifying specially formatted options to external MIME
transformation, an attacker can execute any shell command restricted by
privileges of httpd user.

Description:
phpMyAdmin allows to use MIME transformations for displaying fields from
database. These transformations are not enabled by default
(administrator needs to prepare special table for keeping some
information and specify it in configuration). One of these
transformations allows to pipe field content through external program
which needs to be hardcoded in php script.  However user can specify
parameters to that program and this parameter was not checked for shell
meta characters, so attacker could pass there anything from redirection
of output to executing any other command.

Severity:
In default setup this feature is not enabled and many hosting providers
run php in safe mode with disabled exec support, which both make them
unaffected by this issue. User also need to be logged in into
phpMyAdmin, what limites range of attackers to users of the server, who
usually also can execute php code directly, so this possibility doesn't
extend his privileges. However this could cause some harm, so we
consider this as important.

Affected versions:
All releases starting with 2.5.0 up to and including 2.6.0-pl1.

Unaffected versions:
All releases older than 2.5.0.
CVS HEAD has been fixed.
The upcoming 2.6.0-pl2 release.

Solution:
If you are vulnerable to this issue, easiest fix is to disable external
transformation - just remove file
libraries/transformations/text_plain__external.inc.php.
The attached patch fixes the problem but should only be used by
distributors who do not want to upgrade. Otherwise, we strongly advise
everyone to upgrade to CVS HEAD or to the next version of xine-ui, which
is to be released soon.

For further information and in case of questions, please contact the xine
team. Our website is http://www.phpmyadmin.net/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
URL: <http://lists.phpmyadmin.net/pipermail/developers/attachments/20041014/4abb382e/attachment.sig>

More information about the Developers mailing list