[Phpmyadmin-devel] Security issues
DelislMa at CollegeSherbrooke.qc.ca
Thu Oct 14 05:33:49 CEST 2004
Good work! except I would remove the references to xine ;)
I can post this in a few hours, as a news item with a reference to Documentation.html
where we already have a security section.
Michal Čihař wrote:
> Hi all
> I guess we should handle a bit better security issues. These bugs should be
> announced with a bit more details (like when it is exploitable, which
> versions are affected and similar details). I'd like to have something
> similar, like xine has:
> I wrote how announcement could look like for latest issue. Comments?
> phpMyAdmin security announcement
> Announcement-ID: PSA-2004-3
> When specifying specially formatted options to external MIME
> transformation, an attacker can execute any shell command restricted by
> privileges of httpd user.
> phpMyAdmin allows to use MIME transformations for displaying fields from
> database. These transformations are not enabled by default
> (administrator needs to prepare special table for keeping some
> information and specify it in configuration). One of these
> transformations allows to pipe field content through external program
> which needs to be hardcoded in php script. However user can specify
> parameters to that program and this parameter was not checked for shell
> meta characters, so attacker could pass there anything from redirection
> of output to executing any other command.
> In default setup this feature is not enabled and many hosting providers
> run php in safe mode with disabled exec support, which both make them
> unaffected by this issue. User also needs to be logged in to
> phpMyAdmin, which limits the range of attackers to users of the server, who
> usually also can execute php code directly, so this possibility doesn't
> extend his privileges. However this could cause some harm, so we
> consider this as important.
> Affected versions:
> All releases starting with 2.5.0 up to and including 2.6.0-pl1.
> Unaffected versions:
> All releases older than 2.5.0.
> CVS HEAD has been fixed.
> The upcoming 2.6.0-pl2 release.
> If you are vulnerable to this issue, easiest fix is to disable external
> transformation - just remove file
> The attached patch fixes the problem but should only be used by
> distributors who do not want to upgrade. Otherwise, we strongly advise
> everyone to upgrade to CVS HEAD or to the next version of xine-ui, which
> is to be released soon.
> For further information and in case of questions, please contact the xine
> team. Our website is http://www.phpmyadmin.net/
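
The quoted draft describes user-supplied options reaching a shell without a check for meta characters. The PHP below is an added example, not part of this thread and not phpMyAdmin's code; it contrasts that pattern with quoting each option through escapeshellarg(). The program path /bin/cat, the function names and the sample options string are assumptions made for the illustration.

```php
<?php
// Added illustration, not phpMyAdmin code. PROGRAM stands in for the
// hardcoded external program and $options for the user-set transformation
// options (both hypothetical). Assumes a Unix-like host with /bin/cat.
const PROGRAM = '/bin/cat';

// Run a shell command line, feed $field to its stdin, return its stdout.
function pipe_through(string $cmdline, string $field): string
{
    $spec = [
        0 => ['pipe', 'r'],
        1 => ['pipe', 'w'],
        2 => ['file', '/dev/null', 'w'],
    ];
    $proc = proc_open($cmdline, $spec, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('proc_open failed');
    }
    fwrite($pipes[0], $field);
    fclose($pipes[0]);
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    proc_close($proc);
    return $out;
}

// Pattern from the announcement: options reach the shell unchecked, so
// ';', '|', '>' and similar characters keep their shell meaning.
function transform_unsafe(string $field, string $options): string
{
    return pipe_through(PROGRAM . ' ' . $options, $field);
}

// Hardened: every option word is quoted, so the shell hands it to the
// program as one literal argument and interprets nothing inside it.
function transform_safe(string $field, string $options): string
{
    $words = preg_split('/\s+/', $options, -1, PREG_SPLIT_NO_EMPTY);
    $args = implode(' ', array_map('escapeshellarg', $words));
    return pipe_through(escapeshellarg(PROGRAM) . ' ' . $args, $field);
}

$options = '-n; echo INJECTED'; // constructed sample input
// True when the shell ran the text after ';' as a second command.
var_dump(strpos(transform_unsafe("hello\n", $options), 'INJECTED') !== false);
var_dump(strpos(transform_safe("hello\n", $options), 'INJECTED') !== false);
```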