[Phpmyadmin-devel] Security issues

Marc Delisle DelislMa at CollegeSherbrooke.qc.ca
Thu Oct 14 05:49:06 CEST 2004


Marc Delisle wrote:

> Hi Michal,
> Good work! except I would remove the references to xine ;)
> 
> I can post this in a few hours, as a news item with a reference to 
> Documentation.html
> where we already have a security section.
> 
> Marc
> 
> Michal Čihař wrote:
> 
>> Hi all
>>
>> I guess we should handle security issues a bit better. These bugs 
>> should be announced with a bit more detail (like when it is 
>> exploitable, which versions are affected and similar details). I'd 
>> like to have something similar to what xine has:
>>
>> http://xinehq.de/index.php/security/
>>
>> I wrote up how an announcement could look for the latest issue. Comments?
>>
>>
>>
>> ------------------------------------------------------------------------
>>
>> phpMyAdmin security announcement
>> ================================
>>
>> Announcement-ID: PSA-2004-3
>>
>> Summary:
>> When specifying specially formatted options to the external MIME
>> transformation, an attacker can execute any shell command, restricted only
>> by the privileges of the httpd user.
>>
>> Description:
>> phpMyAdmin allows the use of MIME transformations for displaying fields
>> from the database. These transformations are not enabled by default
>> (the administrator needs to prepare a special table for keeping some
>> information and specify it in the configuration). One of these
>> transformations allows piping field content through an external program,
>> which needs to be hard-coded in the PHP script. However, the user can
>> specify parameters to that program, and this parameter was not checked for
>> shell metacharacters, so an attacker could pass there anything from
>> redirection of output to execution of any other command.
>>
>> Severity:
>> In the default setup this feature is not enabled, and many hosting
>> providers run PHP in safe mode with exec support disabled, both of which
>> make them unaffected by this issue. The user also needs to be logged in to
>> phpMyAdmin, which limits the range of attackers to users of the server, who
>> usually can also execute PHP code directly, so this possibility doesn't
>> extend their privileges. However, this could cause some harm, so we
>> consider this important.
>>
>> Affected versions:
>> All releases starting with 2.5.0 up to and including 2.6.0-pl1.
>>
>> Unaffected versions:
>> All releases older than 2.5.0.
>> CVS HEAD has been fixed.
>> The upcoming 2.6.0-pl2 release.
>>
>> Solution:
>> If you are vulnerable to this issue, the easiest fix is to disable the
>> external transformation: just remove the file
>> libraries/transformations/text_plain__external.inc.php.
>> The attached patch fixes the problem but should only be used by
>> distributors who do not want to upgrade. Otherwise, we strongly advise
>> everyone to upgrade to CVS HEAD or to the next version of xine-ui, which
>> is to be released soon.
>>
>> For further information and in case of questions, please contact the xine
>> team. Our website is http://www.phpmyadmin.net/

I am not sure if we should talk about "CVS HEAD" in such a message. Maybe
just talk about the latest CVS version?

Marc
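The defect the draft advisory describes is a user-controlled option string concatenated into a shell command line. The following is a constructed illustration added here, not phpMyAdmin's own code: the program path and option values are placeholders, and the vulnerable and hardened builders are shown side by side with a pre-execution metacharacter check.

```php
<?php
// Constructed illustration, not phpMyAdmin's own code. It mirrors the shape the
// advisory describes: $program is hard-coded in the script, while the
// transformation option ($options) is user-controlled.

// Vulnerable shape: the option is concatenated into the command line as-is, so
// /bin/sh interprets any metacharacters it contains.
function build_command_vulnerable(string $program, string $options): string
{
    return $program . ' ' . $options;
}

// Hardened shape: escapeshellarg() single-quotes the option and escapes any
// embedded quotes, so the shell receives it as exactly one literal argument.
// The program itself is never taken from user input.
function build_command_safe(string $program, string $options): string
{
    return $program . ' ' . escapeshellarg($options);
}

// Check applied before anything is executed: flag (and log or reject) option
// strings containing characters that have meaning to /bin/sh. Allow-listing the
// option syntax you actually expect is stricter still.
function has_shell_metachars(string $options): bool
{
    return preg_match('/[;&|`$<>()\\\\\r\n\'"]/', $options) === 1;
}

// Constructed sample values; the program path is a placeholder, not a file
// phpMyAdmin ships.
$program = '/usr/local/bin/convert-field';
$samples = [
    'benign'  => '--width=80',
    'suspect' => '--width=80; echo injected',
];

foreach ($samples as $label => $options) {
    printf("[%s] metachars=%s\n", $label, has_shell_metachars($options) ? 'yes' : 'no');
    printf("  vulnerable: %s\n", build_command_vulnerable($program, $options));
    printf("  safe:       %s\n", build_command_safe($program, $options));
}
```

For the "suspect" sample the vulnerable builder yields a line in which the shell would run a second command, while the safe builder passes the whole string as a single quoted argument to the hard-coded program.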