[Phpmyadmin-devel] Security issues

Michal Čihař michal at cihar.com
Thu Oct 14 05:54:42 CEST 2004


On Thu 14. 10. 2004 14:25, Marc Delisle wrote:
> Good work! except I would remove the references to xine ;)

Oops, sure, it was just an example :-). Fixed version attached.

> I can post this in a few hours, as a news item with a reference to
> Documentation.html where we already have a security section.

I'd drop it and replace all this stuff with a link to the security section on
our web. Documentation simply can't cover bugs that will appear later, so you
usually need actual information for security issues.

-- 
    Michal Čihař | http://cihar.com
-------------- next part --------------
phpMyAdmin security announcement
================================

Announcement-ID: PSA-2004-3

Summary:
By specifying specially formatted options to the external MIME
transformation, an attacker can execute any shell command, restricted by
the privileges of the httpd user.

Description:
phpMyAdmin allows the use of MIME transformations for displaying fields
from the database. These transformations are not enabled by default
(the administrator needs to prepare a special table for keeping some
information and specify it in the configuration). One of these
transformations allows piping field content through an external program,
which needs to be hardcoded in the PHP script. However, the user can
specify parameters to that program, and these parameters were not checked
for shell metacharacters, so an attacker could pass anything there, from
redirection of output to executing any other command.

Severity:
In the default setup this feature is not enabled, and many hosting
providers run PHP in safe mode with exec support disabled, both of which
make them unaffected by this issue. The user also needs to be logged in
to phpMyAdmin, which limits the range of attackers to users of the
server, who usually can also execute PHP code directly, so this
possibility doesn't extend their privileges. However, this could cause
some harm, so we consider this important.

Affected versions:
All releases starting with 2.5.0 up to and including 2.6.0-pl1.

Unaffected versions:
All releases older than 2.5.0.
CVS HEAD has been fixed.
The upcoming 2.6.0-pl2 release.

Solution:
If you are vulnerable to this issue, the easiest fix is to disable the
external transformation: just remove the file
libraries/transformations/text_plain__external.inc.php. The attached
patch fixes the problem but should only be used by distributors who do
not want to upgrade. Otherwise, we strongly advise everyone to upgrade
to CVS HEAD or to the next version of phpMyAdmin, which is to be
released soon.

For further information and in case of questions, please contact the
phpMyAdmin team. Our website is http://www.phpmyadmin.net/.
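
The flaw class described in the announcement, as an added example that is not part of the original message, the attached patch or phpMyAdmin's code: a hardcoded program receives user-supplied options, first pasted into a shell command line and then quoted word by word. The program path, the function names and the sample options are assumptions constructed for illustration.

```php
<?php
// Added illustration, not phpMyAdmin code. All names here are hypothetical.

// The program is fixed in the script; only its options come from the user.
// Assumption: a Unix-like host with tr at this path.
const PROGRAM = '/usr/bin/tr';

// Vulnerable pattern: user options are pasted into the shell command line,
// so ";", "|", ">" and backticks keep their shell meaning.
function build_command_unsafe(string $options): string
{
    return PROGRAM . ' ' . $options;
}

// Hardened pattern: split the options into words and quote each one, so the
// shell passes every word to the program as a literal argument.
function build_command_safe(string $options): string
{
    $words = preg_split('/\s+/', trim($options), -1, PREG_SPLIT_NO_EMPTY);
    return PROGRAM . ' ' . implode(' ', array_map('escapeshellarg', $words));
}

// Pipe the field content through the command and return its stdout.
function run_filter(string $command, string $field): string
{
    $spec = [0 => ['pipe', 'r'], 1 => ['pipe', 'w']];
    $proc = proc_open($command, $spec, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start external program');
    }
    @fwrite($pipes[0], $field); // the program may exit before reading stdin
    fclose($pipes[0]);
    $output = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    proc_close($proc);
    return $output;
}

// Constructed sample input: valid tr options followed by a harmless marker.
$options = 'a-z A-Z; echo INJECTED';
$field   = "hello\n";

foreach (['unsafe' => 'build_command_unsafe', 'safe' => 'build_command_safe'] as $label => $build) {
    $command = $build($options);
    echo "[$label] command: $command\n";
    echo "[$label] output:  " . json_encode(run_filter($command, $field)) . "\n";
}
```

Quoting only stops the shell from interpreting the options; the program still receives user-chosen arguments, so restricting which options are accepted is a separate decision.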
