[Phpmyadmin-news] phpMyAdmin security alert (PMASA-2004-4)

Marc Delisle DelislMa at CollegeSherbrooke.qc.ca
Mon Dec 13 06:21:02 CET 2004

phpMyAdmin security announcement

    Announcement-ID: PMASA-2004-4
    Date: 2004-12-13

    Two  vulnerabilities  were found in phpMyAdmin, that may allow command
    execution and file disclosure.

    We  received  a security advisory from Nicolas Gregoire (exaprobe.com)
    about  those  vulnerabilities  and  we wish to thank him for his work.
    Both  vulnerabilites  can  be exploited only on a web server where PHP
    safe mode is off.
    The vulnerabilities apply to those points:
     1. Command  execution:  since phpMyAdmin 2.6.0-pl2, on a system where
        external MIME-based transformations are activated, an attacker can
        put into MySQL data an offensive value that starts a shell command
        when browsed.
     2. File  disclosure:  on  systems  where  the  UploadDir  mecanism is
        active, read_dump.php can be called with a crafted form; using the
        fact  that the sql_localfile variable is not sanitized can lead to
        a file disclosure.

    As  any  of  those vulnerabilites can be used for command execution or
    file  disclosure, we consider them to be serious (on servers where PHP
    safe mode is off).

    Affected versions:
    Command execution problem: since phpMyAdmin 2.6.0-pl2. File disclosure
    problem: vulnerable since at least version 2.4.0.

    Unaffected versions:
    CVS HEAD has been fixed. The 2.6.1-rc1 release.

    We strongly advise everyone to upgrade to version 2.6.1 when released.
    Meanwhile,  setting  PHP safe mode to on avoids those problems. If not
    feasible,  you  should  deactivate MIME-based external transformations
    and the UploadDir mecanism.


    For  further  information and in case of questions, please contact the
    phpMyAdmin team. Our website is http://www.phpmyadmin.net/.

More information about the News mailing list