Bugtraq mailing list archives

Re: PhpMyAdmin 2.1.0


From: "Angus" <lists () TTDproduction com>
Date: Mon, 2 Jul 2001 12:49:16 +0200

(sorry if you receive this message twice).

About the PhpMyadmin Exploit :

It doesn't work with my configuration:
I'm using PhpMyadmin 2.1.0 and I've modified sql.php3 and
tbl_replace.php3 to correct a previous bug (I'm also using adv_auth).

** sql.php3 **
if($num_rows < 1)
    {
        if(file_exists("./$goto"))
        {
            include("header.inc.php3");
            if(isset($zero_rows) && !empty($zero_rows))
                $message = $zero_rows;
            else
                $message = $strEmptyResultSet;
            include(preg_replace('/\.\.*/', '.', $goto));
        }

instead of:

if(file_exists("$goto"))
...

Regards,
Such Paul


I. The phpMyAdmin 2.1.0 holes

There are two include() holes in phpMyAdmin 2.1.0 - this is the latest version
but it may work on the older ones.
These two holes can be reached with something like this:

http://www.victim.com/phpMyAdmin/sql.php?goto=/etc/passwd&btnDrop=No (*)
and
http://www.victim.com/phpMyAdmin/tbl_replace.php?db=test&table=ess&goto=/etc/passwd

Of course, to exploit these holes, the attacker needs to be logged on to the remote
phpMyAdmin.

These holes come from a line like this: 'include($goto);' in sql.php and in
tbl_replace.php.
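
A stricter way to handle the `goto` parameter than the `include($goto);` line quoted above, as an added example that is not part of the original messages or of phpMyAdmin's code: the request value is matched against a fixed allow-list and the resolved path is confirmed to lie inside the application directory, so the path that is checked is the path that gets included. The function name `resolve_goto`, the allow-list contents and the demo directory are assumptions, and the code uses current PHP syntax rather than PHP3.

```php
<?php
// Added example (not phpMyAdmin code). resolve_goto(), GOTO_ALLOWED and the
// demo directory are hypothetical names chosen for illustration.

// Scripts a request may name in "goto" (constructed list, file names from the thread).
const GOTO_ALLOWED = ['sql.php3', 'tbl_replace.php3'];

/**
 * Return the absolute path to include for a user-supplied goto value,
 * or null when the value must be rejected.
 */
function resolve_goto(string $goto, string $baseDir): ?string
{
    // 1. Exact match against the allow-list: values containing path
    //    separators, "..", absolute paths or URL wrappers never match.
    if (!in_array($goto, GOTO_ALLOWED, true)) {
        return null;
    }

    // 2. Resolve symlinks and require the result to stay under $baseDir.
    //    The same resolved path is both checked and returned for include.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $goto);
    if ($base === false || $path === false) {
        return null; // directory or target file does not exist
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null; // resolved outside the application directory
    }
    return $path;
}

// Demo: a constructed application directory holding one allowed script.
$appDir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'goto_demo';
if (!is_dir($appDir)) {
    mkdir($appDir);
}
touch($appDir . DIRECTORY_SEPARATOR . 'sql.php3');

// Constructed sample inputs, including the value from the advisory.
foreach (['sql.php3', '/etc/passwd', '../../etc/passwd', 'sql.php3/../x'] as $g) {
    $target = resolve_goto($g, $appDir);
    // A real caller would run "include $target;" only when $target is not null.
    printf("%-20s => %s\n", $g, $target === null ? 'rejected' : $target);
}
```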



