Bugtraq mailing list archives
Re: PhpMyAdmin 2.1.0
From: "Angus" <lists () TTDproduction com>
Date: Mon, 2 Jul 2001 12:49:16 +0200
(sorry if you receive this message twice).

About the PhpMyadmin Exploit: It doesn't work with my configuration: I'm using PhpMyadmin 2.1.0 and I've modified sql.php3 and tbl_replace.php3 to correct a previous bug (I'm also using adv_auth).

** sql.php3 **

    if($num_rows < 1)
    {
        if(file_exists("./$goto"))
        {
            include("header.inc.php3");
            if(isset($zero_rows) && !empty($zero_rows))
                $message = $zero_rows;
            else
                $message = $strEmptyResultSet;
            include(preg_replace('/\.\.*/', '.', $goto));
        }

instead of:

    if(file_exists("$goto")) ...

Regards,
Such Paul
I. The phpMyAdmin 2.1.0 holes

There are two include() holes in phpMyAdmin 2.1.0 - this is the latest version but it may work on the older ones. These two holes can be reached with something like this:

http://www.victim.com/phpMyAdmin/sql.php?goto=/etc/passwd&btnDrop=No (*)

and

http://www.victim.com/phpMyAdmin/tbl_replace.php?db=test&table=ess&goto=/etc/passwd

Of course, to exploit these holes, the attacker needs to be logged on remote phpMyAdmin. These holes come from a line like this: 'include($goto);' in sql.php and in tbl_replace.php.
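The messages above trace the problem to include($goto) on a request parameter and patch it by filtering the value. As an added example (not part of either message and not phpMyAdmin's own code), the sketch below lets the parameter only select from a fixed list and confirms the resolved path stays inside the application directory; resolve_goto(), the list entries and the temp directory are assumptions made for the demonstration.

```php
<?php
// Added example: resolve_goto() and the file names below are hypothetical,
// constructed for this demonstration; they are not phpMyAdmin code.

/**
 * Return the absolute path of an allowlisted script inside $baseDir,
 * or null when $goto is not an acceptable include target.
 */
function resolve_goto(string $goto, string $baseDir, array $allowed): ?string
{
    // 1. Exact-match allowlist: the request can only pick a known script name.
    if (!in_array($goto, $allowed, true)) {
        return null;
    }
    // 2. Canonicalise both paths; realpath() returns false for missing files
    //    and resolves symlinks, so a link leading elsewhere is caught below.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $goto);
    if ($base === false || $path === false) {
        return null;
    }
    // 3. Containment: the resolved file must sit under the base directory.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return is_file($path) ? $path : null;
}

// Constructed demo: a temp directory stands in for the application directory.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'goto_demo_' . getmypid();
mkdir($dir);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'page_a.php3', "<?php echo 'page_a';");
$allowed = ['page_a.php3', 'page_b.php3'];   // page_b.php3 is listed but absent

// Constructed inputs: one valid name, the path from the advisory, a relative
// path outside the list, and a listed name with no file behind it.
foreach (['page_a.php3', '/etc/passwd', '../page_a.php3', 'page_b.php3'] as $goto) {
    $target = resolve_goto($goto, $dir, $allowed);
    printf("%-16s => %s\n", $goto,
        $target === null ? 'rejected' : 'include ' . basename($target));
}

// Clean up the demo directory.
unlink($dir . DIRECTORY_SEPARATOR . 'page_a.php3');
rmdir($dir);
```

Only a non-null return value is ever passed to include(); the raw parameter is never used to build the path that gets included.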