oss-sec mailing list archives
Re: CVE Request: phpMyAdmin 3.4 Multiple Vulnerabilities
From: Josh Bressers <bressers () redhat com>
Date: Wed, 29 Jun 2011 15:52:32 -0400 (EDT)
This sounds like 4 issues. It's possible it's less, but I suspect duping will be less work than splitting in the future. IDs below. ----- Original Message -----
Hi. I've found a bunch of vulnerabilities in the latest release of phpMyAdmin. Vuln 1: Any variable in the super global $_SESSION array can be overwritten or created with an arbitrate value.
CVE-2011-2505
Vuln 2: A (common) misconfiguration of phpMyAdmin allows content from the $_SESSION array can be written to a .php-file. Combined with Vuln 1 this becomes a conditional remote code execution.
CVE-2011-2506
Vuln 3: Content from the $_SESSION array are (post authentication) used as input to a function that can execute PHP code. Under the current circumstances a previously unknown null byte string truncation in this function is used. I have only been able to reproduce this string truncation on PHP 5.2.13 running on Windows 7 and I've failed to reproduce it on PHP 5.2.13 running on OpenBSD 4.7 and PHP 5.2.17 running on Linux 2.6.18. I do lack the necessary C++ debugging skills to find out why this only works on my windows box. Combined with Vuln 1 this becomes an authenticated remote code execution.
CVE-2011-2507
Vuln 4: Under a certain configuration an authenticated attacker can include a local file and interpret it's content as PHP. By modifying values in the $_SESSION array a cache holding the required configuration option can be temporarily altered during run time. If combined with Vuln 1 all configurations are vulnerable to this authenticated local file inclusion.
CVE-2011-2508 Thanks. -- JB
Current thread:
- CVE Request: phpMyAdmin 3.4 Multiple Vulnerabilities Mango (Jun 27)
- Re: CVE Request: phpMyAdmin 3.4 Multiple Vulnerabilities Jan Lieskovsky (Jun 28)
- Re: [Phpmyadmin-security] [oss-security] CVE Request: phpMyAdmin 3.4 Multiple Vulnerabilities Herman van Rink (Jun 28)
- Re: CVE Request: phpMyAdmin 3.4 Multiple Vulnerabilities Josh Bressers (Jun 29)
- Re: CVE Request: phpMyAdmin 3.4 Multiple Vulnerabilities Jan Lieskovsky (Jun 28)