Re: PhpMyAdmin 2.1.0

From: Angus (listsat_private)
Date: Mon Jul 02 2001 - 03:49:16 PDT

    (sorry if you receive this message twice).
    
    About the PhpMyadmin Exploit :
    
    It doesn't work with my configuration:
    I'm using PhpMyadmin 2.1.0 and I've modified sql.php3 and
    tbl_replace.php3 to correct a previous bug (I'm also using adv_auth).
    
    ** sql.php3 **
    if($num_rows < 1)
    {
        if(file_exists("./$goto"))
        {
            include("header.inc.php3");
            if(isset($zero_rows) && !empty($zero_rows))
                $message = $zero_rows;
            else
                $message = $strEmptyResultSet;
            include(preg_replace('/\.\.*/', '.', $goto));
        }
    
    instead of:
    
    if(file_exists("$goto"))
    ...
    
    Regards,
    Such Paul
    
    
    > I. The phpMyAdmin 2.1.0 holes
    >
    > There are two include() holes in phpMyAdmin 2.1.0 -
    > this is the latest version
    > but it may work on the older ones.
    > These two holes can be reached with something like this:
    >
    > http://www.victim.com/phpMyAdmin/sql.php?goto=/etc/passwd&btnDrop=No (*)
    > and
    >
    > http://www.victim.com/phpMyAdmin/tbl_replace.php?db=test&table=ess&goto=/etc/passwd
    >
    > Of course, to exploit these holes, the attacker needs
    > to be logged on remote
    > phpMyAdmin.
    >
    > These holes come from a line like this:
    > 'include($goto);' in sql.php and in
    > tbl_replace.php.
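
Added example (not part of the original post and not phpMyAdmin code): one way to harden the include($goto) call discussed above is to accept only names from a fixed allowlist and then confirm the canonical path stays inside the application directory. The function name resolve_goto, the allowlist entries and the scratch directory are assumptions made for illustration; it targets PHP 7.1 or later.

```php
<?php
// Added example, not phpMyAdmin code. Names below are assumptions.

/**
 * Map a user-supplied "goto" value to a file that is safe to include().
 * Returns the canonical path, or null when the value must be rejected.
 */
function resolve_goto(string $goto, string $baseDir, array $allowed): ?string
{
    // 1. Accept only exact names from a fixed allowlist (strict comparison),
    //    so separators, dot runs and absolute paths never reach include().
    if (!in_array($goto, $allowed, true)) {
        return null;
    }

    // 2. Canonicalize; realpath() returns false if the file does not exist.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $goto);
    if ($base === false || $path === false) {
        return null;
    }

    // 3. Defence in depth: the resolved file must still sit under $base
    //    (catches a symlink planted under an allowlisted name).
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

// Constructed demo: a scratch directory holding one placeholder script.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'goto_demo_' . getmypid();
if (!is_dir($dir)) {
    mkdir($dir, 0700);
}
file_put_contents($dir . '/tbl_properties.php3', "<?php // placeholder\n");
$allowed = ['tbl_properties.php3', 'db_details.php3']; // assumed allowlist

$samples = ['tbl_properties.php3', 'db_details.php3', '/etc/passwd', '../tbl_properties.php3'];
foreach ($samples as $goto) {
    $target = resolve_goto($goto, $dir, $allowed);
    printf("%-24s => %s\n", $goto, $target === null ? 'rejected' : 'include ' . basename($target));
}

unlink($dir . '/tbl_properties.php3');
rmdir($dir);
```

The caller includes only the path the function returns and falls back to a fixed default page when it returns null.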
    


