what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

phpMyAdmin Security Announcement 2004.2

phpMyAdmin Security Announcement 2004.2
Posted Oct 24, 2004
Authored by phpMyAdmin Devel Team | Site phpmyadmin.net

When specifying specially formatted options to external MIME transformation, an attacker can execute any shell command restricted by privileges of httpd user.

tags | advisory, shell
SHA-256 | 653c1d641fce3d340f0ed50c6a9b2990cbfd01531ec29f00702011a65ea1d0d1

phpMyAdmin Security Announcement 2004.2

Change Mirror Download

PMASA-2004-2

phpMyAdmin security announcement

Announcement-ID: PMASA-2004-2
Date: 2004-10-12

Summary:
When specifying specially formatted options to external MIME transformation, an attacker can execute any shell command restricted by privileges of httpd user.

Description:
phpMyAdmin allows to use MIME transformations for displaying fields from database. These transformations are not enabled by default (administrator needs to prepare special table for keeping some information and specify it in configuration). One of these transformations allows to pipe field content through external program which needs to be hardcoded in php script. However user can specify parameters to that program and this parameter was not checked for shell meta characters, so attacker could pass there anything from redirection of output to executing any other command.

Severity:
In default setup this feature is not enabled and many hosting providers run php in safe mode with disabled exec support, which both make them unaffected by this issue. User also need to be logged in into phpMyAdmin, what limites range of attackers to users of the server, who usually also can execute php code directly, so this possibility doesn't extend his privileges. However this could cause some harm, so we consider this as important.

Affected versions:
All releases starting with 2.5.0 up to and including 2.6.0-pl1.

Unaffected versions:
All releases older than 2.5.0. CVS HEAD has been fixed. The upcoming 2.6.0-pl2 release.

Solution:
If you are vulnerable to this issue, easiest fix is to disable external transformation - just remove file libraries/transformations/text_plain__external.inc.php. The attached patch fixes the problem but should only be used by distributors who do not want to upgrade. Otherwise, we strongly advise everyone to upgrade to CVS HEAD or to the next version of phpMyAdmin, which is to be released soon.

References:
none

For further information and in case of questions, please contact the phpMyAdmin team. Our website is http://www.phpmyadmin.net/.
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    0 Files
  • 12
    Nov 12th
    0 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close