[21306] in bugtraq
Re: PhpMyAdmin 2.1.0
daemon@ATHENA.MIT.EDU (Angus)
Mon Jul 2 16:22:09 2001
Message-ID: <00f701c102e4$a43fd3d0$0a00000a@thunder>
From: "Angus" <lists@TTDproduction.com>
To: <bugtraq@securityfocus.com>
Date: Mon, 2 Jul 2001 12:49:16 +0200
MIME-Version: 1.0
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
(Sorry if you receive this message twice.)
About the phpMyAdmin exploit:
It doesn't work with my configuration:
I'm using phpMyAdmin 2.1.0 and I've modified sql.php3 and
tbl_replace.php3 to correct a previous bug (I'm also using adv_auth).
** sql.php3 **
if($num_rows < 1)
{
    // Only proceed if $goto names an existing file relative to the
    // phpMyAdmin directory (the original tested the raw path, see below).
    if(file_exists("./$goto"))
    {
        include("header.inc.php3");
        if(isset($zero_rows) && !empty($zero_rows))
            $message = $zero_rows;
        else
            $message = $strEmptyResultSet;
        // Collapse every run of dots to a single dot, so "../" becomes "./"
        // and cannot climb out of the directory. Note that file_exists()
        // above was evaluated on the unmodified $goto.
        include(preg_replace('/\.\.*/', '.', $goto));
    }
}
instead of:
    if(file_exists("$goto"))
    ...
Regards,
Such Paul
> I. The phpMyAdmin 2.1.0 holes
>
> There are two include() holes in phpMyAdmin 2.1.0 - this is the latest
> version, but they may work on the older ones.
> These two holes can be reached with something like this:
>
> http://www.victim.com/phpMyAdmin/sql.php?goto=/etc/passwd&btnDrop=No (*)
> and
> http://www.victim.com/phpMyAdmin/tbl_replace.php?db=test&table=ess&goto=/etc/passwd
>
> Of course, to exploit these holes, the attacker needs to be logged on to
> the remote phpMyAdmin.
>
> These holes come from a line like this:
> 'include($goto);' in sql.php and in tbl_replace.php.
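Editor's added example, not code from the original post or from phpMyAdmin: the include($goto) pattern named in the quoted advisory, the dot-collapsing normalisation posted above (kept for comparison; note that it leaves an absolute path such as /etc/passwd untouched, so in the posted fix it is the file_exists("./$goto") test that blocks that case), and a hardened form that resolves goto against a fixed allowlist of scripts and confirms the real path stays inside the application directory. The allowlist entries, the temporary directory layout, the stand-in secret file and the goto values are constructed for the demo; the code targets PHP 7.4 or later, not PHP 3.

```php
<?php
// Added example (not phpMyAdmin code). Directory layout, file names and the
// allowlist below are constructed for the demo.

// Vulnerable form from the advisory: the query-string value goes straight
// into include(). With goto=../secret.txt (or an absolute path such as
// /etc/passwd) any file the web server can read is parsed and output.
function include_goto_vulnerable(string $goto): void
{
    include($goto);
}

// The normalisation posted in the reply above, for comparison: every run of
// dots becomes one dot, so "../x" turns into "./x", while an absolute path
// like "/etc/passwd" is returned unchanged.
function collapse_dots(string $goto): string
{
    return preg_replace('/\.\.*/', '.', $goto);
}

// Hardened form: goto must match one of the scripts the application really
// redirects to, and the resolved path must remain below $appDir.
// Returns the absolute path to include, or null when the value is rejected.
const GOTO_ALLOWLIST = ['main.php3', 'db_details.php3', 'tbl_properties.php3']; // assumed names

function resolve_goto(string $goto, string $appDir): ?string
{
    if (!in_array($goto, GOTO_ALLOWLIST, true)) {
        return null;                              // not a known redirect target
    }
    $base = realpath($appDir);
    $path = realpath($appDir . DIRECTORY_SEPARATOR . $goto);
    if ($base === false || $path === false) {
        return null;                              // directory or file missing
    }
    // realpath() has resolved symlinks and ".."; confirm the result is still
    // inside the application directory before trusting it.
    if (strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

// Includes the resolved script; false tells the caller to fall back to a
// default page instead of including anything attacker-controlled.
function include_goto_safe(string $goto, string $appDir): bool
{
    $path = resolve_goto($goto, $appDir);
    if ($path === null) {
        return false;
    }
    include($path);
    return true;
}

// --- Demo: a constructed app directory with one legitimate target, plus a
// file outside it standing in for /etc/passwd. ---
$root = sys_get_temp_dir() . '/goto_demo_' . getmypid();
mkdir("$root/app", 0700, true);
file_put_contents("$root/app/main.php3", "<?php echo \"main.php3 included\\n\";\n");
file_put_contents("$root/secret.txt", "root:x:0:0:root:/root:/bin/sh\n"); // constructed
chdir("$root/app");                                // as if running from the phpMyAdmin dir

$probes = ['main.php3', '../secret.txt', '/etc/passwd', 'main.php3/../../secret.txt'];

echo "collapse_dots() only:\n";
foreach ($probes as $g) {
    printf("  %-28s -> %s\n", $g, collapse_dots($g));
}

echo "\nvulnerable include(\$goto) with goto=../secret.txt:\n  ";
include_goto_vulnerable('../secret.txt');          // dumps the secret file verbatim

echo "\nallowlist include:\n";
foreach ($probes as $g) {
    printf("  %-28s -> ", $g);
    echo include_goto_safe($g, "$root/app") ? '' : "rejected\n";
}

// Clean up the constructed files.
unlink("$root/app/main.php3");
unlink("$root/secret.txt");
rmdir("$root/app");
rmdir($root);
```

Run it with the PHP CLI (php goto_demo.php, file name assumed). The first block shows that dot collapsing rewrites "../secret.txt" to "./secret.txt" but passes "/etc/passwd" through unchanged; the second block shows the raw include() dumping the stand-in secret; the third shows only "main.php3" being included while every traversal and absolute-path probe is rejected before include() is ever reached. The allowlist check runs before realpath() on purpose: the decision is made on the literal value the application expects, so path normalisation quirks never get a say.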