[22044] in bugtraq
Re: New command execution vulnerability in myPhpAdmin
daemon@ATHENA.MIT.EDU (Mark Renouf)
Tue Jul 31 17:26:44 2001
Message-ID: <3B672021.1030109@tweakt.net>
Date: Tue, 31 Jul 2001 17:16:17 -0400
From: Mark Renouf <mark@tweakt.net>
MIME-Version: 1.0
To: Carl Livitt <carl@ititc.com>
Cc: bugtraq@securityfocus.com
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Carl Livitt wrote:
>--/ Product: phpMyAdmin versions <= 2.2.0rc3
>--/ Problem: Arbitrary remote command execution
>--/ Severity: High
>--/ Author: Carl Livitt (carl AT ititc DOT com)
>--/ Date: 31 July 2001
>
This isn't so much a problem with phpMyAdmin as it is with PHP in
general. I would HIGHLY
recommend turning off register_globals in php.ini (which is the default
in set in php.ini-dist for php4+).
With that option disabled, the only thing that passing in extra
parameters can do is create entries in
the $HTTP_GET_VARS array, and it's not possible to clobber global script
variables.
I tested this with my installation of phpMyAdmin 2.1.0 and it is not
vulnerable to the attack that you
described, due to the settings I mentioned above.
