[33484] in bugtraq
Re: Arbitrary File Disclosure Vulnerability in phpMyAdmin 2.5.5-pl1 and prior
daemon@ATHENA.MIT.EDU (Security Admin)
Fri Feb 6 17:21:32 2004
X-Envelope-To: bugtraq@securityfocus.com
X-Real-To: bugtraq@securityfocus.com
Date: Thu, 5 Feb 2004 14:12:42 +0100
From: Security Admin <security@cyberlink.ch>
To: bugtraq@securityfocus.com
Message-ID: <20040205131240.GA8496@dns1.cyberlink.ch>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20040203102857.GA10706@netvigilance.com>
On Tue, Feb 03, 2004 at 11:28:57AM +0100, Cedric Cochin wrote:
> - -- HTTP Request --
>
> http://[target]/[phpMyAdmin_directory]/export.php?what=../../../../../../etc/passwd%00
>
> - -- HTTP Request --
That's what "php_value include_path" is for. Most Sites running
phpmyadmin probably have users which not only can manage their
databases, but also put up php-code as they like. And of course
they can upload things like that:
http://seegras.discordia.ch/Programs/phpdir
Cheers
Peter Keel
--
Operator in charge of Security Tel +41 1 287 2993
Cyberlink Internet Services AG Fax +41 1 287 2991
Richard Wagnerstrasse 6 admin@cyberlink.ch
CH-8002 Zuerich http://www.cyberlink.ch
