
List:       oss-security
Subject:    Re: [oss-security] CVE Request: phpMyAdmin 3.4 Multiple Vulnerabilities
From:       Jan Lieskovsky <jlieskov () redhat ! com>
Date:       2011-06-28 7:36:04
Message-ID: 4E098464.6080104 () redhat ! com

Hello Mango,

   thank you for your report.

Wondering if you have contacted the phpMyAdmin Security Team first (Cc-ed
too) for their review, opinion and actions planned regarding the issues
below? ( http://www.phpmyadmin.net/home_page/security/ )

Also, are there relevant upstream bugzilla issue tracking system:
[1] http://sourceforge.net/tracker/?atid=377408&group_id=23067&func=browse

records (where further information about the issues could be found) yet?

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team

On 06/28/2011 04:32 AM, Mango wrote:
> Hi.
> I've found a bunch of vulnerabilities in the latest release of phpMyAdmin.
>
> Vuln 1:
> Any variable in the super global $_SESSION array can be overwritten or
> created with an arbitrary value.
>
> Vuln 2:
> A (common) misconfiguration of phpMyAdmin allows content from the $_SESSION
> array to be written to a .php-file.
> Combined with Vuln 1 this becomes a conditional remote code execution.
>
> Vuln 3:
> Content from the $_SESSION array is (post-authentication) used as input to
> a function that can execute PHP code.
> Under the current circumstances a previously unknown null byte string
> truncation in this function is used.
> I have only been able to reproduce this string truncation on PHP 5.2.13
> running on Windows 7 and I've failed to reproduce it on PHP 5.2.13 running
> on OpenBSD 4.7 and PHP 5.2.17 running on Linux 2.6.18. I do lack
> the necessary C++ debugging skills to find out why this only works on my
> Windows box.
> Combined with Vuln 1 this becomes an authenticated remote code execution.
>
> Vuln 4:
> Under a certain configuration an authenticated attacker can include a local
> file and interpret its content as PHP.
> By modifying values in the $_SESSION array a cache holding the required
> configuration option can be temporarily altered during run time.
> If combined with Vuln 1 all configurations are vulnerable to this
> authenticated local file inclusion.
>
>
> Vulns 2 & 3 do not rely on Vuln 1 since the $_SESSION array could also be
> modified by a local attacker trying to elevate his/her privileges in an
> improperly configured shared environment.
> Do I need 4 CVEs?
>
> Regards
> /Mango - ha.xxor.se
>

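As an added illustration, not code from phpMyAdmin or from either poster, the two defensive checks that close the classes of issue Mango describes: request data is copied into $_SESSION only under a fixed set of keys with validated values (Vuln 1), and a session-derived name used for inclusion is rejected if it carries a null byte or resolves outside the intended directory, rather than trusting the runtime to truncate or refuse it (Vulns 3 and 4). All function and key names are hypothetical.

```php
<?php
// Added illustration, not phpMyAdmin code. Names are hypothetical.
declare(strict_types=1);

// Copying request data into $_SESSION under caller-chosen keys lets any
// session variable be created or overwritten. Keep the writable keys fixed
// and validate each value against a pattern.
const SESSION_WRITABLE = [
    'lang'  => '/^[a-z]{2}(-[a-z]{2})?$/',
    'theme' => '/^[a-z0-9_]{1,32}$/',
];

// Store only allow-listed, well-formed values from $input into $session.
// Returns the keys that were refused so the caller can log them.
function storeSessionValues(array $input, array &$session): array
{
    $rejected = [];
    foreach ($input as $key => $value) {
        if (!isset(SESSION_WRITABLE[$key])
            || !is_string($value)
            || preg_match(SESSION_WRITABLE[$key], $value) !== 1) {
            $rejected[] = (string) $key;
            continue;
        }
        $session[$key] = $value;
    }
    return $rejected;
}

// A session value that ends up in include(): refuse null bytes explicitly
// (the report notes truncation behaviour differs between platforms), allow
// only a plain identifier, and require the resolved path to stay under
// $baseDir. Returns null when the name must not be included.
function resolveIncludePath(string $name, string $baseDir): ?string
{
    if (strpos($name, "\0") !== false || preg_match('/^[a-z0-9_]+$/', $name) !== 1) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $name . '.php');
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

// Constructed sample input: one legitimate key and one injected key.
$session = [];
$dropped = storeSessionValues(['lang' => 'en', 'is_admin' => '1'], $session);
```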