CVE-2004-2630
CVSS 7.5
Published: 2004-12-31 00:00:00
Last revised: 2016-10-17 23:07:11

[Original] The MIME transformation system (transformations/text_plain__external.inc.php) in phpMyAdmin 2.5.0 up to 2.6.0-pl1 allows remote attackers to execute arbitrary commands via shell metacharacters in unspecified vectors.


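[CNNVD] phpMyAdmin Remote Command Execution Vulnerability (CNNVD-200412-482)

        The MIME transformation system (transformations/text_plain__external.inc.php) in phpMyAdmin 2.5.0 through 2.6.0-pl1 contains a vulnerability. Remote attackers can execute arbitrary commands via shell metacharacters in unspecified vectors.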
        

- CVSS (Base Score)

CVSS score: 7.5 [Severe (HIGH)]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (Affected Platforms and Products)

cpe:/a:phpmyadmin:phpmyadmin:2.5.2_pl1
cpe:/a:phpmyadmin:phpmyadmin:2.5.2
cpe:/a:phpmyadmin:phpmyadmin:2.5.1
cpe:/a:phpmyadmin:phpmyadmin:2.5.4
cpe:/a:phpmyadmin:phpmyadmin:2.5.3
cpe:/a:phpmyadmin:phpmyadmin:2.5.5
cpe:/a:phpmyadmin:phpmyadmin:2.5.5_rc2
cpe:/a:phpmyadmin:phpmyadmin:2.5.5_rc1
cpe:/a:phpmyadmin:phpmyadmin:2.5.7
cpe:/a:phpmyadmin:phpmyadmin:2.5.5_pl1
cpe:/a:phpmyadmin:phpmyadmin:2.5.7_pl1
cpe:/a:phpmyadmin:phpmyadmin:2.5.0
cpe:/a:phpmyadmin:phpmyadmin:2.5.6_rc2
cpe:/a:phpmyadmin:phpmyadmin:2.5.6_rc1
cpe:/a:phpmyadmin:phpmyadmin:2.6.0_pl1

- OVAL (Technical Details for Detection)

No related OVAL definitions found

- Official Database Links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2630
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-2630
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200412-482
(Official data source) CNNVD

- Other Links and Resources

http://marc.info/?l=bugtraq&m=109816584519779&w=2
(UNKNOWN)  BUGTRAQ  20041018 phpMyAdmin: Vulnerability in MIME-based transformation
http://marc.info/?l=full-disclosure&m=109810251501643&w=2
(UNKNOWN)  FULLDISC  20041018: phpMyAdmin: Vulnerability in MIME-based transformation
http://securitytracker.com/alerts/2004/Oct/1011761.html
(PATCH)  SECTRACK  1011761
http://www.gentoo.org/security/en/glsa/glsa-200410-14.xml
(PATCH)  GENTOO  GLSA-200410-14
http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2004-2
(PATCH)  CONFIRM  http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2004-2
http://www.securityfocus.com/bid/11391
(PATCH)  BID  11391
http://xforce.iss.net/xforce/xfdb/17698
(PATCH)  XF  phpmyadmin-command-execution(17698)

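- Vulnerability Information

phpMyAdmin Remote Command Execution Vulnerability
High risk  Input validation
2004-12-31 00:00:00 2005-12-21 00:00:00
Remote
        The MIME transformation system (transformations/text_plain__external.inc.php) in phpMyAdmin 2.5.0 through 2.6.0-pl1 contains a vulnerability. Remote attackers can execute arbitrary commands via shell metacharacters in unspecified vectors.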
        

- Advisories and Patches

        Gentoo Linux has released advisory GLSA 200410-14 dealing with this issue. They have advised that all phpMyAdmin users should upgrade to the latest version:
        # emerge sync
        # emerge -pv ">=dev-db/phpmyadmin-2.6.0_p2"
        # emerge ">=dev-db/phpmyadmin-2.6.0_p2"
        Please see the referenced Gentoo advisory for more information.
        The vendor has released phpMyAdmin 2.6.0 pl2 to address this issue.
        phpMyAdmin phpMyAdmin 2.0
        phpMyAdmin phpMyAdmin 2.0.1
        phpMyAdmin phpMyAdmin 2.0.2
        phpMyAdmin phpMyAdmin 2.0.3
        phpMyAdmin phpMyAdmin 2.0.4
        phpMyAdmin phpMyAdmin 2.0.5
        phpMyAdmin phpMyAdmin 2.1 .2
        phpMyAdmin phpMyAdmin 2.1
        phpMyAdmin phpMyAdmin 2.1 .1
        phpMyAdmin phpMyAdmin 2.2 pre1
        phpMyAdmin phpMyAdmin 2.2 rc3
        phpMyAdmin phpMyAdmin 2.2 pre2
        phpMyAdmin phpMyAdmin 2.2 rc2
        phpMyAdmin phpMyAdmin 2.2
        phpMyAdmin phpMyAdmin 2.2 rc1
        phpMyAdmin phpMyAdmin 2.2.2
        phpMyAdmin phpMyAdmin 2.2.3
        phpMyAdmin phpMyAdmin 2.2.4
        phpMyAdmin phpMyAdmin 2.2.5
        phpMyAdmin phpMyAdmin 2.2.6
        phpMyAdmin phpMyAdmin 2.3.1
        phpMyAdmin phpMyAdmin 2.3.2
        phpMyAdmin phpMyAdmin 2.4 .0
        phpMyAdmin phpMyAdmin 2.5 .0

- Vulnerability Information

10715
phpMyAdmin Unspecified Arbitrary Command Execution
Remote / Network Access Input Manipulation
Loss of Integrity
Exploit Unknown Vendor Verified

- Vulnerability Description

An unspecified vulnerability in phpMyAdmin allows remote arbitrary command execution with the privileges of the web server. The issue is due to the way MIME-based transformations are handled when dealing with "external" transformations; it can only occur if PHP's safe mode is disabled. No further details have been provided.

- Timeline

2004-10-13 Unknown
Unknown Unknown

- Solution

Upgrade to version 2.6.0-pl2 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- Related References

- Vulnerability Author

Unknown or Incomplete