The following security advisory is sent to the securiteam mailing list, and can
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
phpMyAdmin Multiple Vulnerabilities (Path Disclosure, Response Splitting)
------------------------------------------------------------------------
SUMMARY
<http://www.phpmyadmin.net/> phpMyAdmin is "a tool written in PHP
intended to handle the administration of MySQL over the Web. Currently it
can create and drop databases, create/drop/alter tables, delete/edit/add
fields, execute any SQL statement, manage keys on fields".
Multiple security vulnerabilities have been found in phpMyAdmin, these
range from full path disclosure to allowing attackers to preform HTTP
response splitting.
DETAILS
Vulnerable Systems:
* phpMyAdmin version 2.7.0-beta1
Full Path Disclosures in the following files:
libraries/string.lib.php
libraries/storage_engines.lib.php
libraries/sqlparser.lib.php
libraries/sql_query_form.lib.php
libraries/select_theme.lib.php
libraries/select_lang.lib.php
libraries/relation_cleanup.lib.php
libraries/left_header.inc.php
libraries/import.lib.php
libraries/header_meta_style.inc.php
libraries/grab_globals.lib.php
libraries/get_foreign.lib.php
(get_foreign.lib.php?field=foo&foreigners[foo]=foo)
libraries/display_tbl_links.lib.php
(display_tbl_links.lib.php?doWriteModifyAt=left&edit_url=foo)
libraries/display_import.lib.php
libraries/display_export.lib.php
libraries/display_create_table.lib.php
libraries/display_create_database.lib.php
libraries/db_table_exists.lib.php
libraries/database_interface.lib.php
libraries/common.lib.php
libraries/check_user_privileges.lib.php
libraries/charset_conversion.lib.php
(charset_conversion.lib.php?cfg[AllowAnywhereRecoding]=true&allow_recoding=true)
libraries/sqlvalidator.lib.php
(libraries/sqlvalidator.lib.php?cfg[SQLValidator]=use=TRUE)
libraries/import/sql.php
libraries/fpdf/ufpdf.php
libraries/auth/cookie.auth.lib.php
(libraries/auth/cookie.auth.lib.php?coming_from_common=true)
HTTP Response Splitting in libraries/header_http.inc.php:
The script doesn't check for direct access. If register_globals is on, it
is possible for a remote attacker to cause HTTP response splitting.
Impact:
A remote attacker could exploit this to learn installation paths on
server. The HTTP Response splitting vulnerability can lead to user
compromise amongst other things.
ADDITIONAL INFORMATION
The information has been provided by <mailto:toni.koivunen@fitsec.com>
Toni Koivunen.
The original article can be found at:
<http://www.fitsec.com/advisories/FS-05-02.txt>
http://www.fitsec.com/advisories/FS-05-02.txt
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to:
list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to:
list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any
kind.
In no event shall we be liable for any damages whatsoever including direct,
indirect, incidental, consequential, loss of business profits or special
damages.
