Hack in phpMyAdmin and phpPgAdmin
Secure Reality Pty Ltd. Security Pre-Advisory #1 (SRPRE00001)
Remote command execution vulnerabilities in phpMyAdmin and phpPgAdmin
Released
23/4/2001
This is a pre-release. This vulnerability will be discussed in detail during Shaun Clowes' speech at the Black Hat briefings in Asia in the week of the 23rd of April. A full advisory will be issued following the conference.
Vulnerable
phpMyAdmin 2.1.0
phpPgAdmin 2.2.1
All prior versions are almost certainly vulnerable but not tested
Impact
Remote command execution by unauthenticated remote users
Fix
The authors have not yet been able to correct the issues in mainstream versions. To the best of our knowledge, the issues will be fixed in the next major release of phpPgAdmin. This will be clarified in the full release of this advisory.
SecureReality is providing patches for the problems; no liability for the performance or effectiveness of these patches is accepted.
phpPgAdmin 2.2.1: <http://www.securereality.com.au/patches/phpPgAdmin-SecureReality.diff>
phpMyAdmin 2.2.0: <http://www.securereality.com.au/patches/phpMyAdmin-SecureReality.diff>
Users of earlier versions are advised to upgrade to the versions specified then apply the patches.
To apply the patches:
- cd to the directory in which the application files are stored (e.g. /home/httpd/html/phpMyAdmin/)
- run 'patch -p0 < *path to patch file*'
Disclaimer
Advice, directions and instructions on security vulnerabilities in this advisory do not constitute: an endorsement of illegal behavior; a guarantee that protection measures will work; an endorsement of any product or solution or recommendations on behalf of Secure Reality Pty Ltd. Content is provided as is and Secure Reality Pty Ltd does not accept responsibility for any damage or injury caused as a result of its use.