phpMyAdmin文件完整路径信息泄漏漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1197332 漏洞类型 未知
发布时间 2005-11-16 更新时间 2005-11-16
CVE编号 CVE-2005-3622 CNNVD-ID CNNVD-200511-181
漏洞平台 N/A CVSS评分 5.0
|漏洞来源
https://www.securityfocus.com/bid/89204
https://cxsecurity.com/issue/WLB-2005110046
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200511-181
|漏洞详情
phpMyAdmin简单的说就是一种MySQL的管理工具。phpMyAdmin2.7.0-beta1及更早版本,可让远程攻击者通过直接请求程序库目录中的多个脚本来获取服务器的完整路径。
|漏洞EXP
========================================================================
=======

_________________________________________
Security Advisory
_________________________________________
http://www.fitsec.com/advisories/FS-05-02.txt
_________________________________________

Severity: Low/Medium
  Title: Multiple vulnerabilities in phpMyAdmin
  Date: 12.11.2005
  ID: FS-05-02
  Author: Toni Koivunen (toni.koivunen (at) fitsec.com)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Background:

phpMyAdmin is a tool written in PHP intended to handle the 
administration of MySQL over the Web. Currently it can create and drop 
databases, create/drop/alter tables, delete/edit/add fields, execute any 
SQL statement, manage keys on fields.

Affected versions:

Atleast 2.7.0-beta1, most likely others versions also.

Description:

Vuln 1:
Full Path Disclosures in the following files:

libraries/string.lib.php
libraries/storage_engines.lib.php
libraries/sqlparser.lib.php
libraries/sql_query_form.lib.php
libraries/select_theme.lib.php
libraries/select_lang.lib.php
libraries/relation_cleanup.lib.php
libraries/left_header.inc.php
libraries/import.lib.php
libraries/header_meta_style.inc.php
libraries/grab_globals.lib.php
libraries/get_foreign.lib.php 
(get_foreign.lib.php?field=foo&foreigners[foo]=foo)
libraries/display_tbl_links.lib.php 
(display_tbl_links.lib.php?doWriteModifyAt=left&edit_url=foo)
libraries/display_import.lib.php
libraries/display_export.lib.php
libraries/display_create_table.lib.php
libraries/display_create_database.lib.php
libraries/db_table_exists.lib.php
libraries/database_interface.lib.php
libraries/common.lib.php
libraries/check_user_privileges.lib.php
libraries/charset_conversion.lib.php 
(charset_conversion.lib.php?cfg[AllowAnywhereRecoding]=true&allow_recodi
ng=true)
libraries/sqlvalidator.lib.php 
(libraries/sqlvalidator.lib.php?cfg[SQLValidator]=use=TRUE)
libraries/import/sql.php
libraries/fpdf/ufpdf.php
libraries/auth/cookie.auth.lib.php 
(libraries/auth/cookie.auth.lib.php?coming_from_common=true)

Vuln 2:
Http Response Splitting in libraries/header_http.inc.php

The script doesn't check for direct access. If register_globals
is on, it is possible for a remote attacker to cause http
response splitting.

Impact:

A remote attacker could exploit this to learn installation paths on
server.
The HTTP Response splitting vulnerability can lead to user compromise
amongst other things.

Status:
12.11.2005 Vulnerabilities found

Acknowledgements:
To the community at dievo.org, keep it up :)
|受影响的产品
phpMyAdmin phpMyAdmin 2.6.1 pl3 phpMyAdmin phpMyAdmin 2.5.7 pl1 phpMyAdmin phpMyAdmin 2.5.5 pl1 phpMyAdmin phpMyAdmin 2.5.4 phpMyAdmin phpMyAdmin 2.5.3 +
|参考资料

来源:MISC
链接:http://www.fitsec.com/advisories/FS-05-02.txt
来源:OSVDB
名称:20914
链接:http://www.osvdb.org/20914
来源:OSVDB
名称:20913
链接:http://www.osvdb.org/20913
来源:OSVDB
名称:20912
链接:http://www.osvdb.org/20912
来源:OSVDB
名称:20911
链接:http://www.osvdb.org/20911
来源:SECTRACK
名称:1015213
链接:http://securitytracker.com/id?1015213
来源:SREASON
名称:185
链接:http://securityreason.com/securityalert/185
来源:BUGTRAQ
名称:20051115[FS-05-02]MultiplevulnerabilitiesinphpMyAdmin
链接:http://marc.theaimsgroup.com/?l=bugtraq&m=113208319104035&w=2