Bug 108939 - dev-db/phpmyadmin: Local file inclusion
Summary: dev-db/phpmyadmin: Local file inclusion
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL: http://www.phpmyadmin.net/home_page/s...
Whiteboard: B2 [glsa] jaervosz
Keywords:
Depends on:
Blocks:
 
Reported: 2005-10-11 15:33 UTC by Carsten Lohrke (RETIRED)
Modified: 2005-10-17 08:13 UTC

See Also:
Package list:
Runtime testing required: ---


Description Carsten Lohrke (RETIRED) gentoo-dev 2005-10-11 15:33:41 UTC
http://securityreason.com/securityalert/69
Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-10-11 22:30:41 UTC
I can't get the PoC to work with my settings though the error messages 
indicate that it is indeed trying to include the file specified. Setting 
status to upstream? pending further confirmation/fix. Web-apps please advise. 
Comment 2 Thierry Carrez (RETIRED) gentoo-dev 2005-10-12 02:32:26 UTC
Confirmed in phpMyAdmin security announcement PMASA-2005-4:

==============================================
Announcement-ID: PMASA-2005-4
Date: 2005-10-11

Summary:
Local file inclusion vulnerability

Description:
In libraries/grab_globals.lib.php, the $__redirect parameter was not correctly
validated, opening the door to a local file inclusion attack.

Severity:
We consider this vulnerability to be serious. However, it can be exploited only
on systems not running in PHP safe mode (unless a deliberate hole was opened by
including in open_basedir some paths containing sensitive data).

Affected versions:
phpMyAdmin versions 2.6.4 and 2.6.4-pl1.

Solution:
Upgrade to phpMyAdmin 2.6.4-pl2 or newer.
===============================================

web-apps, please bump to 2.6.4-pl2
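The advisory quoted above names the cause, a request parameter ($__redirect) reaching an include without validation, but not the code. The following is an added illustration, not phpMyAdmin's own code: the vulnerable shape of such a redirect handler next to an allow-list hardened version. The function names, the file names in the allow-list and the request array layout are assumptions made for this example.

```php
<?php
// Added example (not from phpMyAdmin): the pattern behind a local file
// inclusion bug of the kind described in PMASA-2005-4, and a hardened form.
// "$__redirect" is the parameter named in the advisory; everything else here
// (function names, file names in the allow-list) is assumed for illustration.

// Vulnerable pattern: a request-controlled value is handed to include()
// unchecked, so the caller decides which local file the interpreter loads.
// As the advisory notes, only safe mode / open_basedir limits the damage.
function redirect_unsafe(array $request): void
{
    if (isset($request['__redirect'])) {
        include $request['__redirect'];
    }
}

// Hardened pattern: the application enumerates the few scripts it is willing
// to hand off to, and accepts nothing but an exact match from that list.
// (Assumed script names; a real deployment lists its own.)
const ALLOWED_REDIRECTS = ['index.php', 'db_details.php', 'tbl_properties.php'];

function safe_redirect_target(?string $value): ?string
{
    if ($value === null) {
        return null;
    }
    // basename() rejects any directory component (../, absolute paths); the
    // strict in_array() comparison avoids type juggling. The allow-list is the
    // actual control; basename() only makes the intent explicit.
    $candidate = basename($value);
    if ($candidate !== $value || !in_array($candidate, ALLOWED_REDIRECTS, true)) {
        return null;
    }
    return $candidate;
}

function redirect_safe(array $request): void
{
    $target = safe_redirect_target($request['__redirect'] ?? null);
    if ($target === null) {
        // Unknown or malformed target: ignore it rather than include anything.
        return;
    }
    include __DIR__ . '/' . $target;
}
```

A useful detection check for the same bug class is to grep the web root for include/require statements whose operand contains a superglobal or a variable that was imported from the request, as grab_globals-style code did.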
Comment 3 Martin Holzer (RETIRED) gentoo-dev 2005-10-12 13:48:03 UTC
in cvs
Comment 4 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-10-12 14:01:56 UTC
Thx Martin. 
 
Arches please test and mark 2.6.4_p2 stable.  
Comment 5 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev 2005-10-13 10:33:13 UTC
Stable on ppc and hppa.
Comment 6 Gustavo Zacarias (RETIRED) gentoo-dev 2005-10-13 11:30:47 UTC
sparc stable.
Comment 7 Jose Luis Rivero (yoswink) (RETIRED) gentoo-dev 2005-10-13 13:17:44 UTC
Stable on alpha ( 2.6.4_p2 )
Comment 8 Dan 2005-10-13 14:52:21 UTC
Works fine for me on x86 except for one odd thing.  Clicking "log out" gives "authentication failed" 
 
Is this something wonky on my system or can anyone reproduce? 
Comment 9 Mark Loeser (RETIRED) gentoo-dev 2005-10-14 14:31:34 UTC
stable on x86
Comment 10 Marcus D. Hanwell (RETIRED) gentoo-dev 2005-10-16 09:21:11 UTC
Stable on amd64, sorry for the delay. 
Comment 11 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-10-17 08:13:28 UTC
GLSA 200510-16