Bug 98328 - dev-db/phppgadmin: Input Validation Hole in 'formLanguage' (CAN-2005-2256)
Summary: dev-db/phppgadmin: Input Validation Hole in 'formLanguage' (CAN-2005-2256)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
URL: http://securitytracker.com/alerts/200...
Whiteboard: C3 [noglsa] jaervosz
Keywords:
Depends on:
Blocks:
 
Reported: 2005-07-08 02:55 UTC by Matthias Geerdsen (RETIRED)
Modified: 2005-07-26 12:38 UTC

See Also:
Package list:
Runtime testing required: ---
Description Matthias Geerdsen (RETIRED) gentoo-dev 2005-07-08 02:55:02 UTC
phpPgAdmin Input Validation Hole in 'formLanguage' Discloses Files to Remote Users
SecurityTracker Alert ID:  1014414
SecurityTracker URL:  http://securitytracker.com/id?1014414
CVE Reference:  GENERIC-MAP-NOMATCH
Date:  Jul 7 2005
Impact:  Disclosure of system information, Disclosure of user information
Exploit Included:  Yes  
Version(s): 3.5.3 and prior versions
Description:  A vulnerability was reported in phpPgAdmin. A remote user can view files on the target system.

The script does not properly validate user-supplied input in the 'formLanguage' parameter. A remote user can supply a specially crafted parameter value containing encoded directory traversal characters to view files on the target system.

A demonstration exploit URL is provided:

formUsername=username&formPassword=password&formServer=0
&formLanguage=%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f/etc/passwd%00&submitLogin=Login

SecurityFocus reported this vulnerability. No credit was provided.
Impact:  A remote user can view files on the target system with the privileges of the target web service.
Solution:  No solution was available at the time of this entry.
Vendor URL:  phppgadmin.sourceforge.net/
Cause:  Input validation error 

_______

postgresql/web-apps pls validate/advise
Comment 1 Matthias Geerdsen (RETIRED) gentoo-dev 2005-07-08 02:56:05 UTC
oops... stupid me... reassigning ;-)
Comment 2 Thierry Carrez (RETIRED) gentoo-dev 2005-07-18 05:11:36 UTC
 Version 3.5.4
 -------------
 
 Bugs
 * Fix security hole in include() of language file:
    http://secunia.com/advisories/15941/
   Check now requires that the language filename be in the list
   of known allowed filenames.
 * Fix that functions returning cstring were not being listed
 * Make parsing of PostgreSQL 1-dimensional arrays correct.  Makes
   named function parameter use more reliable.
 * Fix downloading of the results of multiline queries.

Postgres / web-apps peeps: anyone interested in herding that package and bumping
it to the secure version? We'll probably remove it from portage if no one takes it.
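
The 3.5.4 changelog entry quoted in Comment 2 describes the fix as an allowlist check on the language filename. The sketch below is an added example, not part of the bug report and not phpPgAdmin's own code: it shows that kind of check in PHP 8, with the language list, the directory `/srv/app/lang` and the function name `language_file` all assumed for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical allowlist: language key => file name under the language
// directory. Constructed for this example, not phpPgAdmin's real list.
const ALLOWED_LANGUAGES = [
    'english' => 'english.php',
    'german'  => 'german.php',
    'french'  => 'french.php',
];

/**
 * Return the path of the language file to include. Any request value that
 * is not an exact key of the allowlist falls back to the default language.
 */
function language_file(mixed $requested, string $langDir, string $default = 'english'): string
{
    // Arrays (formLanguage[]=x) and other non-strings never match a key.
    $key = is_string($requested) ? $requested : '';

    // Exact, case-sensitive lookup: "../" sequences, NUL bytes, absolute
    // paths and unknown names fail because they are not in the list.
    if (!array_key_exists($key, ALLOWED_LANGUAGES)) {
        $key = $default;
    }

    // The path is built only from values the application defined itself;
    // no part of the request value reaches the filesystem call.
    return rtrim($langDir, '/') . '/' . ALLOWED_LANGUAGES[$key];
}

// Constructed request values, already URL-decoded as PHP delivers them.
$samples = [
    'german',
    "../../../../etc/passwd\0",  // shape of the value quoted in the alert
    '/etc/passwd',
    'German',                    // wrong case: not a key
    ['english'],                 // array instead of string
];

foreach ($samples as $value) {
    printf("%-30s => %s\n", json_encode($value), language_file($value, '/srv/app/lang'));
}
```

Only the first sample resolves to `german.php`; every other value resolves to the default `english.php`. The check does not rely on `magic_quotes_gpc`, which the Debian advisory in Comment 3 names as the precondition for exploitation.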
Comment 3 Thierry Carrez (RETIRED) gentoo-dev 2005-07-18 07:36:30 UTC
--------------------------------------------------------------------------
Debian Security Advisory DSA 759-1                     security@debian.org
http://www.debian.org/security/                             Martin Schulze
July 18th, 2005                         http://www.debian.org/security/faq
--------------------------------------------------------------------------

Package        : phppgadmin
Vulnerability  : missing input sanitising
Problem-Type   : remote
Debian-specific: no
CVE ID         : CAN-2005-2256
BugTraq ID     : 14142

A vulnerability has been discovered in phppgadmin, a set of PHP
scripts to administrate PostgreSQL over the WWW, that can lead to
the disclosure of sensitive information.  Successful exploitation requires that
"magic_quotes_gpc" is disabled.
Comment 4 Renat Lumpau (RETIRED) gentoo-dev 2005-07-18 07:49:06 UTC
mholzer already bumped it to 3.5.4 on 15-Jul-2005
Comment 5 Thierry Carrez (RETIRED) gentoo-dev 2005-07-18 07:53:33 UTC
Oops. In fact it was already in portage.

Arches, please test and mark stable :
Target KEYWORDS="x86 ppc sparc hppa amd64"
Comment 6 Gustavo Zacarias (RETIRED) gentoo-dev 2005-07-18 08:47:30 UTC
sparc stable.
Comment 7 Tobias Scherbaum (RETIRED) gentoo-dev 2005-07-19 04:38:34 UTC
ppc stable
Comment 8 René Nussbaumer (RETIRED) gentoo-dev 2005-07-19 11:26:41 UTC
Stable on hppa
Comment 9 Renat Lumpau (RETIRED) gentoo-dev 2005-07-20 05:15:04 UTC
x86 stable
Comment 10 Danny van Dyk (RETIRED) gentoo-dev 2005-07-20 15:21:33 UTC
Sorry for the delay, stable on amd64.
Comment 11 Stefan Cornelius (RETIRED) gentoo-dev 2005-07-20 15:23:39 UTC
Ready for GLSA vote. I've no opinion yet.
Comment 12 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-07-20 22:15:52 UTC
AFAIR magic_quotes_gpc is enabled by default -> downgrading severity. 
 
I tend to vote NO. 
Comment 13 Stefan Cornelius (RETIRED) gentoo-dev 2005-07-23 05:05:44 UTC
1/2 No.
Comment 14 Thierry Carrez (RETIRED) gentoo-dev 2005-07-26 12:38:17 UTC
1/2 not too... closing.