| Summary: | dev-db/phpmyadmin: Local file inclusion | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Carsten Lohrke (RETIRED) <carlo> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | ||
| Severity: | normal | CC: | web-apps |
| Priority: | High | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2005-4 | ||
| Whiteboard: | B2 [glsa] jaervosz | ||
| Package list: | Runtime testing required: | --- | |
|
Description
Carsten Lohrke (RETIRED)
2005-10-11 15:33:41 UTC
I can't get the PoC to work with my settings though the error messages indicate that it is indeed trying to include the file specified. Setting status to upstream? pending further confirmation/fix. Web-apps please advise. Confirmed in phpMyAdmin security announcement PMASA-2005-4 : ============================================== Announcement-ID: PMASA-2005-4 Date: 2005-10-11 Summary: Local file inclusion vulnerability Description: In libraries/grab_globals.lib.php, the $__redirect parameter was not correctly validated, opening the door to a local file inclusion attack. Severity: We consider this vulnerability to be serious. However, it can be exploited only on systems not running in PHP safe mode (unless a deliberate hole was opened by including in open_basedir some paths containing sensitive data). Affected versions: phpMyAdmin versions 2.6.4 and 2.6.4-pl1. Solution: Upgrade to phpMyAdmin 2.6.4-pl2 or newer. =============================================== web-apps, please bump to 2.6.4-pl2 in cvs Thx Martin. Arches please test and mark 2.6.4_p2 stable. Stable on ppc and hppa. sparc stable. Stable on alpha ( 2.6.4_p2 ) Works fine for me on x86 except for one odd thing. Clicking "log out" gives "authentication failed" Is this something wonky on my system or can anyone reproduce? stable on x86 Stable on amd64, sorry for the delay. GLSA 200510-16 |