Bug 108939 - dev-db/phpmyadmin: Local file inclusion
Summary: dev-db/phpmyadmin: Local file inclusion
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
Whiteboard: B2 [glsa] jaervosz
Reported: 2005-10-11 15:33 UTC by Carsten Lohrke (RETIRED)
Modified: 2005-10-17 08:13 UTC
Description Carsten Lohrke (RETIRED) gentoo-dev 2005-10-11 15:33:41 UTC
Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-10-11 22:30:41 UTC
I can't get the PoC to work with my settings though the error messages 
indicate that it is indeed trying to include the file specified. Setting 
status to upstream? pending further confirmation/fix. Web-apps please advise. 
Comment 2 Thierry Carrez (RETIRED) gentoo-dev 2005-10-12 02:32:26 UTC
Confirmed in phpMyAdmin security announcement PMASA-2005-4:

Announcement-ID: PMASA-2005-4
Date: 2005-10-11

Local file inclusion vulnerability

In libraries/grab_globals.lib.php, the $__redirect parameter was not correctly
validated, opening the door to a local file inclusion attack.

We consider this vulnerability to be serious. However, it can be exploited only
on systems not running in PHP safe mode (unless a deliberate hole was opened by
including in open_basedir some paths containing sensitive data).

Affected versions:
phpMyAdmin versions 2.6.4 and 2.6.4-pl1.

Upgrade to phpMyAdmin 2.6.4-pl2 or newer.

web-apps, please bump to 2.6.4-pl2
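The announcement above attributes the hole to a redirect parameter that reached an include without proper validation. The following is an added illustration of the defensive pattern (exact-match allowlisting of the script name before it touches require), not phpMyAdmin's own code; the allowlisted file names and sample inputs are constructed for the example.

```php
<?php
// Added example, not phpMyAdmin code. The original grab_globals.lib.php
// logic is not reproduced on this page, so the check below is illustrative.

// Constructed allowlist of scripts the application is willing to load.
// Entry names are made up for the example, not actual phpMyAdmin files.
const ALLOWED_REDIRECT_TARGETS = [
    'index.php',
    'main.php',
    'db_details.php',
];

/**
 * Return the script name when it is an exact allowlist entry, else null.
 * No path normalisation is attempted: traversal sequences, absolute paths,
 * NUL bytes and stream wrappers (php://, data:) all fail the exact match,
 * so none of them can ever reach the include statement.
 */
function validate_redirect_target(?string $redirect): ?string
{
    if ($redirect === null || $redirect === '') {
        return null;
    }
    return in_array($redirect, ALLOWED_REDIRECT_TARGETS, true) ? $redirect : null;
}

/** Only a validated name is passed to require; everything else is refused. */
function dispatch(string $redirect): void
{
    $target = validate_redirect_target($redirect);
    if ($target === null) {
        throw new RuntimeException('Invalid redirect target');
    }
    require __DIR__ . '/' . $target;
}

// Constructed sample inputs (client-supplied value => expected decision).
$samples = [
    'main.php'                       => 'main.php',
    '../other_dir/file.php'          => null,   // traversal
    '/absolute/path/file.php'        => null,   // absolute path
    "main.php\0.txt"                 => null,   // NUL-byte truncation trick
    'php://filter/resource=main.php' => null,   // stream wrapper
    ''                               => null,   // empty
];

foreach ($samples as $input => $expected) {
    $result = validate_redirect_target($input);
    assert($result === $expected);
    printf("%-35s -> %s\n", addcslashes($input, "\0"), $result ?? 'rejected');
}
```

The PMASA text notes that PHP safe mode or a tight open_basedir limits what such an inclusion can reach; the allowlist above removes the dependency on those runtime settings altogether.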
Comment 3 Martin Holzer (RETIRED) gentoo-dev 2005-10-12 13:48:03 UTC
in cvs
Comment 4 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-10-12 14:01:56 UTC
Thx Martin. 
Arches please test and mark 2.6.4_p2 stable.  
Comment 5 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev 2005-10-13 10:33:13 UTC
Stable on ppc and hppa.
Comment 6 Gustavo Zacarias (RETIRED) gentoo-dev 2005-10-13 11:30:47 UTC
sparc stable.
Comment 7 Jose Luis Rivero (yoswink) (RETIRED) gentoo-dev 2005-10-13 13:17:44 UTC
Stable on alpha ( 2.6.4_p2 )
Comment 8 Dan 2005-10-13 14:52:21 UTC
Works fine for me on x86 except for one odd thing.  Clicking "log out" gives "authentication failed" 
Is this something wonky on my system or can anyone reproduce? 
Comment 9 Mark Loeser (RETIRED) gentoo-dev 2005-10-14 14:31:34 UTC
stable on x86
Comment 10 Marcus D. Hanwell (RETIRED) gentoo-dev 2005-10-16 09:21:11 UTC
Stable on amd64, sorry for the delay. 
Comment 11 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-10-17 08:13:28 UTC
GLSA 200510-16