SecurityTracker.com
Category:   Application (Database)  >   phpMyAdmin
Vendors:   phpWizard.net
phpMyAdmin Administration Tool for MySQL Allows Remote Users to Execute Commands on the Server
SecurityTracker Alert ID:  1001411
SecurityTracker URL:  http://securitytracker.com/id/1001411
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Apr 23 2001
Impact:   Execution of arbitrary code via network

Version(s): phpMyAdmin 2.1.0
Description:   A vulnerability has been reported by Secure Reality in phpMyAdmin, an administration tool for MySQL. The hole reportedly allows a remote user to execute commands on the server without authentication.

The report notes that all versions prior to v2.1.0 are likely to be vulnerable but were not tested.

No other details were provided in this preliminary advisory.

Impact:   A remote user could execute commands on the phpMyAdmin server.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.phpwizard.net
Cause:   Access control error
Underlying OS:   Linux (Any), UNIX (Any)

Message History:   None.


 Source Message Contents

Date:  Tue, 24 Apr 2001 00:15:00 +1000
Subject:  (SRPRE00001) phpMyAdmin 2.1.0 and phpPgAdmin 2.2.1


=================================================
Secure Reality Pty Ltd. Security Pre-Advisory #1 (SRPRE00001)
http://www.securereality.com.au
=================================================

[Title]
Remote command execution vulnerabilities in phpMyAdmin and phpPgAdmin

[Released]
23/4/2001

This is a pre-release. This vulnerability will be discussed in detail during
Shaun Clowes' speech at the Black Hat briefings in Asia in the week of the
23rd of April. A full advisory will be issued following the conference.

[Vulnerable]
phpMyAdmin 2.1.0
phpPgAdmin 2.2.1

All prior versions are almost certainly vulnerable but not tested

[Impact]
Remote command execution by unauthenticated remote users

[Fix]
The Authors have not yet been able to correct the issues in mainstream
versions. SecureReality is providing patches for the problems, no liability
for the performance or effectiveness of these patches is accepted.

phpPgAdmin 2.2.1:
http://www.securereality.com.au/patches/phpPgAdmin-SecureReality.diff
phpMyAdmin 2.2.0:
http://www.securereality.com.au/patches/phpMyAdmin-SecureReality.diff

Users of earlier versions are advised to upgrade to the versions specified
then apply the patches.

To apply the patches:
 - cd to the directory in which the application files are stored (e.g
   /home/httpd/html/phpMyAdmin/)
 - run 'patch -p0 < *Path to patch filename*'

[Disclaimer] Advice, directions and instructions on security
vulnerabilities in this advisory do not constitute: an endorsement of
illegal behavior; a guarantee that protection measures will work; an
endorsement of any product or solution or recommendations on behalf of
Secure Reality Pty Ltd. Content is provided as is and Secure Reality
Pty Ltd does not accept responsibility for any damage or injury caused
as a result of its use.
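
The patch procedure in the message above, wrapped with a dry run and a backup, as an added example that is not part of the original advisory or of Secure Reality's patches. The function name, the BACKUP_DIR parameter and the backup path in the usage comment are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: dry-run the diff, back up the tree, then apply it.
#
# apply_patch_checked APP_DIR PATCH_FILE BACKUP_DIR
#   returns 0 = applied
#           1 = patch does not apply cleanly (nothing was changed)
#           2 = bad arguments or backup failure
# BACKUP_DIR is a hypothetical parameter; it must not exist yet.
apply_patch_checked() {
    app_dir=$1 patch_file=$2 backup_dir=$3
    [ -d "$app_dir" ] && [ -f "$patch_file" ] && [ -n "$backup_dir" ] || return 2
    [ ! -e "$backup_dir" ] || return 2

    # Make the patch path absolute, because we cd before reading it.
    case $patch_file in
        /*) ;;
        *)  patch_file=$(pwd)/$patch_file ;;
    esac

    # Dry run from inside the application directory, which is where the
    # advisory's 'patch -p0' step is run. -N refuses an already-applied
    # patch instead of prompting to reverse it.
    (cd "$app_dir" && patch -p0 -N --dry-run < "$patch_file" >/dev/null 2>&1) || return 1

    # Copy the pre-patch tree to a location outside the web root.
    # 'patch -b' would instead leave *.orig copies beside the PHP files,
    # where a web server may serve them as plain text.
    cp -Rp "$app_dir" "$backup_dir" || return 2

    # Real run, same options as the dry run.
    (cd "$app_dir" && patch -p0 -N < "$patch_file" >/dev/null)
}

# Usage (backup path is a constructed placeholder):
#   apply_patch_checked /home/httpd/html/phpMyAdmin \
#       ./phpMyAdmin-SecureReality.diff /root/phpMyAdmin.pre-patch
```

A return value of 1 means the tree does not match what the diff expects, for example because the installed version differs from the one the patch was written for.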
