Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Wed, 29 Jun 2011 15:52:32 -0400 (EDT)
From: Josh Bressers <bressers@...hat.com>
To: oss-security@...ts.openwall.com
Cc: coley <coley@...re.org>
Subject: Re: CVE Request: phpMyAdmin 3.4 Multiple
 Vulnerabilities

This sounds like 4 issues. It's possible it's less, but I suspect duping
will be less work than splitting in the future. IDs below.

----- Original Message -----
> Hi.
> I've found a bunch of vulnerabilities in the latest release of
> phpMyAdmin.
> 
> Vuln 1:
> Any variable in the super global $_SESSION array can be overwritten or
> created with an arbitrate value.

CVE-2011-2505

> 
> Vuln 2:
> A (common) misconfiguration of phpMyAdmin allows content from the
> $_SESSION
> array can be written to a .php-file.
> Combined with Vuln 1 this becomes a conditional remote code execution.

CVE-2011-2506

> 
> Vuln 3:
> Content from the $_SESSION array are (post authentication) used as
> input to
> a function that can execute PHP code.
> Under the current circumstances a previously unknown null byte string
> truncation in this function is used.
> I have only been able to reproduce this string truncation on PHP
> 5.2.13
> running on Windows 7 and I've failed to reproduce it on PHP 5.2.13
> running
> on OpenBSD 4.7 and PHP 5.2.17 running on Linux 2.6.18. I do lack
> the necessary C++ debugging skills to find out why this only works on
> my
> windows box.
> Combined with Vuln 1 this becomes an authenticated remote code
> execution.

CVE-2011-2507

> 
> Vuln 4:
> Under a certain configuration an authenticated attacker can include a
> local
> file and interpret it's content as PHP.
> By modifying values in the $_SESSION array a cache holding the
> required
> configuration option can be temporarily altered during run time.
> If combined with Vuln 1 all configurations are vulnerable to this
> authenticated local file inclusion.
> 

CVE-2011-2508

Thanks.

-- 
    JB

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ