Vulnerabilities > CVE-2004-1148 - Unspecified vulnerability in PHPmyadmin

047910
CVSS 5.0 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
NONE
Availability impact
NONE
network
low complexity
phpmyadmin
nessus

Summary

phpMyAdmin before 2.6.1, when configured with UploadDir functionality, allows remote attackers to read arbitrary files via the sql_localfile parameter.

Nessus

  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-200412-19.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-200412-19 (phpMyAdmin: Multiple vulnerabilities) Nicolas Gregoire (exaprobe.com) has discovered two vulnerabilities that exist only on a webserver where PHP safe_mode is off. These vulnerabilities could lead to command execution or file disclosure. Impact : On a system where external MIME-based transformations are enabled, an attacker can insert offensive values in MySQL, which would start a shell when the data is browsed. On a system where the UploadDir is enabled, read_dump.php could use the unsanitized sql_localfile variable to disclose a file. Workaround : You can temporarily enable PHP safe_mode or disable external MIME-based transformation AND disable the UploadDir. But instead, we strongly advise to update your version to 2.6.1_rc1.
    last seen2020-06-01
    modified2020-06-02
    plugin id16006
    published2004-12-20
    reporterThis script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/16006
    titleGLSA-200412-19 : phpMyAdmin: Multiple vulnerabilities
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Gentoo Linux Security Advisory GLSA 200412-19.
    #
    # The advisory text is Copyright (C) 2001-2018 Gentoo Foundation, Inc.
    # and licensed under the Creative Commons - Attribution / Share Alike 
    # license. See http://creativecommons.org/licenses/by-sa/3.0/
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(16006);
      script_version("1.17");
      script_cvs_date("Date: 2019/08/02 13:32:42");
    
      script_cve_id("CVE-2004-1147", "CVE-2004-1148");
      script_xref(name:"GLSA", value:"200412-19");
    
      script_name(english:"GLSA-200412-19 : phpMyAdmin: Multiple vulnerabilities");
      script_summary(english:"Checks for updated package(s) in /var/db/pkg");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Gentoo host is missing one or more security-related
    patches."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "The remote host is affected by the vulnerability described in GLSA-200412-19
    (phpMyAdmin: Multiple vulnerabilities)
    
        Nicolas Gregoire (exaprobe.com) has discovered two vulnerabilities
        that exist only on a webserver where PHP safe_mode is off. These
        vulnerabilities could lead to command execution or file disclosure.
      
    Impact :
    
        On a system where external MIME-based transformations are enabled,
        an attacker can insert offensive values in MySQL, which would start a
        shell when the data is browsed. On a system where the UploadDir is
        enabled, read_dump.php could use the unsanitized sql_localfile variable
        to disclose a file.
      
    Workaround :
    
        You can temporarily enable PHP safe_mode or disable external
        MIME-based transformation AND disable the UploadDir. But instead, we
        strongly advise to update your version to 2.6.1_rc1."
      );
      # http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2004-4
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.phpmyadmin.net/security/PMASA-2004-4/"
      );
      # http://www.exaprobe.com/labs/advisories/esa-2004-1213.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?8c2304be"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security.gentoo.org/glsa/200412-19"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "All phpMyAdmin users should upgrade to the latest version:
        # emerge --sync
        # emerge --ask --oneshot --verbose '>=dev-db/phpmyadmin-2.6.1_rc1'"
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:phpmyadmin");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2004/12/19");
      script_set_attribute(attribute:"plugin_publication_date", value:"2004/12/20");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Gentoo Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("qpkg.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo");
    if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    
    if (qpkg_check(package:"dev-db/phpmyadmin", unaffected:make_list("ge 2.6.1_rc1"), vulnerable:make_list("lt 2.6.1_rc1"))) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = qpkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "phpMyAdmin");
    }
    
  • NASL familyFreeBSD Local Security Checks
    NASL idFREEBSD_PKG_9F0A405E4EDD11D9A9E70001020EED82.NASL
    descriptionA phpMyAdmin security announcement reports : File disclosure: on systems where the UploadDir mecanism is active, read_dump.php can be called with a crafted form; using the fact that the sql_localfile variable is not sanitized can lead to a file disclosure. Enabling PHP safe mode on the server can be used as a workaround for this vulnerability.
    last seen2020-06-01
    modified2020-06-02
    plugin id19051
    published2005-07-13
    reporterThis script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/19051
    titleFreeBSD : phpmyadmin -- file disclosure vulnerability (9f0a405e-4edd-11d9-a9e7-0001020eed82)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from the FreeBSD VuXML database :
    #
    # Copyright 2003-2018 Jacques Vidrine and contributors
    #
    # Redistribution and use in source (VuXML) and 'compiled' forms (SGML,
    # HTML, PDF, PostScript, RTF and so forth) with or without modification,
    # are permitted provided that the following conditions are met:
    # 1. Redistributions of source code (VuXML) must retain the above
    #    copyright notice, this list of conditions and the following
    #    disclaimer as the first lines of this file unmodified.
    # 2. Redistributions in compiled form (transformed to other DTDs,
    #    published online in any format, converted to PDF, PostScript,
    #    RTF and other formats) must reproduce the above copyright
    #    notice, this list of conditions and the following disclaimer
    #    in the documentation and/or other materials provided with the
    #    distribution.
    # 
    # THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS "AS IS"
    # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
    # THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
    # PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS
    # BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
    # OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
    # OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
    # BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
    # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
    # OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,
    # EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(19051);
      script_version("1.17");
      script_cvs_date("Date: 2019/08/02 13:32:36");
    
      script_cve_id("CVE-2004-1148");
    
      script_name(english:"FreeBSD : phpmyadmin -- file disclosure vulnerability (9f0a405e-4edd-11d9-a9e7-0001020eed82)");
      script_summary(english:"Checks for updated package in pkg_info output");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote FreeBSD host is missing a security-related update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "A phpMyAdmin security announcement reports :
    
    File disclosure: on systems where the UploadDir mecanism is active,
    read_dump.php can be called with a crafted form; using the fact that
    the sql_localfile variable is not sanitized can lead to a file
    disclosure.
    
    Enabling PHP safe mode on the server can be used as a workaround for
    this vulnerability."
      );
      # http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2004-4
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.phpmyadmin.net/security/PMASA-2004-4/"
      );
      # http://www.exaprobe.com/labs/advisories/esa-2004-1213.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?8c2304be"
      );
      # https://vuxml.freebsd.org/freebsd/9f0a405e-4edd-11d9-a9e7-0001020eed82.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?498ac174"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected package.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:phpMyAdmin");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:freebsd:freebsd");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2004/12/13");
      script_set_attribute(attribute:"patch_publication_date", value:"2004/12/15");
      script_set_attribute(attribute:"plugin_publication_date", value:"2005/07/13");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"FreeBSD Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/FreeBSD/release", "Host/FreeBSD/pkg_info");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("freebsd_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/FreeBSD/release")) audit(AUDIT_OS_NOT, "FreeBSD");
    if (!get_kb_item("Host/FreeBSD/pkg_info")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    
    if (pkg_test(save_report:TRUE, pkg:"phpMyAdmin<2.6.1.r1")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:pkg_report_get());
      else security_warning(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familyCGI abuses
    NASL idPHPMYADMIN_VARIOUS_ISSUES.NASL
    descriptionAccording to its banner, the remote version of phpMyAdmin is vulnerable to one (or both) of the following flaws : - An attacker may be able to exploit this software to execute arbitrary commands on the remote host on a server which does not run PHP in safe mode. - An attacker may be able to read arbitrary files on the remote host through the argument
    last seen2020-06-01
    modified2020-06-02
    plugin id15948
    published2004-12-13
    reporterThis script is Copyright (C) 2004-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/15948
    titlephpMyAdmin < 2.6.1-rc1 Multiple Remote Vulnerabilities
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    
    
    include("compat.inc");
    
    if (description)
    {
     script_id(15948);
     script_version("1.17");
     script_cvs_date("Date: 2018/11/15 20:50:18");
    
     script_bugtraq_id(11886);
     script_cve_id("CVE-2004-1147", "CVE-2004-1148");
    
     script_name(english:"phpMyAdmin < 2.6.1-rc1 Multiple Remote Vulnerabilities");
     script_summary(english:"Checks the version of phpMyAdmin");
     
     script_set_attribute(attribute:"synopsis", value:
    "The remote web server contains a PHP application that is affected by
    multiple vulnerabilities." );
     script_set_attribute(attribute:"description", value:
    "According to its banner, the remote version of phpMyAdmin is
    vulnerable to one (or both) of the following flaws :
    
    - An attacker may be able to exploit this software to execute
    arbitrary commands on the remote host on a server which does not run
    PHP in safe mode. 
    
    - An attacker may be able to read arbitrary files on the remote host
    through the argument 'sql_localfile' of the file 'read_dump.php'." );
     # http://web.archive.org/web/20051227082942/http://www.exaprobe.com/labs/advisories/esa-2004-1213.html
     script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?31ea48ff" );
     script_set_attribute(attribute:"see_also", value:"https://seclists.org/bugtraq/2004/Dec/114" );
     script_set_attribute(attribute:"see_also", value:"http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2004-4" );
     script_set_attribute(attribute:"solution", value:
    "Upgrade to phpMyAdmin version 2.6.1-rc1 or later." );
     script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P");
     script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
     script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
     script_set_attribute(attribute:"exploit_available", value:"false");
    
    
     script_set_attribute(attribute:"plugin_publication_date", value: "2004/12/13");
     script_set_attribute(attribute:"vuln_publication_date", value: "2004/12/13");
     script_set_attribute(attribute:"plugin_type", value:"remote");
     script_set_attribute(attribute:"cpe", value:"cpe:/a:phpmyadmin:phpmyadmin");
     script_end_attributes();
    
     script_category(ACT_GATHER_INFO);
     script_copyright(english:"This script is Copyright (C) 2004-2018 Tenable Network Security, Inc.");
     script_family(english:"CGI abuses");
    
     script_dependencie("phpMyAdmin_detect.nasl");
     script_exclude_keys("Settings/disable_cgi_scanning");
     script_require_keys("www/phpMyAdmin", "www/PHP");
     script_require_ports("Services/www", 80);
     exit(0);
    }
    
    # Check starts here
    
    include("global_settings.inc");
    include("misc_func.inc");
    include("http.inc");
    
    port = get_http_port(default:80, php:TRUE);
    kb   = get_kb_item("www/" + port + "/phpMyAdmin");
    if ( ! kb ) exit(0);
    matches = eregmatch(pattern:"(.*) under (.*)", string:kb);
    # Only 2.4.0 to 2.6.0plX affected
    if (matches[1] && ereg(pattern:"^(2\.[45]\..*|2\.6\.0|2\.6\.0-pl)", string:matches[1]))
    	security_warning(port);