CVE-2005-3300 - Unspecified vulnerability in PHPmyadmin 2.6.4Pl3
- Attack vector: UNKNOWN
- Attack complexity: UNKNOWN
- Privileges required: UNKNOWN
- Confidentiality impact: UNKNOWN
- Integrity impact: UNKNOWN
- Availability impact: UNKNOWN

phpmyadmin
nessus
Summary
The register_globals emulation layer in grab_globals.php for phpMyAdmin before 2.6.4-pl3 does not perform safety checks on values in the _FILES array for uploaded files, which allows remote attackers to include arbitrary files by using direct requests to library scripts that do not use grab_globals.php, then modifying certain configuration values for the theme.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | | 1 |
Nessus
- NASL family: Gentoo Local Security Checks
- NASL id: GENTOO_GLSA-200510-21.NASL
- description: The remote host is affected by the vulnerability described in GLSA-200510-21 (phpMyAdmin: Local file inclusion and XSS vulnerabilities) Stefan Esser discovered that by calling certain PHP files directly, it was possible to work around the grab_globals.lib.php security model and overwrite the $cfg configuration array. Systems running PHP in safe mode are not affected. Furthermore, Tobias Klein reported several cross-site-scripting issues resulting from insufficient user input sanitizing. Impact : A local attacker may exploit this vulnerability by sending malicious requests, causing the execution of arbitrary code with the rights of the user running the web server. Furthermore, the cross-site scripting issues give a remote attacker the ability to inject and execute malicious script code or to steal cookie-based authentication credentials, potentially compromising the victim
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 20103
- published: 2005-10-28
- reporter: This script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
- source: https://www.tenable.com/plugins/nessus/20103
- title: GLSA-200510-21 : phpMyAdmin: Local file inclusion and XSS vulnerabilities
- code:

```
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Gentoo Linux Security Advisory GLSA 200510-21.
#
# The advisory text is Copyright (C) 2001-2018 Gentoo Foundation, Inc.
# and licensed under the Creative Commons - Attribution / Share Alike
# license. See http://creativecommons.org/licenses/by-sa/3.0/
#

include("compat.inc");

if (description)
{
  script_id(20103);
  script_version("1.15");
  script_cvs_date("Date: 2019/08/02 13:32:42");

  script_cve_id("CVE-2005-3300", "CVE-2005-3301");
  script_bugtraq_id(15169);
  script_xref(name:"GLSA", value:"200510-21");

  script_name(english:"GLSA-200510-21 : phpMyAdmin: Local file inclusion and XSS vulnerabilities");
  script_summary(english:"Checks for updated package(s) in /var/db/pkg");

  script_set_attribute(
    attribute:"synopsis",
    value:
"The remote Gentoo host is missing one or more security-related
patches."
  );
  script_set_attribute(
    attribute:"description",
    value:
"The remote host is affected by the vulnerability described in GLSA-200510-21
(phpMyAdmin: Local file inclusion and XSS vulnerabilities)
Stefan Esser discovered that by calling certain PHP files directly, it
was possible to workaround the grab_globals.lib.php security model and
overwrite the $cfg configuration array. Systems running PHP in safe
mode are not affected. Futhermore, Tobias Klein reported several
cross-site-scripting issues resulting from insufficient user input
sanitizing.
Impact :
A local attacker may exploit this vulnerability by sending malicious
requests, causing the execution of arbitrary code with the rights of
the user running the web server. Furthermore, the cross-site scripting
issues give a remote attacker the ability to inject and execute
malicious script code or to steal cookie-based authentication
credentials, potentially compromising the victim's browser.
Workaround :
There is no known workaround for all those issues at this time."
  );
  # http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2005-5
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.phpmyadmin.net/security/PMASA-2005-5/"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security.gentoo.org/glsa/200510-21"
  );
  script_set_attribute(
    attribute:"solution",
    value:
"All phpMyAdmin users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose '>=dev-db/phpmyadmin-2.6.4_p3'"
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:phpmyadmin");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux");

  script_set_attribute(attribute:"patch_publication_date", value:"2005/10/25");
  script_set_attribute(attribute:"plugin_publication_date", value:"2005/10/28");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Gentoo Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("qpkg.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo");
if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

flag = 0;

if (qpkg_check(package:"dev-db/phpmyadmin", unaffected:make_list("ge 2.6.4_p3"), vulnerable:make_list("lt 2.6.4_p3"))) flag++;

if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:qpkg_report_get());
  else security_warning(0);
  exit(0);
}
else
{
  tested = qpkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "phpMyAdmin");
}
```

- NASL family: SuSE Local Security Checks
- NASL id: SUSE_SA_2005_066.NASL
- description: The remote host is missing the patch for the advisory SUSE-SA:2005:066 (phpMyAdmin). The MySQL configuration frontend phpMyAdmin was updated to fix the following security problems which can be remotely exploited:
  - Multiple cross-site scripting (XSS) bugs (CVE-2005-3301, CVE-2005-2869, PMASA-2005-5).
  - Multiple file inclusion vulnerabilities that allowed an attacker to include arbitrary files (CVE-2005-3300, CVE-2005-3301, PMASA-2005-5).
- last seen: 2019-10-28
- modified: 2005-11-21
- plugin id: 20240
- published: 2005-11-21
- reporter: This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.
- source: https://www.tenable.com/plugins/nessus/20240
- title: SUSE-SA:2005:066: phpMyAdmin

- NASL family: CGI abuses
- NASL id: PHPMYADMIN_264PL3.NASL
- description: The version of phpMyAdmin installed on the remote host is affected by a local file inclusion vulnerability that can be exploited by an unauthenticated attacker to read arbitrary files, and possibly even to execute arbitrary PHP code on the affected host subject to the permissions of the web server user id. In addition, the application fails to sanitize user-supplied input to the
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 20088
- published: 2005-10-26
- reporter: This script is Copyright (C) 2005-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
- source: https://www.tenable.com/plugins/nessus/20088
- title: phpMyAdmin < 2.6.4-pl3 Multiple Vulnerabilities

- NASL family: Debian Local Security Checks
- NASL id: DEBIAN_DSA-880.NASL
- description: Several cross-site scripting vulnerabilities have been discovered in phpmyadmin, a set of PHP-scripts to administrate MySQL over the WWW. The Common Vulnerabilities and Exposures project identifies the following problems :
  - CAN-2005-2869 Andreas Kerber and Michal Cihar discovered several cross-site scripting vulnerabilities in the error page and in the cookie login.
  - CVE-2005-3300 Stefan Esser discovered missing safety checks in grab_globals.php that could allow an attacker to induce phpmyadmin to include an arbitrary local file.
  - CVE-2005-3301 Tobias Klein discovered several cross-site scripting vulnerabilities that could allow attackers to inject arbitrary HTML or client-side scripting.

  The version in the old stable distribution (woody) has probably its own flaws and is not easily fixable without a full audit and patch session. The easier way is to upgrade it from woody to sarge.
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 22746
- published: 2006-10-14
- reporter: This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.
- source: https://www.tenable.com/plugins/nessus/22746
- title: Debian DSA-880-1 : phpmyadmin - several vulnerabilities
References
- http://www.hardened-php.net/advisory_162005.73.html
- http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2005-5
- http://archives.neohapsis.com/archives/fulldisclosure/2005-10/0478.
- http://www.gentoo.org/security/en/glsa/glsa-200510-21.xml
- http://secunia.com/advisories/17289/
- http://www.debian.org/security/2005/dsa-880
- http://www.securityfocus.com/bid/15169
- http://securitytracker.com/id?1015091
- http://secunia.com/advisories/17337
- http://www.novell.com/linux/security/advisories/2005_28_sr.html
- http://secunia.com/advisories/17559
- http://www.novell.com/linux/security/advisories/2005_66_phpmyadmin.html
- http://secunia.com/advisories/17607
- http://marc.info/?l=bugtraq&m=113017591414699&w=2
- https://exchange.xforce.ibmcloud.com/vulnerabilities/22835