CVE-2005-3300 - Unspecified vulnerability in phpMyAdmin 2.6.4-pl3

CVSS 0.0 - NONE
Attack vector: UNKNOWN
Attack complexity: UNKNOWN
Privileges required: UNKNOWN
Confidentiality impact: UNKNOWN
Integrity impact: UNKNOWN
Availability impact: UNKNOWN
phpmyadmin
nessus

Summary

The register_globals emulation layer in grab_globals.php for phpMyAdmin before 2.6.4-pl3 does not perform safety checks on values in the _FILES array for uploaded files, which allows remote attackers to include arbitrary files by using direct requests to library scripts that do not use grab_globals.php, then modifying certain configuration values for the theme.

Vulnerable Configurations

Part         Description  Count
Application  Phpmyadmin   1

Nessus

  • NASL family: Gentoo Local Security Checks
    NASL id: GENTOO_GLSA-200510-21.NASL
    description: The remote host is affected by the vulnerability described in GLSA-200510-21 (phpMyAdmin: Local file inclusion and XSS vulnerabilities) Stefan Esser discovered that by calling certain PHP files directly, it was possible to work around the grab_globals.lib.php security model and overwrite the $cfg configuration array. Systems running PHP in safe mode are not affected. Furthermore, Tobias Klein reported several cross-site-scripting issues resulting from insufficient user input sanitizing. Impact : A local attacker may exploit this vulnerability by sending malicious requests, causing the execution of arbitrary code with the rights of the user running the web server. Furthermore, the cross-site scripting issues give a remote attacker the ability to inject and execute malicious script code or to steal cookie-based authentication credentials, potentially compromising the victim
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 20103
    published: 2005-10-28
    reporter: This script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/20103
    title: GLSA-200510-21 : phpMyAdmin: Local file inclusion and XSS vulnerabilities
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Gentoo Linux Security Advisory GLSA 200510-21.
    #
    # The advisory text is Copyright (C) 2001-2018 Gentoo Foundation, Inc.
    # and licensed under the Creative Commons - Attribution / Share Alike 
    # license. See http://creativecommons.org/licenses/by-sa/3.0/
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(20103);
      script_version("1.15");
      script_cvs_date("Date: 2019/08/02 13:32:42");
    
      script_cve_id("CVE-2005-3300", "CVE-2005-3301");
      script_bugtraq_id(15169);
      script_xref(name:"GLSA", value:"200510-21");
    
      script_name(english:"GLSA-200510-21 : phpMyAdmin: Local file inclusion and XSS vulnerabilities");
      script_summary(english:"Checks for updated package(s) in /var/db/pkg");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Gentoo host is missing one or more security-related
    patches."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "The remote host is affected by the vulnerability described in GLSA-200510-21
    (phpMyAdmin: Local file inclusion and XSS vulnerabilities)
    
        Stefan Esser discovered that by calling certain PHP files directly, it
        was possible to work around the grab_globals.lib.php security model and
        overwrite the $cfg configuration array. Systems running PHP in safe
        mode are not affected. Furthermore, Tobias Klein reported several
        cross-site-scripting issues resulting from insufficient user input
        sanitizing.
      
    Impact :
    
        A local attacker may exploit this vulnerability by sending malicious
        requests, causing the execution of arbitrary code with the rights of
        the user running the web server. Furthermore, the cross-site scripting
        issues give a remote attacker the ability to inject and execute
        malicious script code or to steal cookie-based authentication
        credentials, potentially compromising the victim's browser.
      
    Workaround :
    
        There is no known workaround for all those issues at this time."
      );
      # http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2005-5
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.phpmyadmin.net/security/PMASA-2005-5/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security.gentoo.org/glsa/200510-21"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "All phpMyAdmin users should upgrade to the latest version:
        # emerge --sync
        # emerge --ask --oneshot --verbose '>=dev-db/phpmyadmin-2.6.4_p3'"
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:phpmyadmin");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2005/10/25");
      script_set_attribute(attribute:"plugin_publication_date", value:"2005/10/28");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Gentoo Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("qpkg.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo");
    if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    
    if (qpkg_check(package:"dev-db/phpmyadmin", unaffected:make_list("ge 2.6.4_p3"), vulnerable:make_list("lt 2.6.4_p3"))) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:qpkg_report_get());
      else security_warning(0);
      exit(0);
    }
    else
    {
      tested = qpkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "phpMyAdmin");
    }
    
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_SA_2005_066.NASL
    description: The remote host is missing the patch for the advisory SUSE-SA:2005:066 (phpMyAdmin). The MySQL configuration frontend phpMyAdmin was updated to fix the following security problems which can be remotely exploited: - Multiple cross-site scripting (XSS) bugs (CVE-2005-3301, CVE-2005-2869, PMASA-2005-5). - Multiple file inclusion vulnerabilities that allowed an attacker to include arbitrary files (CVE-2005-3300, CVE-2005-3301, PMASA-2005-5).
    last seen: 2019-10-28
    modified: 2005-11-21
    plugin id: 20240
    published: 2005-11-21
    reporter: This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/20240
    title: SUSE-SA:2005:066: phpMyAdmin
  • NASL family: CGI abuses
    NASL id: PHPMYADMIN_264PL3.NASL
    description: The version of phpMyAdmin installed on the remote host is affected by a local file inclusion vulnerability that can be exploited by an unauthenticated attacker to read arbitrary files, and possibly even to execute arbitrary PHP code on the affected host subject to the permissions of the web server user id. In addition, the application fails to sanitize user-supplied input to the
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 20088
    published: 2005-10-26
    reporter: This script is Copyright (C) 2005-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/20088
    title: phpMyAdmin < 2.6.4-pl3 Multiple Vulnerabilities
  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DSA-880.NASL
    description: Several cross-site scripting vulnerabilities have been discovered in phpmyadmin, a set of PHP-scripts to administrate MySQL over the WWW. The Common Vulnerabilities and Exposures project identifies the following problems : - CAN-2005-2869 Andreas Kerber and Michal Cihar discovered several cross-site scripting vulnerabilities in the error page and in the cookie login. - CVE-2005-3300 Stefan Esser discovered missing safety checks in grab_globals.php that could allow an attacker to induce phpmyadmin to include an arbitrary local file. - CVE-2005-3301 Tobias Klein discovered several cross-site scripting vulnerabilities that could allow attackers to inject arbitrary HTML or client-side scripting. The version in the old stable distribution (woody) has probably its own flaws and is not easily fixable without a full audit and patch session. The easier way is to upgrade it from woody to sarge.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 22746
    published: 2006-10-14
    reporter: This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/22746
    title: Debian DSA-880-1 : phpmyadmin - several vulnerabilities