From: Angus (listsTTDproduction.com)
Date: Mon Jul 02 2001 - 05:49:16 CDT


    (sorry if you receive this message twice).

    About the phpMyAdmin exploit:

    It doesn't work with my configuration:
    I'm using phpMyAdmin 2.1.0 and I've modified sql.php3 and
    tbl_replace.php3 to correct a previous bug (I'm also using adv_auth).

    ** sql.php3 **
    if($num_rows < 1)
    {
        if(file_exists("./$goto"))
        {
            include("header.inc.php3");
            if(isset($zero_rows) && !empty($zero_rows))
                $message = $zero_rows;
            else
                $message = $strEmptyResultSet;
            include(preg_replace('/\.\.*/', '.', $goto));
        }

    instead of:

    if(file_exists("$goto"))
    ...

    Regards,
    Such Paul

    > I. The phpMyAdmin 2.1.0 holes
    >
    > There are two include() holes in phpMyAdmin 2.1.0 - this is the latest
    > version, but it may work on the older ones.
    > These two holes can be reached with something like this:
    >
    > http://www.victim.com/phpMyAdmin/sql.php?goto=/etc/passwd&btnDrop=No (*)
    > and
    > http://www.victim.com/phpMyAdmin/tbl_replace.php?db=test&table=ess&goto=/etc/passwd
    >
    > Of course, to exploit these holes, the attacker needs to be logged on
    > to the remote phpMyAdmin.
    >
    > These holes come from a line like this: 'include($goto);' in sql.php
    > and in tbl_replace.php.
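
An allowlist-based alternative to filtering `$goto`, as an added example that is not part of the original post or of phpMyAdmin's code. `resolve_goto()` and `ALLOWED_GOTO` are hypothetical names, the file list and the temporary directory are constructed for the demo, and PHP 7.1 or later is assumed.

```php
<?php
// Added example: map a user-supplied $goto to a script that is safe to include().
// ALLOWED_GOTO and resolve_goto() are hypothetical; the file list is constructed.
const ALLOWED_GOTO = ['sql.php3', 'tbl_replace.php3'];

/**
 * Return the absolute path to include for $goto, or null if it must be rejected.
 * The string that is checked is the same string that is later included.
 */
function resolve_goto(string $goto, string $baseDir): ?string
{
    // 1. Exact-match allowlist: anything with a separator, "..", or an
    //    absolute path can never equal one of the permitted script names.
    if (!in_array($goto, ALLOWED_GOTO, true)) {
        return null;
    }

    // 2. Canonicalise and confirm the target really lives under $baseDir
    //    (covers a permitted name that is a symlink pointing elsewhere).
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $goto);
    if ($base === false || $path === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

// Constructed demo: a throwaway directory standing in for the install directory.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'goto_demo_' . getmypid();
mkdir($dir);
foreach (['sql.php3', 'tbl_replace.php3', 'header.inc.php3'] as $f) {
    file_put_contents($dir . DIRECTORY_SEPARATOR . $f, "<?php // stub\n");
}

// Constructed inputs: one permitted script, the value from the quoted report,
// a parent-directory form, an existing but non-permitted file, and an empty value.
$samples = ['sql.php3', '/etc/passwd', '../../etc/passwd', 'header.inc.php3', ''];
foreach ($samples as $goto) {
    $path = resolve_goto($goto, $dir);
    $verdict = $path === null ? 'rejected' : 'include ' . basename($path);
    printf("%-22s => %s\n", var_export($goto, true), $verdict);
}

array_map('unlink', glob($dir . DIRECTORY_SEPARATOR . '*'));
rmdir($dir);
```

In the calling script, `include()` would be given only the value returned by `resolve_goto()`, never the raw request parameter.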