OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: Asher Glynn (asherSECUREREALITY.COM.AU)
Date: Mon Apr 23 2001 - 09:15:00 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    =================================================
    Secure Reality Pty
    Ltd. Security Pre-Advisory #1 (SRPRE00001)
    http://www.securereality.com.au
    =================================================

    [Title]
    Remote command execution vulnerabilities in phpMyAdmin and phpPgAdmin

    [Released]
    23/4/2001

    This is a pre-release. This vulnerability will be discussed in detail during
    Shaun Clowes' speech at the Black Hat briefings in Asia in the week of the
    23rd of April. A full advisory will be issued following the conference

    [Vulnerable]
    phpMyAdmin 2.1.0
    phpPgAdmin 2.2.1

    All prior versions are almost certainly vulnerable but not tested

    [Impact]
    Remote command execution by unauthenticated remote users

    [Fix]
    The Authors have not yet been able to correct the issues in mainstream
    versions. SecureReality is providing patches for the problems, no liability
    for the performance or effectiveness of these patches is accepted.

    phpPgAdmin 2.2.1:
    http://www.securereality.com.au/patches/phpPgAdmin-SecureReality.diff
    phpMyAdmin 2.2.0:
    http://www.securereality.com.au/patches/phpMyAdmin-SecureReality.diff

    Users of earlier versions are advised to upgrade to the versions specified
    then apply the patches.

    To apply the patches:
     - cd to the directory in which the application files are stored (e.g
       /home/httpd/html/phpMyAdmin/)
     - run 'patch -p0 < *Path to patch filename*'

    [Disclaimer] Advice, directions and instructions on security
    vulnerabilities in this advisory do not constitute: an endorsement of
    illegal behavior; a guarantee that protection measures will work; an
    endorsement of any product or solution or recommendations on behalf of
    Secure Reality Pty Ltd. Content is provided as is and Secure Reality
    Pty Ltd does not accept responsibility for any damage or injury caused
    as a result of its use.