Date:      Thu, 13 Oct 2005 13:34:42 -0400
From:      Mit Rowe <mit@mitayai.org>
To:        ports@freebsd.org,  security@freebsd.org
Subject:   [Fwd: phpmyadmin vulnerability]
Message-ID:  <434E9AB2.7030209@mitayai.org>


Current port version 2.6.4-pl1 is vulnerable.


    phpMyAdmin security announcement PMASA-2005-4

Announcement-ID: PMASA-2005-4
Date: 2005-10-11

*Summary*:
Local file inclusion vulnerability

*Description*:
In libraries/grab_globals.lib.php, the $__redirect parameter was not 
correctly validated, opening the door to a local file inclusion attack.

*Severity*:
We consider this vulnerability to be serious. However, it can be 
exploited only on systems not running in PHP safe mode (unless a 
deliberate hole was opened by including in open_basedir some paths 
containing sensitive data).

*Affected versions*:
phpMyAdmin versions 2.6.4 and 2.6.4-pl1.

*Solution:*
Upgrade to phpMyAdmin 2.6.4-pl2 or newer.

For further information and in case of questions, please contact the 
phpMyAdmin team. Our website is http://www.phpmyadmin.net/.


-- 
Will Mitayai Keeso Rowe
Technical Director
9TrackMind, Inc.
mit@9trackmind.com
mobile: +1.416.219 2512


Message-ID: <00a601c5d019$fb9a9960$6500a8c0@Spinauda>
From: "AuDaSeE" <audasee@dreaming.org>
To: "Mit Rowe" <mit@mitayai.org>
References: <433808A6.20608@mitayai.org>
Subject: phpmyadmin vulnerability
Date: Thu, 13 Oct 2005 13:17:25 -0400

http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2005-4
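The bug class the advisory describes, shown as an added illustration that is not phpMyAdmin's own grab_globals.lib.php code: a request parameter (named $__redirect after the advisory) that selects an include target, first without any check and then restricted to an allowlist of script names and confined to the application directory. The allowlisted names and the $appDir argument are assumptions.

```php
<?php
// Constructed illustration of the local file inclusion pattern behind
// PMASA-2005-4. This is NOT phpMyAdmin's actual code; only the parameter
// name __redirect comes from the advisory, everything else is assumed.

// Vulnerable pattern: the request value is used directly as an include path,
// so any local file the PHP process can read may be pulled in. PHP safe mode
// or open_basedir only narrow what is reachable; they do not fix the bug.
function vulnerable_redirect(array $request): void
{
    if (isset($request['__redirect'])) {
        include $request['__redirect'];   // no validation at all
    }
}

// Hardened pattern: the value must match a fixed allowlist of script names,
// and the resolved path must stay inside the application directory.
const REDIRECT_TARGETS = ['main.php', 'db_details.php', 'tbl_properties.php'];

function validate_redirect_target(?string $target, string $appDir): ?string
{
    if ($target === null || !in_array($target, REDIRECT_TARGETS, true)) {
        return null;                         // not an allowed script name
    }
    $base     = realpath($appDir);
    $resolved = realpath($appDir . DIRECTORY_SEPARATOR . $target);
    if ($base === false || $resolved === false
        || strpos($resolved, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;                         // missing, or escapes the app dir
    }
    return $resolved;
}

function hardened_redirect(array $request, string $appDir): void
{
    $path = validate_redirect_target($request['__redirect'] ?? null, $appDir);
    if ($path === null) {
        header('HTTP/1.1 400 Bad Request');
        exit('invalid redirect target');
    }
    include $path;                           // only an allowlisted, in-tree script
}
```

The allowlist check is the fix; the realpath comparison is a second line of defence against symlinks or a misconfigured $appDir.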
