<<< Date Index >>>     <<< Thread Index >>>

Re: [SECURITYREASON.COM] phpMyAdmin 2.6.1 Remote file inclusion



> This bug exist in css/phpmyadmin.css.php. You can
> include files. Error exist in
>
> Code:
> - ------
> $tmp_file = $GLOBALS['cfg']['ThemePath'] . '/' .
> $theme . '/css/theme_right.css.php';
> if (@file_exists($tmp_file)) {
> include($tmp_file);
> } // end of include theme_right.css.php
> - ------
>
> And now you can get files.
Incorrect. This is NOT a 'remote' file inclusion(due to the file_exists
call), unless of course the affected user is running >= PHP5.0. It is
usually good practice to state this in an advisory. Please see Appendix L
at http://www.php.net/manual/en/wrappers.php

> 1.1
> Or next include is in libraries/database_interface.lib.php
>
> Code:
>
> - ---
> 18# require_once('./libraries/dbi/' . $cfg['Server']['extension'] .
> '.dbi.lib.php');
> - ---
Also incorrect. The call to require_once passes the absolute path
'./libraries/dbi/' before the variable is involved. This is a LOCAL file
inclusion vulnerability.

> - --- 5.Contact ---
> Author: Maksymilian Arciemowicz
> Location: Poland(Jelenia Gora), Luxembourg(Bereldange)
> Email: max [at] jestsuper [dot] pl
> GPG-KEY: http://security.jestsuper.pl
> http://securityreason.com/ Team
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.6 (FreeBSD)
>
> iD8DBQFCHR89znmvyJCR4zQRAtj3AJ4wxM3WEn56GNohsG3f4U8Ku+/I8wCeMWQr
> YklTAm82iDqNu3so1uYsmEk=
> =ko9x
> -----END PGP SIGNATURE-----
>

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Nullum magnum ingenium sine mixtura dementiae fuit
[There is no great genius without some touch of madness]
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Calum Power
- Cultural Jammer
- Security Enthusiast
- Hopeless Cynic
enune@xxxxxxxxxxx
http://www.fribble.net