phpMyAdmin left.php file code manipulation

phpmyadmin-code-manipulation (16555). Risk level: Medium

Description:

phpMyAdmin could allow a remote attacker to modify configuration settings. A remote attacker could supply configuration settings to the left.php file, overriding the current configuration and gaining access to MySQL servers that were not listed in the original configuration file. An attacker could exploit this vulnerability to launch further attacks against those MySQL servers.

Consequences:

File Manipulation

Remedy:

Upgrade to the latest version of phpMyAdmin (2.5.7_p1 or later), as listed in GLSA 200407-22. See References.

References:

  • phpMyAdmin Web site: phpMyAdmin - MySQL DB administration tool.
  • BID-10629: phpMyAdmin Multiple Input Validation Vulnerabilities
  • CVE-2004-2632: phpMyAdmin 2.5.1 up to 2.5.7 allows remote attackers to modify configuration settings and gain unauthorized access to MySQL servers via modified $cfg['Servers'] variables.
  • GLSA-200407-22: phpMyAdmin: Multiple vulnerabilities
  • OSVDB ID: 7315: phpMyAdmin Arbitrary Database Access
  • SA11974: phpMyAdmin Configuration Manipulation and Code Injection
  • SECTRACK ID: 1010614: phpMyAdmin Input Validation Errors in `left.php` May Let Remote Users Execute Arbitrary PHP Code

Platforms Affected:

  • Gentoo Linux
  • phpMyAdmin 2.5.7

Reported:

Jun 30, 2004

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net