phpMyAdmin security announcement PMASA-2003-1
Announcement-ID: PMASA-2003-1
Date: 2003-06-18
Summary:
Several security issues were reported to BugTraq mailing list. However
most of these issues were already fixed some time ago.
Description:
Reporter wrote that he found following issues within phpMyAdmin code
(each issue is followed by our comment):
- Directory transversal attack - Already fixed in 2.5.0 release
- Remote local file retrieving - Author didn't show any proof of this
- Remote internal directory listing - It was possible to retrieve
listing of phpMyAdmin directory, however content of this directory is
publicly known. This was fixed for upcoming 2.5.2 release.
- XSS and Path disclosures - Most of these issues were fixed in 2.5.0
release, however some of these were still there and these will be
fixed in upcoming 2.5.2 release.
- Information encoding weakness - We believe that an exploit for this
weakness would be difficult to achieve. However version 2.5.2 now
encrypts the password with the well-known blowfish algorithm.
Severity:
Only really problematic issue in current versions is XSS attack, which
in combination with clever javascript could be used to steal
authentication, but this would require to force user to click on link
supplied by attacker. Therefore we consider this issue as important.
Affected versions:
All releases up to and not including 2.5.2. See description for more
details about this.
Unaffected versions:
CVS HEAD has been fixed.
The upcoming 2.5.2 release.
Solution:
We strongly advise everyone to upgrade to CVS HEAD or to the next
version of phpMyAdmin, which is to be released soon.
References:
http://www.securityfocus.com/archive/1/325641
For further information and in case of questions, please contact the
phpMyAdmin team. Our website is
http://www.phpmyadmin.net.
