FYI....

>Date: Tue, 24 Apr 2001 00:15:00 +1000
>Sender: Bugtraq List <BUGTRAQ at SECURITYFOCUS.COM>
>From: Asher Glynn <asher at SECUREREALITY.COM.AU>
>Organization: Secure Reality Pty Ltd
>Subject: (SRPRE00001) phpMyAdmin 2.1.0 and phpPgAdmin 2.2.1
>
>=================================================
>Secure Reality Pty Ltd. Security Pre-Advisory #1 (SRPRE00001)
>http://www.securereality.com.au
>=================================================
>
>[Title]
>Remote command execution vulnerabilities in phpMyAdmin and phpPgAdmin
>
>[Released]
>23/4/2001
>
>This is a pre-release. This vulnerability will be discussed in detail during
>Shaun Clowes' speech at the Black Hat briefings in Asia in the week of the
>23rd of April. A full advisory will be issued following the conference
>
>[Vulnerable]
>phpMyAdmin 2.1.0
>phpPgAdmin 2.2.1
>
>All prior versions are almost certainly vulnerable but not tested
>
>[Impact]
>Remote command execution by unauthenticated remote users
>
>[Fix]
>The Authors have not yet been able to correct the issues in mainstream
>versions. SecureReality is providing patches for the problems, no liability
>for the performance or effectiveness of these patches is accepted.
>
>phpPgAdmin 2.2.1:
>http://www.securereality.com.au/patches/phpPgAdmin-SecureReality.diff
>phpMyAdmin 2.2.0:
>http://www.securereality.com.au/patches/phpMyAdmin-SecureReality.diff
>
>Users of earlier versions are advised to upgrade to the versions specified
>then apply the patches.
>
>To apply the patches:
> - cd to the directory in which the application files are stored (e.g
>   /home/httpd/html/phpMyAdmin/)
> - run 'patch -p0 < *Path to patch filename*'
>
>[Disclaimer] Advice, directions and instructions on security
>vulnerabilities in this advisory do not constitute: an endorsement of
>illegal behavior; a guarantee that protection measures will work; an
>endorsement of any product or solution or recommendations on behalf of
>Secure Reality Pty Ltd. Content is provided as is and Secure Reality
>Pty Ltd does not accept responsibility for any damage or injury caused
>as a result of its use.