[thelist] Fwd: phpMyAdmin 2.1.0 and phpPgAdmin 2.2.1

Anthony Baratta Anthony at Baratta.com
Mon Apr 23 12:50:32 CDT 2001


FYI....

>Date:         Tue, 24 Apr 2001 00:15:00 +1000
>Sender: Bugtraq List <BUGTRAQ at SECURITYFOCUS.COM>
>From: Asher Glynn <asher at SECUREREALITY.COM.AU>
>Organization: Secure Reality Pty Ltd
>Subject:      (SRPRE00001) phpMyAdmin 2.1.0 and phpPgAdmin 2.2.1
>
>=================================================
>Secure Reality Pty Ltd.
>Security Pre-Advisory #1 (SRPRE00001)
>http://www.securereality.com.au
>=================================================
>
>[Title]
>Remote command execution vulnerabilities in phpMyAdmin and phpPgAdmin
>
>[Released]
>23/4/2001
>
>This is a pre-release. This vulnerability will be discussed in detail during
>Shaun Clowes' speech at the Black Hat briefings in Asia in the week of the
>23rd of April. A full advisory will be issued following the conference.
>
>[Vulnerable]
>phpMyAdmin 2.1.0
>phpPgAdmin 2.2.1
>
>All prior versions are almost certainly vulnerable but not tested
>
>[Impact]
>Remote command execution by unauthenticated remote users
>
>[Fix]
>The Authors have not yet been able to correct the issues in mainstream
>versions. SecureReality is providing patches for the problems; no liability
>for the performance or effectiveness of these patches is accepted.
>
>phpPgAdmin 2.2.1:
>http://www.securereality.com.au/patches/phpPgAdmin-SecureReality.diff
>phpMyAdmin 2.2.0:
>http://www.securereality.com.au/patches/phpMyAdmin-SecureReality.diff
>
>Users of earlier versions are advised to upgrade to the versions specified
>then apply the patches.
>
>To apply the patches:
>  - cd to the directory in which the application files are stored (e.g.
>    /home/httpd/html/phpMyAdmin/)
>  - run 'patch -p0 < *Path to patch filename*'
>
>[Disclaimer] Advice, directions and instructions on security
>vulnerabilities in this advisory do not constitute: an endorsement of
>illegal behavior; a guarantee that protection measures will work; an
>endorsement of any product or solution or recommendations on behalf of
>Secure Reality Pty Ltd. Content is provided as is and Secure Reality
>Pty Ltd does not accept responsibility for any damage or injury caused
>as a result of its use.




