Bugtraq mailing list archives
Re: New command execution vulnerability in myPhpAdmin
From: Mark Renouf <mark () tweakt net>
Date: Tue, 31 Jul 2001 17:16:17 -0400
Carl Livitt wrote:
> --/ Product: phpMyAdmin versions <= 2.2.0rc3
> --/ Problem: Arbitrary remote command execution
> --/ Severity: High
> --/ Author: Carl Livitt (carl AT ititc DOT com)
> --/ Date: 31 July 2001

This isn't so much a problem with phpMyAdmin as it is with PHP in general. I would HIGHLY recommend turning off register_globals in php.ini (which is the default set in php.ini-dist for php4+). With that option disabled, the only thing that passing in extra parameters can do is create entries in the $HTTP_GET_VARS array, and it's not possible to clobber global script variables.

I tested this with my installation of phpMyAdmin 2.1.0 and it is not vulnerable to the attack that you described, due to the settings I mentioned above.
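
The register_globals behaviour discussed in the message above, as an added illustration that is not part of the original post and is not phpMyAdmin code. It emulates both settings with extract() so it runs on current PHP; the request, the `$is_admin` variable and all function names are hypothetical.

```php
<?php
// Constructed sample request: ?page=home&is_admin=1
// "is_admin" is the extra parameter the script never expected to receive.
$request = ['page' => 'home', 'is_admin' => '1'];

// Emulates register_globals = On: every request parameter also becomes
// a variable in the script's global scope.
function scope_with_register_globals(array $get): array
{
    return $get + ['HTTP_GET_VARS' => $get];
}

// Emulates register_globals = Off: parameters exist only as entries
// in the $HTTP_GET_VARS array.
function scope_without_register_globals(array $get): array
{
    return ['HTTP_GET_VARS' => $get];
}

// Hypothetical page logic that tests $is_admin without ever assigning it.
function render_page(array $scope): string
{
    extract($scope); // stand-in for the global scope PHP would have built

    if (!empty($is_admin)) {
        // Reached only when a request parameter was allowed to create $is_admin.
        return 'admin view';
    }

    // Request data is still available, but only through the array.
    return 'normal view, page=' . ($HTTP_GET_VARS['page'] ?? 'none');
}

echo 'register_globals On:  ', render_page(scope_with_register_globals($request)), "\n";
echo 'register_globals Off: ', render_page(scope_without_register_globals($request)), "\n";
```

With the emulated setting off, the extra parameter is still present in `$HTTP_GET_VARS` but never becomes `$is_admin`, so the unassigned check cannot be influenced from the request.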