nettika/phpmyadmin
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

security alert

Browse Source
This commit is contained in:
Marc Delisle
2004-06-30 18:29:41 +00:00
parent 5dd5999d7f
commit d743dfc5cc
3 changed files with 69 additions and 17 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
ChangeLog
View File

@@ -5,6 +5,9 @@ phpMyAdmin - Changelog
$Id$ $Id$
$Source$ $Source$
2004-06-30 Marc Delisle <lem9@users.sourceforge.net>
* left.php: fix against security alert, thanks to Garvin
2004-06-30 Alexander M. Turek <me@derrabus.de> 2004-06-30 Alexander M. Turek <me@derrabus.de>
* libraries/common.lib.php: Fix against $_REQUEST['cfg'] exploits. * libraries/common.lib.php: Fix against $_REQUEST['cfg'] exploits.

35
Documentation.html
View File

@@ -3766,6 +3766,41 @@ To create a new, empty mimetype please see libraries/transformations/template_ge
<br /><br /> <br /><br />
</li> </li>
</ul> </ul>
<h4>
[8.2] Security alert, dated 2004-06-29.
</h4>
<p>
Last update of this FAQ: 2004-06-30.
<br /><br />
The phpMyAdmin development team received notice of this security alert:
<a href="http://securityfocus.com/archive/1/367486/2004-06-26/2004-07-02/0" target="_blank">http://securityfocus.com/archive/1/367486/2004-06-26/2004-07-02/0</a>
<br /><br />
We would like to put emphasis on the disappointment we feel when a
bugreporter does not contact the authors of a software first, before
posting any exploits. The common way to report this, is to give the
developers a reasonable amount of time to respond to an exploit before
it is made public.
<br /><br />
We acknowledge that phpMyAdmin versions 2.5.1 to 2.5.7 are vulnerable
to this problem, if each of the following conditions are met:
</p>
<ul>
<li>
The Web server hosting phpMyAdmin is not running in safe mode.
</li>
<li>
In config.inc.php, <tt>$cfg['LeftFrameLight']</tt> is set to FALSE
(the default value of this parameter is TRUE).
</li>
<li>
There is no firewall blocking requests from the Web server to the
attacking host.
</li>
</ul>
<p>
<br />
Version 2.5.7-pl1 was released with a fix for this vulnerability.
</p>
<!-- DEVELOPERS --> <!-- DEVELOPERS -->
<a name="developers"></a><br /> <a name="developers"></a><br />

48
left.php
View File

@@ -45,6 +45,22 @@ require_once('./libraries/bookmark.lib.php');
require_once('./libraries/relation.lib.php'); require_once('./libraries/relation.lib.php');
$cfgRelation = PMA_getRelationsParam(); $cfgRelation = PMA_getRelationsParam();
function PMA_multimerge(&$stack, &$table) {
global $list_item, $table_item;
$key = array_shift($table);
if (count($table) > 0) {
if (!isset($stack[$key])) {
$stack[$key] = '';
}
PMA_multimerge($stack[$key], $table);
} else {
$stack['pma_name'][] = $table_item;
$stack['pma_list_item'][] = $list_item;
}
}
function PMA_reduceNest($_table) { function PMA_reduceNest($_table) {
if ($GLOBALS['cfg']['LeftFrameTableLevel'] > 0) { if ($GLOBALS['cfg']['LeftFrameTableLevel'] > 0) {
@@ -52,7 +68,7 @@ function PMA_reduceNest($_table) {
$temp_table = $_table; $temp_table = $_table;
$new_table = array(); $new_table = array();
$last_index = 0; $last_index = 0;
for ($ti = 0; $ti < $max; $ti++) { for ($ti = 0; $ti <= $max; $ti++) {
if (isset($temp_table[$ti])) { if (isset($temp_table[$ti])) {
$new_table[$ti] = $temp_table[$ti]; $new_table[$ti] = $temp_table[$ti];
unset($temp_table[$ti]); unset($temp_table[$ti]);
@@ -325,7 +341,7 @@ echo "\n";
<?php <?php
if ($cfg['LeftDisplayLogo'] && !$cfg['QueryFrame']) { if ($cfg['LeftDisplayLogo'] && !$cfg['QueryFrame']) {
?> ?>
<!-- phpMyAdmin logo --> <!-- phpMyAdmin logo -->
<?php <?php
if (@file_exists($pmaThemeImage . 'logo_left.png')) { if (@file_exists($pmaThemeImage . 'logo_left.png')) {
@@ -381,7 +397,7 @@ if (!$cfg['QueryFrame']) {
. '<img src="' . $pmaThemeImage . 'b_sqlhelp.png" border="0" hspace="1" width="16" height="16" alt="MySQL - ' . $strDocu . '" title="MySQL - ' . $strDocu . '"' . '<img src="' . $pmaThemeImage . 'b_sqlhelp.png" border="0" hspace="1" width="16" height="16" alt="MySQL - ' . $strDocu . '" title="MySQL - ' . $strDocu . '"'
.' onmouseover="this.style.backgroundColor=\'#ffffff\';" onmouseout="this.style.backgroundColor=\'\';" align="absmiddle" />' .' onmouseover="this.style.backgroundColor=\'#ffffff\';" onmouseout="this.style.backgroundColor=\'\';" align="absmiddle" />'
. '</a>'; . '</a>';
} }
?> ?>
</div> </div>
<hr /> <hr />
@@ -423,7 +439,7 @@ if ($num_dbs > 1) {
<?php <?php
echo PMA_generate_common_hidden_inputs(); echo PMA_generate_common_hidden_inputs();
echo ' <input type="hidden" name="hash" value="' . $hash . '" />' . "\n"; echo ' <input type="hidden" name="hash" value="' . $hash . '" />' . "\n";
echo ' <span class="heada"><b>' . $strDatabase . ':</b></span><br />'; echo ' <span class="heada"><b>' . $strDatabase . ':</b></span><br />';
echo ' <select name="lightm_db" onchange="this.form.submit()">' . "\n"; echo ' <select name="lightm_db" onchange="this.form.submit()">' . "\n";
echo ' <option value="">(' . $strDatabases . ') ...</option>' . "\n"; echo ' <option value="">(' . $strDatabases . ') ...</option>' . "\n";
} // end !$cfg['QueryFrame'] } // end !$cfg['QueryFrame']
@@ -561,13 +577,12 @@ if ($num_dbs > 1) {
$_table[$key] = '__protected__'; $_table[$key] = '__protected__';
} }
} }
unset($_table[count($_table)-1]);
$_table = PMA_reduceNest($_table); $_table = PMA_reduceNest($_table);
$eval_string = '$tablestack[\'' . implode('\'][\'', $_table) . '\'][\'pma_name\'][] = \'' . str_replace('\'', '\\\'', $table_item) . '\';'; if (count($_table) == 1) {
$eval_string .= '$tablestack[\'' . implode('\'][\'', $_table) . '\'][\'pma_list_item\'][] = \'' . str_replace('\'', '\\\'', $list_item) . '\';'; array_unshift($_table, '');
eval($eval_string); }
PMA_multimerge($tablestack, $_table);
} else { } else {
$tablestack['']['pma_name'][] = $table_item; $tablestack['']['pma_name'][] = $table_item;
$tablestack['']['pma_list_item'][] = $list_item; $tablestack['']['pma_list_item'][] = $list_item;
@@ -577,12 +592,12 @@ if ($num_dbs > 1) {
$tablestack['']['pma_list_item'][] = $list_item; $tablestack['']['pma_list_item'][] = $list_item;
} }
} // end while (tables list) } // end while (tables list)
PMA_nestedSet($j, $tablestack); PMA_nestedSet($j, $tablestack);
?> ?>
</div> </div>
<?php <?php
echo "\n"; echo "\n";
} }
// Light mode -> displays the select combo with databases names and the // Light mode -> displays the select combo with databases names and the
@@ -642,10 +657,10 @@ if ($num_dbs > 1) {
} // end if... else... } // end if... else...
if (!$cfg['QueryFrame']) { if (!$cfg['QueryFrame']) {
if (!empty($num_tables)) { if (!empty($num_tables)) {
echo ' <option value="' . htmlspecialchars($db) . '"' . $selected . '>' echo ' <option value="' . htmlspecialchars($db) . '"' . $selected . '>'
. ($db_tooltip != '' && $cfg['ShowTooltipAliasDB'] ? htmlspecialchars($db_tooltip) : htmlspecialchars($db)) . ' (' . $num_tables . ')</option>' . "\n"; . ($db_tooltip != '' && $cfg['ShowTooltipAliasDB'] ? htmlspecialchars($db_tooltip) : htmlspecialchars($db)) . ' (' . $num_tables . ')</option>' . "\n";
} else { } else {
echo ' <option value="' . htmlspecialchars($db) . '"' . $selected . '>' echo ' <option value="' . htmlspecialchars($db) . '"' . $selected . '>'
. ($db_tooltip != '' && $cfg['ShowTooltipAliasDB'] ? htmlspecialchars($db_tooltip) : htmlspecialchars($db)) . ' (-)</option>' . "\n"; . ($db_tooltip != '' && $cfg['ShowTooltipAliasDB'] ? htmlspecialchars($db_tooltip) : htmlspecialchars($db)) . ' (-)</option>' . "\n";
} }
} // end !$cfg['QueryFrame'] } // end !$cfg['QueryFrame']
@@ -828,13 +843,12 @@ else if ($num_dbs == 1) {
$_table[$key] = '__protected__'; $_table[$key] = '__protected__';
} }
} }
unset($_table[count($_table)-1]);
$_table = PMA_reduceNest($_table); $_table = PMA_reduceNest($_table);
$eval_string = '$tablestack[\'' . implode('\'][\'', $_table) . '\'][\'pma_name\'][] = \'' . str_replace('\'', '\\\'', $table_item) . '\';'; if (count($_table) == 1) {
$eval_string .= '$tablestack[\'' . implode('\'][\'', $_table) . '\'][\'pma_list_item\'][] = \'' . str_replace('\'', '\\\'', $list_item) . '\';'; array_unshift($_table, '');
eval($eval_string); }
PMA_multimerge($tablestack, $_table);
} else { } else {
$tablestack['']['pma_name'][] = $table_item; $tablestack['']['pma_name'][] = $table_item;
$tablestack['']['pma_list_item'][] = $list_item; $tablestack['']['pma_list_item'][] = $list_item;