The Community Forums


New phpMyAdmin exploit - (remote code execute)

Discussion in 'Security' started by ASTRAPI, Jul 9, 2011.

  1. ASTRAPI

    ASTRAPI Well-Known Member

    Joined:
    Jul 8, 2008
    Messages:
    321
    Likes Received:
    0
    Trophy Points:
    16
    Today a new exploit for phpMyAdmin is out.

    # Tested on: 3.1.1, 3.2.1, 3.4.3
    # CVE: CVE-2011-2505, CVE-2011-2506
    # Date: 2011-07-08

    Latest cpanel version of phpmyadmin is : 3.3.10.1

    Any info if that exploit works with this version and how we can protect from it?

    Thank you
     
  2. ASTRAPI

    ASTRAPI Well-Known Member

    Joined:
    Jul 8, 2008
    Messages:
    321
    Likes Received:
    0
    Trophy Points:
    16
    Another exploit is out today:

    Remote Code Injection Exploit

    # Date: 2011-07-09
    # Version: phpMyAdmin < 3.3.10.2 || phpMyAdmin < 3.4.3.1
    # CVE : CVE-2011-2505, CVE-2011-2506

    Any way to prevent those attacks?
     
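    As an added example (not from the thread or from cPanel), a POSIX shell check that compares an installed phpMyAdmin version against the affected ranges quoted above (3.3.x before 3.3.10.2 and 3.4.x before 3.4.3.1), so an admin can confirm whether the bundled copy still needs the update. The Config.class.php path and the `PMA_VERSION` line format it parses are assumptions about the 3.x layout.

```shell
#!/bin/sh
# Added example: is the installed phpMyAdmin inside the advisory's affected ranges?

# Compare two dotted version strings; prints -1, 0 or 1 for a<b, a=b, a>b.
# Missing components are treated as 0, so 3.4.3 == 3.4.3.0 and 3.4.3 < 3.4.3.1.
vercmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"; y="${b%%.*}"
        [ "$a" = "$x" ] && a="" || a="${a#*.}"
        [ "$b" = "$y" ] && b="" || b="${b#*.}"
        x="${x:-0}"; y="${y:-0}"
        if [ "$x" -lt "$y" ]; then printf '%s\n' -1; return; fi
        if [ "$x" -gt "$y" ]; then printf '%s\n' 1; return; fi
    done
    printf '%s\n' 0
}

# Exit status: 0 = affected, 1 = fixed, 2 = release series not covered by the advisory.
# The advisory's "< 3.3.10.2 || < 3.4.3.1" is read per branch, otherwise the fixed
# 3.3.10.2 would itself be flagged as being below 3.4.3.1.
pma_affected() {
    v="$1"
    case "$v" in
        3.4.*) [ "$(vercmp "$v" 3.4.3.1)" -lt 0 ] ;;
        3.*)   [ "$(vercmp "$v" 3.3.10.2)" -lt 0 ] ;;   # covers 3.1.x, 3.2.x, 3.3.x
        *)     return 2 ;;
    esac
}

# Read PMA_VERSION from the 3.x Config.class.php. Default path is an assumption
# about where cPanel installs its bundled phpMyAdmin; pass another file to override.
installed_pma_version() {
    f="${1:-/usr/local/cpanel/base/3rdparty/phpMyAdmin/libraries/Config.class.php}"
    sed -n "s/.*PMA_VERSION', '\([0-9.]*\)'.*/\1/p" "$f" | head -n 1
}
```

On a server, `pma_affected "$(installed_pma_version)"` returns 0 when the bundled copy is still inside an affected range, which is the case that should trigger the update or the manual patch.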
  3. ASTRAPI

    ASTRAPI Well-Known Member

    Joined:
    Jul 8, 2008
    Messages:
    321
    Likes Received:
    0
    Trophy Points:
    16
    How can I update only phpMyAdmin to the latest version, 3.3.10.2?

    Now I am using 3.3.10.1.
     
  4. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    14,474
    Likes Received:
    202
    Trophy Points:
    63
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    3.3.10.1 is the latest available in cPanel at this time. This will be updated via the cPanel updating process.
     
  5. rlshosting

    rlshosting Well-Known Member

    Joined:
    Apr 23, 2009
    Messages:
    170
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    United States
    cPanel Access Level:
    Root Administrator
    They need to release updates faster when security is involved. They can't take chances.
     
  6. ASTRAPI

    ASTRAPI Well-Known Member

    Joined:
    Jul 8, 2008
    Messages:
    321
    Likes Received:
    0
    Trophy Points:
    16
    Let's hope to get this update soon.

    A new cpanel exploit is out today also :(

    Privilege Escalation Exploit

    Let's hope cpanel updates fast.
     
  7. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    14,474
    Likes Received:
    202
    Trophy Points:
    63
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    Just to add here, if you read of an exploit somewhere and are concerned about the security of yours/our servers, posting to these forums is probably one of the last places you should be bothering to announce it.

    Report it instead: http://go.cpanel.net/bugs

    In doing so you bring it to the attention of the team far faster than posting here on the forums where the cPanel developers do not visit as often as one might think.

    Don't get me wrong here, thanks for bringing these up. But these forums are not the best way to get directly to the cPanel security team or the Developers. This is: http://go.cpanel.net/bugs

    Thanks.
     
  8. cPanelDavidN

    cPanelDavidN Integration Developer
    Staff Member

    Joined:
    Dec 17, 2009
    Messages:
    571
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    Houston, TX
    cPanel Access Level:
    Root Administrator
    @Astrapi
    I assume that you're referencing cPanel 11.x Privilege Escalation Exploit ...that "exploit" has nothing to do with this thread. (and actually, it's a vulnerability in Fantastico, not cPanel. cPanel does not ship Fantastico.) If you'd like to address that report, please open a separate thread.

    @All
    cPanel's phpMyAdmin has been updated to 3.3.10.2 and will be available in the next 11.30 revision. You can look for case 51250 in the changelog.

    You can also manually patch phpMyAdmin with the security patches they provide. For the CVEs named earlier in this thread, you'd want the 3.3 family patches on this page and this page.

    Regards,
    -DavidN
     
  9. chposter

    chposter Active Member

    Joined:
    May 9, 2011
    Messages:
    39
    Likes Received:
    1
    Trophy Points:
    8
    Hi,

    Are you planning to release the phpMyAdmin update for 11.28? Or is there any method to update it manually? Sometimes you can't update to the latest version when it enters stable (yesterday).

    Thanks
     
    #9 chposter, Jul 14, 2011
    Last edited: Jul 14, 2011
  10. k-planethost

    k-planethost Well-Known Member

    Joined:
    Sep 22, 2009
    Messages:
    199
    Likes Received:
    4
    Trophy Points:
    18
    Location:
    Athens Greece
    Manually, as soon as I know, in order to update:
    /usr/local/cpanel/bin/updatephpmyadmin --force
     
  11. cPanelDavidN

    cPanelDavidN Integration Developer
    Staff Member

    Joined:
    Dec 17, 2009
    Messages:
    571
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    Houston, TX
    cPanel Access Level:
    Root Administrator
    As of 7/13/2011, all tier targets ('STABLE', 'RELEASE', etc.) point to cPanel 11.30.1.4, which ships with PMA 3.3.10.2. So, the next upcp should update your version of PMA (provided you haven't disabled updates entirely).

    -DavidN

    PS. you can verify features and bugfixes are in a cPanel version by browsing the changelog or subscribing to the changelog atom feed.
     