phpMyAdmin 2.6.4 and 2.6.4-pl1 Local file inclusion vulnerability

Discussion in 'Database Discussions' started by thewishbone, Oct 19, 2005.

  1. thewishbone

    Hi, I read this and I want to know if we have to upgrade to the new version of phpMyAdmin 2.6.4-pl2:

    Announcement-ID: PMASA-2005-4
    Date: 2005-10-11

    Summary:
    Local file inclusion vulnerability

    Description:
    In libraries/grab_globals.lib.php, the $__redirect parameter was not correctly validated, opening the door to a local file inclusion attack.


    Severity:
    We consider this vulnerability to be serious. However, it can be exploited only on systems not running in PHP safe mode (unless a deliberate hole was opened by including in open_basedir some paths containing sensitive data).

    Affected versions:
    phpMyAdmin versions 2.6.4 and 2.6.4-pl1.

    Solution:
    Upgrade to phpMyAdmin 2.6.4-pl2 or newer.
     
  2. Website Rob

    All depends on your Server security by the looks of things.

    Just more good reasons why always running PHP with 'safe_mode' and 'open_basedir' restrictions turned ON just makes a whole lotta sense.
     
  3. thewishbone

    And how do we know if we really need to do it? We tried this bug... and it works.

    thanks
     
  4. chirpy

    You need to follow the cPanel changelog; this has been incorporated into the release tree (have a look on http://layer1.cpanel.net).

    Do bear in mind that to run the phpMyAdmin that comes with cPanel you do need to have a valid cPanel login to access it.
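
One way to check a server against the conditions stated in PMASA-2005-4 (affected version, safe_mode, open_basedir). This is an added example, not part of the thread and not phpMyAdmin or cPanel code; the function names, verdict strings and sample php.ini are constructed, and a Unix-style ':' separator is assumed for open_basedir.

```python
# Affected releases exactly as listed in PMASA-2005-4.
AFFECTED = {"2.6.4", "2.6.4-pl1"}
_TRUE = {"1", "on", "yes", "true"}


def parse_php_ini(text):
    """Return {directive: value} from php.ini text; the last assignment wins."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' starts a comment
        if not line or line.startswith("[") or "=" not in line:
            continue  # blank line, section header, or not an assignment
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip().strip("\"'")
    return settings


def triage(pma_version, php_ini_text):
    """Apply the advisory's conditions; returns (verdict, open_basedir_paths)."""
    ini = parse_php_ini(php_ini_text)
    # safe_mode defaults to off when the directive is absent.
    safe_mode = ini.get("safe_mode", "off").lower() in _TRUE
    basedirs = [p for p in ini.get("open_basedir", "").split(":") if p]
    if pma_version.strip().lower() not in AFFECTED:
        return "not-listed", basedirs
    if not safe_mode:
        return "exposed", basedirs
    # safe_mode is on: the advisory's remaining caveat is an open_basedir
    # that includes sensitive paths, so hand the list back for manual review.
    return "mitigated-review-open-basedir", basedirs


# Constructed sample, not taken from any real server.
SAMPLE_INI = """\
[PHP]
; constructed sample
safe_mode = On
open_basedir = "/home/exampleuser:/usr/lib/php:/tmp"
"""

if __name__ == "__main__":
    print(triage("2.6.4-pl1", SAMPLE_INI))
    print(triage("2.6.4", "safe_mode = Off\n"))
```

Whatever the verdict, the advisory's fix for the listed versions is the upgrade to 2.6.4-pl2 or newer.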
     