phpMyAdmin bug: reading any files on the server
Published: 2008-04-22
Updated: 2008-04-27
Affected versions: 2.11.5.1 and lower
Affected os: all
Risk: Medium
Solution: upgrade to 2.11.5.2 or newer
Author: Cezary Tomczak ()
Description:
After logging in to phpMyAdmin, and with permission to CREATE tables, there is a bug that allows reading any files on the server (that the web server's user can access).
This bug is especially dangerous on shared hosting, when different sites share the same mysql server. If site1 has phpmyadmin installed, and user2 from site2 knows the path to that phpmyadmin installation, he can log in using site2 database, and read any files from site1.
There is no plan to release the full exploit.
phpMyAdmin security announcement: PMASA-2008-3
Update
It comes out that windows is also vulnerable to this exploit (it allows opening files using POSIX-style path). Thanks to Marcin Kosieradzki for this info.