exploit the possibilities

phpMyAdmin 3.3.9 Brute Force / Path Disclosure

phpMyAdmin 3.3.9 Brute Force / Path Disclosure
Posted Feb 28, 2011
Authored by MustLive

phpMyAdmin versions 3.3.9 and below suffers from brute force and path disclosure vulnerabilities.

tags | advisory, cracker, vulnerability, info disclosure
advisories | CVE-2011-0986
MD5 | 6e8fae2af8d9530fd34944a378dabe95

phpMyAdmin 3.3.9 Brute Force / Path Disclosure

Change Mirror Download
Hello list!

I want to warn you about Brute Force and Full path disclosure
vulnerabilities in phpMyAdmin.

CVE id: CVE-2011-0986.

WASC ids: WASC-11, WASC-13.

CWE ids: CWE-661, CWE-200.

-------------------------
Affected products:
-------------------------

Vulnerable are phpMyAdmin 3.3.9 and previous versions and phpMyAdmin
2.11.11.1 and previous versions. All applications (such as XAMPP), which are
using phpMyAdmin, are also vulnerable.

Full path disclosure vulnerabilities were fixed by developers in versions
3.3.9.1 and 2.11.11.2.

----------
Details:
----------

Brute Force (WASC-11):

http://site/phpmyadmin/

In login form there is no protection from Brute Force attacks.

Full path disclosure (WASC-13):

http://site/phpmyadmin/readme.php (if there is no README file in folder
phpmyadmin)

http://site/phpmyadmin/changelog.php (if there is no ChangeLog file in
folder phpmyadmin)

http://site/phpmyadmin/license.php (if there is no LICENSE file in folder
phpmyadmin)

------------
Timeline:
------------

2011.01.25 - announced at my site.
2011.01.26 - informed developers.
2011.01.31 - received answer from developers.
2011-02-01 - I gave developers additional argumentations and recommendations
about fixing Brute Force and Full path disclosure holes and privately
informed about all those Fingerprinting (WASC-45) holes in phpMyAdmin.
2011-02-08 - developers fixed FPD holes
(http://www.phpmyadmin.net/home_page/security/PMASA-2011-1.php).
2011.02.28 - disclosed at my site.

I mentioned about these vulnerabilities at my site
(http://websecurity.com.ua/4872/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

April 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Apr 1st
    60 Files
  • 2
    Apr 2nd
    20 Files
  • 3
    Apr 3rd
    10 Files
  • 4
    Apr 4th
    0 Files
  • 5
    Apr 5th
    0 Files
  • 6
    Apr 6th
    0 Files
  • 7
    Apr 7th
    0 Files
  • 8
    Apr 8th
    0 Files
  • 9
    Apr 9th
    0 Files
  • 10
    Apr 10th
    0 Files
  • 11
    Apr 11th
    0 Files
  • 12
    Apr 12th
    0 Files
  • 13
    Apr 13th
    0 Files
  • 14
    Apr 14th
    0 Files
  • 15
    Apr 15th
    0 Files
  • 16
    Apr 16th
    0 Files
  • 17
    Apr 17th
    0 Files
  • 18
    Apr 18th
    0 Files
  • 19
    Apr 19th
    0 Files
  • 20
    Apr 20th
    0 Files
  • 21
    Apr 21st
    0 Files
  • 22
    Apr 22nd
    0 Files
  • 23
    Apr 23rd
    0 Files
  • 24
    Apr 24th
    0 Files
  • 25
    Apr 25th
    0 Files
  • 26
    Apr 26th
    0 Files
  • 27
    Apr 27th
    0 Files
  • 28
    Apr 28th
    0 Files
  • 29
    Apr 29th
    0 Files
  • 30
    Apr 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close