phpmyadmin / PMASA-2016-60
Hello,
I have been looking into PMASA-2016-60 for phpmyadmin, and nothing seems
to be certain.
* There do appear to be security issues with old versions of PHP with
certain functions when passing strings with embedded
nulls. http://www.madirish.net/401
* However as far as I can tell, php in wheezy is not vulnerable.
* Furthermore, these vulnerabilities are supposed to apply when
processing the username. I am having trouble trying to visualize how
an embedded null in the username could result in bypassing access
control lists. Or how a username with an embedded null could get
authenticated even.
* Looking at the code I don't see any of the vulnerable functions
touching username.
* The fix looks easy; however I don't like to apply the fix unless I can
say for certain that it does something useful. Which means I need an
exploit. I can't find enough details for this.
Any ideas?
Ok, so I have had one more idea since typing this out. Possibly the
problem is that the user is connecting as something like
"root\0fudge". This results in the user connecting to mysql as "root" -
assuming the mysql functions have this vulnerability - but we think the
user is connecting as "root\0fudge" so they don't apply the rules for
"root".
Out of time now, will need to consider this more.
--
Brian May <bam@debian.org>
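
The mismatch hypothesised in the message above, modelled as an added example (not part of the original message and not phpMyAdmin code). The rule table and function names are hypothetical, and the C-string truncation is simulated rather than taken from any real MySQL client call.

```php
<?php
// Added illustration; the rule table and function names are hypothetical,
// not phpMyAdmin code. It models the mismatch hypothesised in the message.

// What a C-string API would see: everything up to the first NUL byte.
function as_c_string(string $s): string
{
    $pos = strpos($s, "\0");
    return $pos === false ? $s : substr($s, 0, $pos);
}

// Hypothetical per-user access rules keyed by exact username.
const DENIED_USERS = ['root'];

// Naive check: compares the raw, untruncated name against the rules.
function naive_is_allowed(string $user): bool
{
    return !in_array($user, DENIED_USERS, true);
}

// Hardened check: refuse any name containing a NUL byte before the rules
// are evaluated, so the checked name and the backend name cannot differ.
function hardened_is_allowed(string $user): bool
{
    if (strpos($user, "\0") !== false) {
        return false;
    }
    return !in_array($user, DENIED_USERS, true);
}

// Constructed sample inputs.
$samples = ['alice', 'root', "root\0fudge"];

foreach ($samples as $user) {
    printf(
        "%-14s backend sees %-6s naive=%-5s hardened=%s\n",
        addcslashes($user, "\0"),   // show the NUL as \000
        as_c_string($user),
        naive_is_allowed($user) ? 'allow' : 'deny',
        hardened_is_allowed($user) ? 'allow' : 'deny'
    );
}
```

The third sample is the case of interest: the naive check evaluates a name that matches no rule, while the simulated backend name is one the rules deny.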