
Re: phpmyadmin / PMASA-2016-60



Brian May <bam@debian.org> writes:

> Ok, so I have had one more idea since typing this out. Possibly the
> problem is that the user is connecting as something like
> "root\0fudge". This results in the user connecting to mysql as "root" -
> assuming the mysql functions have this vulnerability - but we think the
> user is connecting as "root\0fudge" so we don't apply the rules for
> "root".

Looks like that was it, I can reproduce it under wheezy.

This means for example it is possible to log in as "root%00something"
(where %00 is the null byte, not the encoding) and root's password and
gain root privileges even if you have configured phpmyadmin not to
allow logins as root.

You still do need the root password however.
-- 
Brian May <bam@debian.org>
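
The mismatch described in the message above, as an added example that is not part of the original message and is not phpMyAdmin's code: the login rule is applied to the full submitted string, while a C-string based client library only sees the bytes before the first null byte. All function names are hypothetical, the sample usernames are constructed, and the hardened check assumes no legitimate account name contains a null byte.

```php
<?php
// Added illustration; hypothetical helper names, not phpMyAdmin's own code.

/** Name a C-string based client library would pass on: bytes before the first NUL. */
function backend_visible_user(string $user): string
{
    $nul = strpos($user, "\0");
    return $nul === false ? $user : substr($user, 0, $nul);
}

/** Flawed rule: compares the raw submitted string against the denied name. */
function naive_root_denied(string $user): bool
{
    return $user === 'root';
}

/** Hardened rule: reject NUL bytes first, then apply the "no root logins" rule. */
function strict_login_allowed(string $user, bool $allowRoot): bool
{
    if (strpos($user, "\0") !== false) {
        return false; // assumption: account names never contain a NUL byte
    }
    return $allowRoot || $user !== 'root';
}

// Constructed sample usernames, checked with root logins disallowed.
$samples = ["alice", "root", "root\0something"];
foreach ($samples as $u) {
    printf(
        "%-24s backend sees %-6s naive deny=%-6s strict allow=%s\n",
        json_encode($u),
        backend_visible_user($u),
        var_export(naive_root_denied($u), true),
        var_export(strict_login_allowed($u, false), true)
    );
}
```

For the third sample the naive rule does not deny the login although the backend-visible name is "root"; the strict rule refuses it before any rule matching happens.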

