|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
phpMyAdmin XSS Vulnerabilities, Transversal Directory Attack , Information Encoding Weakness and Path Disclosures
From: Lorenzo Manuel Hernandez Garcia-Hierro (security
lorenzohgh.com)
Date: Wed Jun 18 2003 - 11:33:36 CDT
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
phpMyAdmin XSS Vulnerabilities, Transversal Directory Attack ,
Information Encoding Weakness and Path Disclosures
--------------------
Product: phpMyAdmin
Vendor: phpMyAdmin Development Team
Versions:
VULNERABLE
- 2.5.2 CVS ( in Development )
- 2.5.x
- 2.4.x
- 2.3.x
- 2.2.x
- 2.1.x
- 2.0.x
- 1.x.x
NOT VULNERABLE
- ?
Advisory: NSRG-15-7
---------------------
Description:
phpMyAdmin is a tool written in PHP intended to handle the administration
of MySQL over the WWW. Currently it can create and drop databases,
create/drop/alter tables, delete/edit/add fields, execute any SQL
statement, manage keys on fields.
-----------------------------------------
SECURITY HOLES FOUND and PROOFS OF CONCEPT:
-----------------------------------------
I encountered Cross Site Scripting Vulnerabilities and Path Disclosures
in some files of the phpMyAdmin
installation , with this files , sending a specially crafted url you can
execute commands in the client
side only and show the local path of the phpMyAdmin installation. The
failures are related to a input validation flaw
and a inproper configuration of php.ini and php configuration declare
library ( declare_php.lib.php )in phpMyAdmin for the errors flags.
I encountered a very dangerous transversal directory attack in a docSQL
import system too.
I discover that phpMyAdmin don't encode the mysql user and password , it
save the data in plain text without encoding !.
-------------------------------
| XSS AND PATH DISCLOSURES |
-------------------------------
The affected files of the XSS attack ( Cross Site Scripting ) and Path
Disclosure are:
- sql.php / sql.php3 - Path Disclosure & XSS-
- pdf_schema.php - Path Disclosure & XSS-
- pdf_pages.php - Path Disclosure & XSS-
- ldi_table.php - Path Disclosure & XSS-
- mult_submits.inc.php - Path Disclosure & XSS-
- chk_rel.php - Path Disclosure -
- db_create.php - Path Disclosure -
- db_datadict.php - Path Disclosure & XSS-
- db_details.php - Path Disclosure -
- db_details_common.php- Path Disclosure -
- db_details_db_info.php - Path Disclosure -
- db_details_export.php - Path Disclosure -
- db_details_structure.php - Path Disclosure -
- db_printview.php - Path Disclosure & XSS-
- db_search.php - Path Disclosure -
- header_printview.inc.php - Path Disclosure -
- ldi_check.php - Path Disclosure -
- read_dump.php - Path Disclosure & XSS-
- tbl_addfield.php - Path Disclosure -
- tbl_alter.php - Path Disclosure -
- tbl_create.php - Path Disclosure -
- tbl_dump.php - Path Disclosure -
- tbl_move_copy.php - Path Disclosure -
- tbl_printview.php - Path Disclosure -
- tbl_properties.inc.php - Path Disclosure -
- tbl_properties.php -Path Disclosure -
- tbl_properties_common.php -Path Disclosure -
- tbl_properties_export.php -Path Disclosure -
- tbl_properties_links.php -Path Disclosure -
- tbl_properties_operations.php -Path Disclosure -
- tbl_properties_options.php -Path Disclosure -
- tbl_properties_table_info.php -Path Disclosure -
- tbl_query_box.php -Path Disclosure -
- tbl_relation.php -Path Disclosure -
- tbl_rename.php -Path Disclosure -
- tbl_replace.php -Path Disclosure -
- tbl_select.php -Path Disclosure -
NOTE: The Path Disclosures occur when you access directly the affected
file without any QUERY_STRING needing a valid session.
The XSS can executed passing crafted query_strings to the php scripts ,
see Samples for more info about this.
VULNERABLE FILES TO PATH DISCLOSURES And XSS THAT DOESN'T NEED A VALID
SESSION :
- libraries/auth/[cookie.auth.lib.php] - Path Disclosure -
- libraries/xpath/[XPath.class.php] - Path Disclosure -
- libraries/[ip_allow_deny.lib.php] - Path Disclosure -
- libraries/[select_lang.lib.php] - Path Disclosure -
- libraries/sqlparser.lib.php - Path Disclosure -
- libraries/db_table_exists.lib.php - Path Disclosure -
-----------------------------------
| DIRECTORY TRANSVERSAL ATTACK & |
| REMOTE LOCAL FILE RETRIEVING & |
| REMOTE INTERNAL DIRECTORY LISTING
-----------------------------------
I found a dangerous transversal directory attack in the file called
db_details_importdocsql.php ( file import
systems ) , i explain this failure in the Proof of Concept:
____Proof of Concept______
You must send a crafted request to the db_details_importdocsql.php file :
http://localhost/mysql/db_details_importdocsql.php?
submit_show=true&do=import&docpath=[YOUR TRANSVERSAL DIRECTORY ATTACK]
If you want to do a internal directory listing you must do this request:
http://localhost/mysql/db_details_importdocsql.php?
submit_show=true&do=import&docpath=../../../
With this request you can list the internal directories in the root dir
in a win installation ( normally c:\ ).
Note that you can't request files ( only dirs ) with
db_details_importdocsql.php if you attempt to get a file you get this
message: This was not a Directory .
SAMPLE RESULT OF A CGI-BIN DIRECTORY LISTED WITH THIS ATTACK:
Server iamnottotallysecured.not
Ignoring the file .
Ignoring the file ..
Ignoring the file phf.cgi // ;-)
Ignoring the file dumpenv.pl
Ignoring the file test-cgi // ;-)
Ignoring the file testcgi.pl // ;-D
Ignoring the file wwwboard.pl
Ignoring the file count.cgi
Ignoring the file php.cgi // ;-D
Ignoring the file passwd.pl
Ignoring the file admin.cgi
Ignoring the file ftp.cgi
Ignoring the file formmail.pl // ;-D
Ignoring the file proxy.pl
_______
Samples:
"""""""
Note that this paths are from my personal server in my testing lab:
The target user or you must be logged in for run the attacks :
http://localhost/mysql/sql.php?sql_query=">..<h1>XSS ! Oh my God!</h1>
http://localhost/mysql/db_datadict.php?db=XSS
http://localhost/mysql/db_details_importdocsql.php?
submit_show=true&do=import&docpath=../../../BOOT.ini
http://localhost/mysql/read_dump.php?
db=nonexistent&sql_query="><h1>XSS</h1>
http://localhost/mysql/tbl_properties_links.php?
table_info_num_rows=10&url_query="><h1>XSS
------------------
| INFORMATION |
| ENCODING |
| WEAKNESS |
------------------
phpMyAdmin doesn't use any encoding type like BASE64/RadiX64 , only saves
the user data ( username and password too ) in plain text without any
encoding.
The authentication token in the cookie is this:
pma_cookie_username=[UserName]; lang=[language]-iso-8859-1;
pma_cookie_password=[your password]
A sample is:
pma_cookie_username=god; lang=en-iso-8859-1;
pma_cookie_password=doesnotexist
-----------------
| SOLUTIONS ;-p |
-----------------
- First: Redefine the errors flags in php.ini to Off. [Path Disclosures]
- Second: Use a partial / secure encoding for athentication tokens like
RadiX64 ( not very secure but an attacker
can think that is a more secure algorithm , obscurity ;-D ) .
- Three: Review the db_details_importdocsql.php file for prevent
transversal directory attacks and remote local directory listing.
-----------
| CONTACT |
-----------
Lorenzo Hernandez Garcia-Hierro
--- Computer Security Analyzer ---
--Nova Projects Professional Coding--
PGP: Keyfingerprint
B6D7 5FCC 78B4 97C1 4010 56BC 0E5F 2AB2
ID: 0x9C38E1D7
**********************************
NSRGroup : http://security.novappc.com
are you totally secured ?
______________________
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]