Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
[Full-disclosure] Advisory 12/2006: phpMyAdmin - error.php XSS Vulnerability

From: Stefan Esser (sesserhardened-php.net)
Date: Thu Nov 02 2006 - 02:10:38 CST

Hash: SHA1

                        Hardened-PHP Project

                      -= Security Advisory =-

     Advisory: phpMyAdmin - error.php XSS Vulnerability
 Release Date: 2006/11/02
Last Modified: 2006/11/02
       Author: Stefan Esser [sesserhardened-php.net]

  Application: phpMyAdmin <=
     Severity: XSS vulnerability in an error displaying script
         Risk: Medium Critical
Vendor Status: Vendor has a released an updated version
   References: http://www.hardened-php.net/advisory_122006.137.html


   Quote from http://www.phpmyadmin.net
   "phpMyAdmin is a tool written in PHP intended to handle the
   administration of MySQL over the Web. Currently it can create and
   drop databases, create/drop/alter tables, delete/edit/add fields,
   execute any SQL statement, manage keys on fields, manage privileges,
   export data into various formats and is available in 50 languages."

   It was discovered that phpMyAdmin comes with a script to display
   error messages that supports displaying the error in a user supplied
   charset. Unfortunately the encoding of the error message is not
   taking the charset into account which can result into XSS when UTF-7
   is selected. (Other charsets like US-ASCII can also be used to
   exploit this in some browsers.)
   To trigger this XSS vulnerability an attacker just needs to call
   the error displaying script with charset=utf-7 and utf-7 encoded
   HTML tags in the error message.

Proof of Concept:

   The Hardened-PHP Project is not going to release exploits for
   this vulnerability to the public.

Disclosure Timeline:

   18. October 2006 - Contacted phpMyAdmin developers by email
   01. November 2006 - Updated phpMyAdmin was released
   02. November 2006 - Public Disclosure


   It is strongly recommended to upgrade to the newest version of
   phpMyAdmin which you can download at:




   pub 1024D/0A864AA1 2004-04-17 Hardened-PHP Signature Key
   Key fingerprint = 066F A6D0 E57E 9936 9082 7E52 4439 14CC 0A86 4AA1

Copyright 2006 Stefan Esser. All rights reserved.

Version: GnuPG v1.4.3 (GNU/Linux)


Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/