Search (keywords):  SOFT ARTICLES TIPS & TRICKS SECURITY LINKS NEWS MAN DOCUMENTATION

<< Previous INDEX Search src Set bookmark Go to bookmark Next >>

From: "Alice Bryson" <abryson@bytefocus.com.>
To: <bugtraq@securityfocus.com.>
Subject: phpMyAdmin server_privileges.php SQL Injection Vulnerabilities.
Date: Sat, 17 Dec 2005 09:39:36 +0800
MIME-Version: 1.0
Content-Type: text/plain;
        charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Microsoft Office Outlook, Build 11.0.5510
Thread-Index: AcYCqrz3bPnrURduTRe3GJaaHkgXLQ==
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
Message-ID: <DEV-LOUIS-WIN4KhAfd00000002@lwang.org.>
X-OriginalArrivalTime: 17 Dec 2005 01:39:37.0109 (UTC) FILETIME=[BD597450:01C602AA]
X-Virus-Scanned: antivirus-gw at tyumen.ru

phpMyAdmin server_privileges.php SQL Injection Vulnerabilities.

I. BACKGROUND
phpMyAdmin is a tool written in PHP intended to handle the =
administration of MySQL over the Web.

II. DESCRIPTION
phpMyAdmin server_privileges.php is prone to SQL Injection =
vulnerability. A remote attacker may execute arbitrary SQL command by =
sending specially-crafted URI to server_privileges.php db_name or =
checkprivs parameter.=20

III. PUBLISH DATE
2005-12-7

IV. AUTHOR
[email protected]

V. AFFECTED SOFTWARE
phpMyAdmin 2.7.0 is confirmed to affected. Older versions may also be =
affected.
The following vendors distribute vulnerable phpMyAdmin package:
The FreeBSD Project=20
Gentoo Foundation=20
Novell, Inc. (SuSE)=20
The Debian Project (SuSE)

VI. ANALYSIS
in server_privileges.php
line 27:
if ( isset( $dbname ) ) {
    //if ( preg_match( '/\\\\(?:_|%)/i', $dbname ) ) {
    if ( preg_match( '/(?<!\\\\)(?:_|%)/i', $dbname ) ) {
        $dbname_is_wildcard =3D true;
    } else {
        $dbname_is_wildcard =3D false;
    }
}
parameter $dbname is not validate properly.

line 1197:
if (isset($viewing_mode) && $viewing_mode =3D=3D 'db') {
     $db =3D $checkprivs;
     $url_query .=3D '&amp;goto=3Ddb_operations.php';

     // Gets the database structure
     $sub_part =3D '_structure';
     require('./db_details_db_info.php');
     echo "\n";
} else {
    require('./server_links.inc.php');
}

line 1241:=20
if ( empty( $adduser ) && empty( $checkprivs ) ) {

parameter $checkprivs not validate properly.

VII. Proof of Concept
http://victim/phpmyadmin/server_privileges.php?server=3D1&checkprivs=3D'
http://victim/phpmyadmin/server_privileges.php?server=3D1&hostname=3D'&us=
ername=3D1&dbname=3D1&tablename=3D1

VIII. SOLUTION
I have not contact the vendor, and no aware of any security patch till =
now.

IX. REFERENCE=20
http://www.phpmyadmin.net

<< Previous INDEX Search src Set bookmark Go to bookmark Next >>

Партнёры:

Хостинг: