---------------------------------------------------------------------------------
|		____   ____.__         __                       		|
|		\   \ /   /|__|_______/  |_ __ _______  ___  ___		|
|		 \   Y   / |  \_  __ \   __\  |  \__  \ \  \/  /		|
|		  \     /  |  ||  | \/|  | |  |  // __ \_>    < 		|
|		   \___/   |__||__|   |__| |____/(____  /__/\_ \		|
|            			                      \/      \/		|
|			     Security without illusions				|
|				   www.virtuax.be				|
|										|
---------------------------------------------------------------------------------


			  Application: Phpmyadmin
		  Vulnerable Versions: <= v2.8.1
			Vulnerability: XSS

			       Vendor: http://www.phpmyadmin.net
			Vendor Status: notified

				Found: 11-01-2007
		  Public Release Date: 12-01-2007
			Last modified: 12-01-2007
			       Author: AlFa
	 
	reference: http://www.virtuax.be/advisories/Advisory1-12012007.txt

=================================================================================

Shouts to Ciri, ShadoW, RedFern, Dreamer and the rest of the Virtuax Community =)

=================================================================================



I. Background
-------------

"phpMyAdmin is a tool written in PHP intended to handle the administration of MySQL 
 over the Web. Currently it can create and drop databases, create/drop/alter tables, 
 delete/edit/add fields, execute any SQL statement, manage keys on fields, manage 
 privileges, export data into various formats and is available in 50 languages."
								by phpmyadmin.net


This issue was fixed in phpmyadmin v2.8.2

[quote=changelog]
2006-06-30 Marc Delisle  <lem9@users.sourceforge.net>
    * libraries/common.lib.php: escape also single quotes 
    ### 2.8.2 released from QA_2_8 

2006-06-28 Marc Delisle  <lem9@users.sourceforge.net>
    * libraries/common.lib.php: escape allowed parameters from non-token 
      requests 
[/quote]



II. Vulnerability
-----------------

Originally phpMyAdmin < 2.6.2-rc1 contained an XSS vulnerability caused by missing
validation of the input supplied to the "convcharset" variable (reference:
http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2005-3). That problem was
addressed by passing $convcharset through the PMA_sanitize() function.
However, that function only escapes > and < and leaves quotes untouched in all versions
up to and including 2.8.1. Here is the relevant code:


[code=./libraries/common.lib.php]

// XSS
if (isset($convcharset)) {
    $convcharset = PMA_sanitize($convcharset);
}

[/code]



[code=./libraries/sanitizing.lib.php]

function PMA_sanitize($message)
{
    $replace_pairs = array(
        '<'         => '&lt;',
        '>'         => '&gt;',
        '[i]'       => '<em>',      // deprecated by em
        '[/i]'      => '</em>',     // deprecated by em
        '[em]'      => '<em>',
        '[/em]'     => '</em>',
        '[b]'       => '<strong>',  // deprecated by strong
        '[/b]'      => '</strong>', // deprecated by strong
        '[strong]'  => '<strong>',
        '[/strong]' => '</strong>',
        '[tt]'      => '<code>',    // deprecated by CODE or KBD
        '[/tt]'     => '</code>',   // deprecated by CODE or KBD
        '[code]'    => '<code>',
        '[/code]'   => '</code>',
        '[kbd]'     => '<kbd>',
        '[/kbd]'    => '</kbd>',
        '[br]'      => '<br />',
        '[/a]'      => '</a>',
    );
    return preg_replace('/\[a@([^"@]*)@([^]"]*)\]/', '<a href="\1" target="\2">', strtr($message, $replace_pairs));
}

[/code]


Because > and < are escaped we cannot break out of the <input> tag itself, but
nothing stops a double quote from terminating the value attribute. So the trick
is to close that attribute and append attributes of our own. A style attribute
lets us inject CSS, and from CSS we can call JavaScript just as in a regular
cascading style sheet (on browsers that honour url(javascript:...), see IIa), e.g.:
 
		STYLE="background-image: url(javascript:alert('XSS'))"

The trailing r=" in the PoC below only swallows the quote that originally closed
the value attribute, so the resulting markup stays well-formed.



IIa. Affected Browsers
----------------------

Firefox seems not to be vulnerable to this attack (1.5 and 2.0 tested).

Opera also seems to be safe (v8.53 and v9.10 tested).


IE 6.x is vulnerable, IE 7.x is not. IE 5.x for Windows has not been tested (IE 5.2 for Mac seems not to be vulnerable).



III. PoC
--------

https://phpmyadmin.example.com/?convcharset=%22%20STYLE=%22background-image:%20url(javascript:alert('XSS'))%22%20r=%22



IV. Solution
------------

	A. Quickfix
		Replace this code (./main.php):

			<input type="hidden" name="convcharset" value="<?php echo $convcharset; ?>" />

		with this code:
			
			<input type="hidden" name="convcharset" value="<?php echo htmlspecialchars($convcharset, ENT_QUOTES); ?>" />

		Note that addslashes() is not a fix for this: it only puts a backslash in
		front of the quote, and an HTML parser does not treat a backslash as an
		escape, so the attribute value still ends at the attacker's quote. The
		quotes have to become entities (&quot; and &#039;), which is exactly what
		htmlspecialchars() with ENT_QUOTES does.

	
	B. upgrade to the new(er/est) version of phpmyadmin which you can find here: 
		http://www.phpmyadmin.net/home_page/downloads.php
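The following is an added example and is not code from this advisory or from phpMyAdmin. It copies the 2.8.1 PMA_sanitize() table quoted in section II under the name pma_sanitize_281 (so it cannot collide with a real install) and renders main.php's hidden field for the convcharset value from the section III PoC under four treatments: no escaping, PMA_sanitize(), addslashes() and htmlspecialchars() with ENT_QUOTES, which is the quickfix above. The helper names, the way the hidden field is assembled as a string, and the second "no-quote" payload are this example's own assumptions; the point it shows is that a backslash is not an escape character to an HTML parser, so the attribute boundary is only held by turning the quote into an entity.

```php
<?php
// Added example (not code from the advisory or from phpMyAdmin): the 2.8.1
// sanitizer quoted in section II is reproduced as pma_sanitize_281 and the
// hidden field from main.php is rendered with four treatments of convcharset.

// The 2.8.1 PMA_sanitize() table: only < and > become entities; the rest is
// BBCode-to-HTML markup that never touches a double quote.
function pma_sanitize_281($message)
{
    $replace_pairs = array(
        '<' => '&lt;',            '>' => '&gt;',
        '[i]' => '<em>',          '[/i]' => '</em>',
        '[em]' => '<em>',         '[/em]' => '</em>',
        '[b]' => '<strong>',      '[/b]' => '</strong>',
        '[strong]' => '<strong>', '[/strong]' => '</strong>',
        '[tt]' => '<code>',       '[/tt]' => '</code>',
        '[code]' => '<code>',     '[/code]' => '</code>',
        '[kbd]' => '<kbd>',       '[/kbd]' => '</kbd>',
        '[br]' => '<br />',       '[/a]' => '</a>',
    );
    return preg_replace('/\[a@([^"@]*)@([^]"]*)\]/', '<a href="\1" target="\2">',
                        strtr($message, $replace_pairs));
}

// The hidden field emitted by main.php, with the value dropped in as-is
// (assumed string layout, matching the line quoted in section IV).
function hidden_field($value)
{
    return '<input type="hidden" name="convcharset" value="' . $value . '" />';
}

// What a browser takes as the value attribute: everything between value="
// and the next double quote. A backslash in front of that quote is just
// another character to an HTML parser.
function browser_value_attr($markup)
{
    $start = strpos($markup, 'value="') + strlen('value="');
    $end   = strpos($markup, '"', $start);
    return substr($markup, $start, $end - $start);
}

// True if a STYLE attribute appears after the quote that ends value, i.e.
// the attacker has left the attribute and added one of their own.
function style_attribute_injected($markup)
{
    $start = strpos($markup, 'value="') + strlen('value="');
    $end   = strpos($markup, '"', $start);
    return stripos($markup, 'STYLE=', $end) !== false;
}

// The correct escaping for a double-quoted attribute: with ENT_QUOTES,
// htmlspecialchars() encodes " as &quot; and ' as &#039; besides < > &.
function escape_attr($value)
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Render one payload under all four treatments and report, per treatment,
// the markup, the value the browser would see and whether STYLE escaped.
function render_cases($payload)
{
    $treatments = array(
        'raw'              => $payload,
        'PMA_sanitize'     => pma_sanitize_281($payload),
        'addslashes'       => addslashes($payload),
        'htmlspecialchars' => escape_attr($payload),
    );
    $rows = array();
    foreach ($treatments as $name => $value) {
        $markup = hidden_field($value);
        $rows[$name] = array(
            'markup'   => $markup,
            'value'    => browser_value_attr($markup),
            'injected' => style_attribute_injected($markup),
        );
    }
    return $rows;
}

$payloads = array(
    // The convcharset value from the section III PoC URL, URL-decoded.
    'PoC payload'      => '" STYLE="background-image: url(javascript:alert(\'XSS\'))" r="',
    // Constructed variant with no spaces or quotes inside the CSS, to show
    // that addslashes() only mangles the characters it happens to find.
    'no-quote variant' => '" STYLE=background-image:url(javascript:alert(1)) r="',
);

foreach ($payloads as $label => $payload) {
    echo "== $label ==\n";
    foreach (render_cases($payload) as $name => $row) {
        printf("%-17s injected=%-3s value=[%s]\n    %s\n",
               $name, $row['injected'] ? 'yes' : 'no', $row['value'], $row['markup']);
    }
}
```

Run it with the php command-line binary. For both payloads the raw and PMA_sanitize rows are identical (the payload contains no < or >), the value attribute is empty and STYLE is parsed as a separate attribute. In the addslashes rows the browser's value attribute is a lone backslash and STYLE is still injected; with the PoC payload the CSS text is damaged by the extra backslashes, but the no-quote variant goes through untouched. Only the htmlspecialchars row keeps the entire payload inside the value attribute.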



V. Timeline
-----------

11-01-2007: vulnerability found + contact with vendor
12-01-2007: public disclosure + vendor removed old (vulnerable) versions from download section



Copyright 2007 by Alfa from Virtuax.be All rights reserved.