[UNIX] phpMyAdmin Multiple CSRF Vulnerabilities
- From: SecuriTeam <support@xxxxxxxxxxxxxx>
- Date: 3 Oct 2006 11:12:34 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
phpMyAdmin Multiple CSRF Vulnerabilities
------------------------------------------------------------------------
SUMMARY
<http://www.phpmyadmin.net> phpMyAdmin is "a tool written in PHP intended
to handle the administration of MySQL over the Web. Currently it can
create and drop databases, create/drop/alter tables, delete/edit/add
fields, execute any SQL statement, manage keys on fields, manage
privileges, export data into various formats and is available in 50
languages".
During an audit of phpMyAdmin's protection against CSRF (Cross Site
Request Forgery) we discovered multiple ways to bypass the protection.
The failure of phpMyAdmin's CSRF protection means that an attacker can
use CSRF to trick the browser of a logged-in phpMyAdmin user into
executing any kind of SQL query on the victim's database server.
DETAILS
Vulnerable Systems:
* phpMyAdmin version 2.9.0 and prior
Immune Systems:
* phpMyAdmin version 2.9.0.1
phpMyAdmin uses a random token that is stored within the user's session to
protect against Cross Site Request Forgeries. CSRF basically means that a
website tricks the browser of a visiting user into issuing HTTP requests
against another site that does not verify that the request was intended.
In the case of phpMyAdmin a CSRF vulnerability means that another site
could trick the browser of a phpMyAdmin user into issuing arbitrary SQL
queries against that user's database.
In phpMyAdmin the CSRF protection works like this:
1) Start PHP's session handling
2) Is there already a token assigned to the session? -> No: create a
random token
3) Is the supplied token equal to the session token? -> No: unset() all
request variables not in the white-list
While this design could actually work, the implementation in phpMyAdmin
was vulnerable to multiple attacks, because before and during the three
steps mentioned above several modifications to the request variable
arrays are made and these variables get globalised. (This is done within
the PHP code and has nothing to do with register_globals.)
The attacks we found target different phases of the CSRF protection. The
following is an overview of the vulnerabilities within the three phases.
For each phase several different attacks are possible. Several of the
attacks require GPC variables with names that are equal to PHP's
superglobals, therefore these attacks are automatically stopped by our
Suhosin extension.
Token Verification
The token verification could be tricked because there existed several
flaws in the globalisation routine that allowed destroying the content of
the session variables. Additionally, the special handling of session
variables while register_globals is activated allowed setting the session
token directly from within the URL. It is obviously very easy to "guess"
the required token when the token is empty or has been set to a value of
the attacker's choice.
Determine which variables to unset
The _REQUEST array was used to determine which variables should be unset()
but phpMyAdmin contained intended and unintended ways that allowed
overwriting the content of the _REQUEST array. In the new version all GPC
arrays are used for this process and the unintended way to destroy
superglobal arrays within the globalisation was closed.
Unset variables
unset() is a dangerous function because older PHP versions (which are
still installed on most servers) contained vulnerabilities that allowed
bypassing it. For further information take a look at:
http://www.hardened-php.net/critical_php_vulnerability_explained.124.html
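The three-step design described above, as an added example written for this
page (not phpMyAdmin's own code): a PHP 7+ token check that reads the token
only from the server-side session before any request data is globalised,
treats an empty or non-string token as a failure (the "guess the empty
token" case), and aborts the request on mismatch instead of unset()-ing
request variables, so the unset() bypasses mentioned above do not apply.
The function names are assumptions of this example.

```php
<?php
// Added example, not phpMyAdmin code. Requires PHP >= 7 for random_bytes(),
// hash_equals() and the null coalescing operator.
declare(strict_types=1);

function csrf_token(): string
{
    // Steps 1 and 2: the token lives only in the server-side session and is
    // created once. It is read from $_SESSION before any request data is
    // copied into the global scope, so a request parameter cannot replace it.
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION['csrf_token']) || !is_string($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function csrf_check(array $request): bool
{
    // Step 3: compare the submitted token with the session token. An empty
    // or non-string value never matches, and hash_equals() avoids timing
    // leaks. Nothing is globalised or unset(); on mismatch the caller
    // aborts the whole request.
    $supplied = $request['token'] ?? null;
    if (!is_string($supplied) || $supplied === '') {
        return false;
    }
    return hash_equals(csrf_token(), $supplied);
}

function csrf_field(): string
{
    // Embed the token in every state-changing form.
    return '<input type="hidden" name="token" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

// Request handling: fail closed before any SQL statement is built.
if ($_SERVER['REQUEST_METHOD'] === 'POST' && !csrf_check($_POST)) {
    http_response_code(403);
    exit('Missing or invalid CSRF token.');
}
```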
Disclosure Timeline:
23. September 2006 - Contacted phpMyAdmin developers by email
01. October 2006 - Updated phpMyAdmin was released
01. October 2006 - Public Disclosure
Recommendation:
It is strongly recommended to upgrade to the newest version of phpMyAdmin
2.9.0.1 which you can download at:
http://www.phpmyadmin.net/home_page/downloads.php
ADDITIONAL INFORMATION
The information has been provided by Stefan Esser <sesser@xxxxxxxxxxxxxxxx>.
The original article can be found at:
http://www.hardened-php.net/advisory_072006.130.html