Full Disclosure mailing list archives
Re: phpMyAdmin 3.3.5 / 2.11.10 <= Cross Site Scripting (XSS) Vulnerability
From: Christian Sciberras <uuf6429 () gmail com>
Date: Wed, 25 Aug 2010 21:35:47 +0200
After looking into several sources, I've found the following: 6. IMPACT Attackers can compromise currently logged-in user session and inject arbitrary SQL statements (CREATE,INSERT,UPDATE,DELETE) via crafted XSS payloads. Which I presume means it affects the system only with a registered (and a logged in) account. I don't mean to boss you or anyone around, but why wasn't that detail well written around? Surely I won't risk wasting time fixing a possible bad patch when it doesn't affect my install in the least (since it's only me that is using phpMyAdmin). I'm usually quite paranoid about security, but I don't want to risk wasting unnecessary time espeially considering it doesn't affect my security at all. I'm not trying to nitpick or anything, but if I were you, I'd make it a point to make the real impact well known, unless the vulnerabilities have been published in the interest of popularity rather than true concern. Cheers, Christian Sciberras. On Wed, Aug 25, 2010 at 8:29 PM, YGN Ethical Hacker Group <lists () yehg net>wrote:
Did you read the advisory that contains vendor advisory link - http://www.phpmyadmin.net/home_page/security/PMASA-2010-5.php ? On Sat, Aug 21, 2010 at 12:46 AM, Christian Sciberras <uuf6429 () gmail com> wrote:Since I didn't see this mentioned even on their website, (phpmyadmin.net),Iwould like to ask, are these vulnerabilities existent in world-public OR registered users part (OR both)? Regards, Chris. On Fri, Aug 20, 2010 at 6:32 PM, YGN Ethical Hacker Group <lists () yehg net>wrote:==============================================================================phpMyAdmin 3.3.5 / 2.11.10 <= Cross Site Scripting (XSS) Vulnerability==============================================================================1. OVERVIEW The phpMyAdmin web application was vulnerable to Cross Site Scripting vulnerability. 2. PRODUCT DESCRIPTION phpMyAdmin is a free software tool written in PHP intended to handle the administration of MySQL over the World Wide Web. phpMyAdmin supports a wide range of operations with MySQL. The most frequently used operations are supported by the user interface (managing databases, tables, fields, relations, indexes, users, permissions, etc), while you still have the ability to directly execute any SQL statement. 3. VULNERABILITY DESCRIPTION Some URLs in phpMyAdmin do not properly escape user inputs that lead to cross site scripting vulnerability. For more information about this kind of vulnerability, see OWASP Top 10 - A2, WASC-8 and CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). 4. VERSIONS AFFECTED phpMyAdmin 3.3.5 and lower phpMyAdmin 2.11.10 and lower 5. PROOF-OF-CONCEPT/EXPLOIThttp://yehg.net/lab/pr0js/advisories/phpmyadmin/3.3.5/xss/db_sql.php-01.jpghttp://yehg.net/lab/pr0js/advisories/phpmyadmin/3.3.5/xss/db_sql.php-02.jpghttp://yehg.net/lab/pr0js/advisories/phpmyadmin/3.3.5/xss/db_structure.php-01.jpghttp://yehg.net/lab/pr0js/advisories/phpmyadmin/3.3.5/xss/db_structure.php-02.jpghttp://yehg.net/lab/pr0js/advisories/phpmyadmin/3.3.5/xss/server_databases.php-01.jpghttp://yehg.net/lab/pr0js/advisories/phpmyadmin/3.3.5/xss/server_databases.php-02.jpghttp://yehg.net/lab/pr0js/advisories/phpmyadmin/3.3.5/xss/server_privileges.php-01.jpghttp://yehg.net/lab/pr0js/advisories/phpmyadmin/3.3.5/xss/server_privileges.php-02.jpghttp://yehg.net/lab/pr0js/advisories/phpmyadmin/3.3.5/xss/sql.php-01.jpghttp://yehg.net/lab/pr0js/advisories/phpmyadmin/3.3.5/xss/sql.php-02.jpgAnd full list of URLs (of both <probably> unexploitable/exploitable) that fail to html escape user inputs: UR: http://target/phpmyadmin/db_search.php Affected Parameter(s): field_str URL: http://target/phpmyadmin/db_sql.php Affected Parameter(s): QUERY_STRING, delimiter URL: http://target/phpmyadmin/db_structure.php Affected Parameter(s): sort URL: http://target/phpmyadmin/js/messages.php Affected Parameter(s): db URL: http://target/phpmyadmin/server_databases.php Affected Parameter(s): sort_by URL: http://target/phpmyadmin/server_privileges.php Affected Parameter(s): QUERY_STRING, checkprivs, dbname, pred_tablename, selected_usr[], tablename , username URL: http://target/phpmyadmin/setup/config.php Affected Parameter(s): DefaultLang URL: http://target/phpmyadmin/sql.php Affected Parameter(s): QUERY_STRING, cpurge, goto,purge,purgekey,table,zero_rows URL: http://target/phpmyadmin/tbl_replace.php Affected (Dynamic) Parameter(s): fields[multi_edit][0][f7235a61fdc3adc78d866fd8085d44db], fields_name[multi_edit][0][349e686330723975502e9ef4f939a5ac] 6. IMPACT Attackers can compromise currently logged-in user session and inject arbitrary SQL statements (CREATE,INSERT,UPDATE,DELETE) via crafted XSS payloads. 7. SOLUTION Upgrade to phpMyAdmin 3.3.5.1 or 2.11.10.1 8. VENDOR phpMyAdmin (http://www.phpmyadmin.net) 9. CREDIT This vulnerability was discovered by Aung Khant, http://yehg.net, YGN Ethical Hacker Group, Myanmar. 10. DISCLOSURE TIME-LINE 08-09-2010: vulnerability discovered 08-10-2010: notified vendor 08-20-2010: vendor released fix 08-20-2010: vulnerability disclosed 11. REFERENCES Vendor Advisory URL: http://www.phpmyadmin.net/home_page/security/PMASA-2010-5.php Original Advisory URL:http://yehg.net/lab/pr0js/advisories/phpmyadmin/[phpmyadmin-3.3.5]_cross_site_scripting(XSS)<http://yehg.net/lab/pr0js/advisories/phpmyadmin/[phpmyadmin-3.3.5]_cross_site_scripting%28XSS%29>Previous Release: http://www.phpmyadmin.net/home_page/security/PMASA-2008-6.php XSS FAQ: http://www.cgisecurity.com/xss-faq.html OWASP Top 10: http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project CWE-79: http://cwe.mitre.org/data/definitions/79.html #yehg [08-20-2010] --------------------------------- Best regards, YGN Ethical Hacker Group Yangon, Myanmar http://yehg.net Our Lab | http://yehg.net/lab Our Directory | http://yehg.net/hwd _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- phpMyAdmin 3.3.5 / 2.11.10 <= Cross Site Scripting (XSS) Vulnerability YGN Ethical Hacker Group (Aug 20)
- Message not available
- Re: phpMyAdmin 3.3.5 / 2.11.10 <= Cross Site Scripting (XSS) Vulnerability YGN Ethical Hacker Group (Aug 25)
- Re: phpMyAdmin 3.3.5 / 2.11.10 <= Cross Site Scripting (XSS) Vulnerability Christian Sciberras (Aug 25)
- Re: phpMyAdmin 3.3.5 / 2.11.10 <= Cross Site Scripting (XSS) Vulnerability YGN Ethical Hacker Group (Aug 25)
- Re: phpMyAdmin 3.3.5 / 2.11.10 <= Cross Site Scripting (XSS) Vulnerability YGN Ethical Hacker Group (Aug 25)
- Message not available