Re: phpMyAdmin 3.3.5 / 2.11.10 <= Cross Site Scripting (XSS) Vulnerability

[Christian Sciberras <uuf6429 () gmail com>]

After looking into several sources, I've found the following:

6. IMPACT

Attackers can compromise currently logged-in user session and inject
arbitrary SQL statements (CREATE,INSERT,UPDATE,DELETE)
via crafted XSS payloads.


Which I presume means it affects the system only with a registered (and a
logged in) account.

I don't mean to boss you or anyone around, but why wasn't that detail well
written around?
Surely I won't risk wasting time fixing a possible bad patch when it doesn't
affect my install in the least (since it's only me that is using
phpMyAdmin).

I'm usually quite paranoid about security, but I don't  want to risk wasting
unnecessary time espeially considering it doesn't affect my security at all.

I'm not trying to nitpick or anything, but if I were you, I'd make it a
point to make the real impact well known, unless the vulnerabilities have
been published in the interest of  popularity rather than true concern.


Cheers,
Christian Sciberras.



On Wed, Aug 25, 2010 at 8:29 PM, YGN Ethical Hacker Group <lists () yehg net>wrote:

> Did you read the advisory that contains vendor advisory link -
> http://www.phpmyadmin.net/home_page/security/PMASA-2010-5.php ?
>
>
>
>
> On Sat, Aug 21, 2010 at 12:46 AM, Christian Sciberras <uuf6429 () gmail com>
> wrote:
> > Since I didn't see this mentioned even on their website, (phpmyadmin.net),
> I
> > would like to ask, are these vulnerabilities existent in world-public OR
> > registered users part (OR both)?
> >
> > Regards,
> > Chris.
> >
> >
> >
> >
> >
> >
> > On Fri, Aug 20, 2010 at 6:32 PM, YGN Ethical Hacker Group <
> lists () yehg net>
> > wrote:
> > >
> ==============================================================================
> > >  phpMyAdmin 3.3.5 / 2.11.10 <= Cross Site Scripting (XSS) Vulnerability
> ==============================================================================
> > > 1. OVERVIEW
> > >
> > > The phpMyAdmin web application was vulnerable to Cross Site Scripting
> > > vulnerability.
> > >
> > >
> > > 2. PRODUCT DESCRIPTION
> > >
> > > phpMyAdmin is a free software tool written in PHP intended to handle
> > > the administration of MySQL over the World Wide Web.
> > > phpMyAdmin supports a wide range of operations with MySQL.
> > > The most frequently used operations are supported by the user
> > > interface (managing databases, tables, fields, relations,
> > > indexes, users, permissions, etc), while you still have the ability to
> > > directly execute any SQL statement.
> > >
> > >
> > > 3. VULNERABILITY DESCRIPTION
> > >
> > > Some URLs in phpMyAdmin do not properly escape user inputs that lead
> > > to cross site scripting vulnerability.
> > > For more information about this kind of vulnerability, see OWASP Top
> > > 10 - A2, WASC-8 and
> > > CWE-79: Improper Neutralization of Input During Web Page Generation
> > > ('Cross-site Scripting').
> > >
> > >
> > > 4. VERSIONS AFFECTED
> > >
> > > phpMyAdmin 3.3.5 and lower
> > > phpMyAdmin 2.11.10  and lower
> > >
> > >
> > > 5. PROOF-OF-CONCEPT/EXPLOIT
> http://yehg.net/lab/pr0js/advisories/phpmyadmin/3.3.5/xss/db_sql.php-01.jpg
> > >
> http://yehg.net/lab/pr0js/advisories/phpmyadmin/3.3.5/xss/db_sql.php-02.jpg
> > >
> http://yehg.net/lab/pr0js/advisories/phpmyadmin/3.3.5/xss/db_structure.php-01.jpg
> > >
> http://yehg.net/lab/pr0js/advisories/phpmyadmin/3.3.5/xss/db_structure.php-02.jpg
> > >
> http://yehg.net/lab/pr0js/advisories/phpmyadmin/3.3.5/xss/server_databases.php-01.jpg
> > >
> http://yehg.net/lab/pr0js/advisories/phpmyadmin/3.3.5/xss/server_databases.php-02.jpg
> > >
> http://yehg.net/lab/pr0js/advisories/phpmyadmin/3.3.5/xss/server_privileges.php-01.jpg
> > >
> http://yehg.net/lab/pr0js/advisories/phpmyadmin/3.3.5/xss/server_privileges.php-02.jpg
> > >
> http://yehg.net/lab/pr0js/advisories/phpmyadmin/3.3.5/xss/sql.php-01.jpg
> > >
> http://yehg.net/lab/pr0js/advisories/phpmyadmin/3.3.5/xss/sql.php-02.jpg
> > > And full list of URLs (of both <probably> unexploitable/exploitable)
> > > that fail to html escape user inputs:
> > >
> > > UR: http://target/phpmyadmin/db_search.php
> > > Affected Parameter(s):  field_str
> > >
> > > URL: http://target/phpmyadmin/db_sql.php
> > > Affected Parameter(s):  QUERY_STRING, delimiter
> > >
> > > URL: http://target/phpmyadmin/db_structure.php
> > > Affected Parameter(s): sort
> > >
> > > URL:  http://target/phpmyadmin/js/messages.php
> > > Affected Parameter(s): db
> > >
> > > URL: http://target/phpmyadmin/server_databases.php
> > > Affected Parameter(s): sort_by
> > >
> > > URL: http://target/phpmyadmin/server_privileges.php
> > > Affected Parameter(s): QUERY_STRING, checkprivs, dbname,
> > > pred_tablename, selected_usr[], tablename , username
> > >
> > > URL: http://target/phpmyadmin/setup/config.php
> > > Affected Parameter(s): DefaultLang
> > >
> > > URL: http://target/phpmyadmin/sql.php
> > > Affected Parameter(s): QUERY_STRING, cpurge,
> > > goto,purge,purgekey,table,zero_rows
> > >
> > > URL: http://target/phpmyadmin/tbl_replace.php
> > > Affected (Dynamic) Parameter(s):
> > > fields[multi_edit][0][f7235a61fdc3adc78d866fd8085d44db],
> > > fields_name[multi_edit][0][349e686330723975502e9ef4f939a5ac]
> > >
> > >
> > > 6. IMPACT
> > >
> > > Attackers can compromise currently logged-in user session and inject
> > > arbitrary SQL statements (CREATE,INSERT,UPDATE,DELETE)
> > > via crafted XSS payloads.
> > >
> > >
> > > 7. SOLUTION
> > >
> > > Upgrade to phpMyAdmin 3.3.5.1 or 2.11.10.1
> > >
> > >
> > > 8. VENDOR
> > >
> > > phpMyAdmin (http://www.phpmyadmin.net)
> > >
> > >
> > > 9. CREDIT
> > >
> > > This vulnerability was discovered by Aung Khant, http://yehg.net, YGN
> > > Ethical Hacker Group, Myanmar.
> > >
> > >
> > > 10. DISCLOSURE TIME-LINE
> > >
> > > 08-09-2010: vulnerability discovered
> > > 08-10-2010: notified vendor
> > > 08-20-2010: vendor released fix
> > > 08-20-2010: vulnerability disclosed
> > >
> > >
> > > 11. REFERENCES
> > >
> > > Vendor Advisory URL:
> > > http://www.phpmyadmin.net/home_page/security/PMASA-2010-5.php
> > > Original Advisory URL:
> http://yehg.net/lab/pr0js/advisories/phpmyadmin/[phpmyadmin-3.3.5]_cross_site_scripting(XSS)<http://yehg.net/lab/pr0js/advisories/phpmyadmin/[phpmyadmin-3.3.5]_cross_site_scripting%28XSS%29>
> > > Previous Release:
> > > http://www.phpmyadmin.net/home_page/security/PMASA-2008-6.php
> > > XSS FAQ: http://www.cgisecurity.com/xss-faq.html
> > > OWASP Top 10:
> > > http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
> > > CWE-79: http://cwe.mitre.org/data/definitions/79.html
> > >
> > >
> > > #yehg [08-20-2010]
> > >
> > >
> > >
> > > ---------------------------------
> > > Best regards,
> > > YGN Ethical Hacker Group
> > > Yangon, Myanmar
> > > http://yehg.net
> > > Our Lab | http://yehg.net/lab
> > > Our Directory | http://yehg.net/hwd
> > >
> > > _______________________________________________
> > > Full-Disclosure - We believe in it.
> > > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > > Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/