phpMyAdminSQL.txt

`phpMyAdmin server_privileges.php SQL Injection Vulnerabilities.  
  
I. BACKGROUND  
phpMyAdmin is a tool written in PHP intended to handle the administration of MySQL over the Web.  
  
II. DESCRIPTION  
phpMyAdmin server_privileges.php is prone to SQL Injection vulnerability. A remote attacker may execute arbitrary SQL command by sending specially-crafted URI to server_privileges.php db_name or checkprivs parameter.   
  
III. PUBLISH DATE  
2005-12-7  
  
IV. AUTHOR  
[email protected]  
  
V. AFFECTED SOFTWARE  
phpMyAdmin 2.7.0 is confirmed to affected. Older versions may also be affected.  
The following vendors distribute vulnerable phpMyAdmin package:  
The FreeBSD Project   
Gentoo Foundation   
Novell, Inc. (SuSE)   
The Debian Project (SuSE)  
  
VI. ANALYSIS  
in server_privileges.php  
line 27:  
if ( isset( $dbname ) ) {  
//if ( preg_match( '/\\\\(?:_|%)/i', $dbname ) ) {  
if ( preg_match( '/(?<!\\\\)(?:_|%)/i', $dbname ) ) {  
$dbname_is_wildcard = true;  
} else {  
$dbname_is_wildcard = false;  
}  
}  
parameter $dbname is not validate properly.  
  
line 1197:  
if (isset($viewing_mode) && $viewing_mode == 'db') {  
$db = $checkprivs;  
$url_query .= '&goto=db_operations.php';  
  
// Gets the database structure  
$sub_part = '_structure';  
require('./db_details_db_info.php');  
echo "\n";  
} else {  
require('./server_links.inc.php');  
}  
  
line 1241:   
if ( empty( $adduser ) && empty( $checkprivs ) ) {  
  
parameter $checkprivs not validate properly.  
  
VII. Proof of Concept  
http://victim/phpmyadmin/server_privileges.php?server=1&checkprivs='  
http://victim/phpmyadmin/server_privileges.php?server=1&hostname='&username=1&dbname=1&tablename=1  
  
VIII. SOLUTION  
I have not contact the vendor, and no aware of any security patch till now.  
  
IX. REFERENCE   
http://www.phpmyadmin.net  
  
  
`