phpmyadmin-xss.txt

2007-01-14T00:00:00
ID PACKETSTORM:53649
Type packetstorm
Reporter AlFa
Modified 2007-01-14T00:00:00

Description

                                        
[Virtuax ASCII banner] Security without illusions - www.virtuax.be
  
  
Application: Phpmyadmin  
Vulnerable Versions: <= v2.8.1  
Vulnerability: XSS  
  
Vendor: http://www.phpmyadmin.net  
Vendor Status: notified  
  
Found: 11-01-2007  
Public Release Date: 12-01-2007  
Last modified: 12-01-2007  
Author: AlFa  
  
reference: http://www.virtuax.be/advisories/Advisory1-12012007.txt  
  
=================================================================================  
  
Shouts to Ciri, ShadoW, RedFern, Dreamer and the rest of the Virtuax Community =)  
  
=================================================================================  
  
  
  
I. Background  
-------------  
  
"phpMyAdmin is a tool written in PHP intended to handle the administration of MySQL
over the Web. Currently it can create and drop databases, create/drop/alter tables,
delete/edit/add fields, execute any SQL statement, manage keys on fields, manage
privileges, export data into various formats and is available in 50 languages."
(phpmyadmin.net)
  
  
This issue was fixed in phpMyAdmin v2.8.2.
  
[quote=changelog]  
2006-06-30 Marc Delisle <lem9@users.sourceforge.net>  
* libraries/common.lib.php: escape also single quotes   
### 2.8.2 released from QA_2_8   
  
2006-06-28 Marc Delisle <lem9@users.sourceforge.net>  
* libraries/common.lib.php: escape allowed parameters from non-token   
requests   
[/quote]  
  
  
  
II. Vulnerability  
-----------------  
  
Originally, phpMyAdmin < 2.6.2-rc1 contained an XSS vulnerability caused by
missing validation of input supplied to the "convcharset" variable (reference:
http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2005-3). This problem was
solved by sanitizing $convcharset by passing it through the PMA_sanitize() function.
However, that function only escapes > and < and neglects quotes in all versions
prior to 2.8.1. Here is the code:
  
  
[code=./libraries/common.lib.php]  
  
// XSS
if (isset($convcharset)) {
    $convcharset = PMA_sanitize($convcharset);
}
  
[/code]  
  
  
  
[code=./libraries/sanitizing.lib.php]  
  
function PMA_sanitize($message)
{
    // Only the angle brackets are entity-encoded; quotes are left as they are.
    $replace_pairs = array(
        '<'         => '&lt;',
        '>'         => '&gt;',
        '[i]'       => '<em>',      // deprecated by em
        '[/i]'      => '</em>',     // deprecated by em
        '[em]'      => '<em>',
        '[/em]'     => '</em>',
        '[b]'       => '<strong>',  // deprecated by strong
        '[/b]'      => '</strong>', // deprecated by strong
        '[strong]'  => '<strong>',
        '[/strong]' => '</strong>',
        '[tt]'      => '<code>',    // deprecated by CODE or KBD
        '[/tt]'     => '</code>',   // deprecated by CODE or KBD
        '[code]'    => '<code>',
        '[/code]'   => '</code>',
        '[kbd]'     => '<kbd>',
        '[/kbd]'    => '</kbd>',
        '[br]'      => '<br />',
        '[/a]'      => '</a>',
    );
    return preg_replace('/\[a@([^"@]*)@([^]"]*)\]/', '<a href="\1" target="\2">', strtr($message, $replace_pairs));
}
  
[/code]  
  
  
Now, because we can't use > or <, we can't break out of the input element,
so we have to use attributes to get this trick working. We can use the
style attribute to insert some CSS code and call JavaScript,
just like we can do in a regular cascading style sheet, e.g.:
  
STYLE="background-image: url(javascript:alert('XSS'))"  
  
  
  
IIa. Affected Browsers  
----------------------  
  
All versions of Firefox seem to be not vulnerable to this attack (1.5 and 2.0 tested).

Opera also seems to be safe (v8.53 and v9.10 tested).


IE 6.x is not safe, but IE 7.x is. Not yet tested: IE 5.x (but IE 5.2 for Mac seems to be not vulnerable).
  
  
  
III. PoC  
--------  
  
https://phpmyadmin.example.com/?convcharset=%22%20STYLE=%22background-image:%20url(javascript:alert('XSS'))%22%20r=%22  
  
  
  
IV. Solution  
------------  
  
A. Quick fix
Replace this code (./main.php):
  
<input type="hidden" name="convcharset" value="<?php echo $convcharset; ?>" />  
  
with this code:  
  
<input type="hidden" name="convcharset" value="<?php echo addslashes($convcharset); ?>" />  
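The following added PHP example (not phpMyAdmin's code) demonstrates the point of sections II and IV: the PoC value passes PMA_sanitize() unchanged because only < and > are replaced, so the double quote closes the value attribute and a STYLE attribute is injected, whereas escaping the value for the attribute context with htmlspecialchars() and ENT_QUOTES keeps the whole payload inside the attribute. The function names, the simplified sanitizer and the DOM-based regression check are assumptions of this example.

```php
<?php
// Added example, not phpMyAdmin code; function names are hypothetical.
// Only the two tag replacements of PMA_sanitize() matter here; the BBCode
// pairs are left out. Quotes pass through untouched, which is the problem.
function pma_sanitize_like($message)
{
    return strtr($message, array('<' => '&lt;', '>' => '&gt;'));
}

// Vulnerable pattern from main.php: the sanitized value lands in a
// double-quoted attribute without attribute escaping.
function render_hidden_vulnerable($convcharset)
{
    return '<input type="hidden" name="convcharset" value="'
        . pma_sanitize_like($convcharset) . '" />';
}

// Hardened pattern: escape the raw value for the attribute context.
// ENT_QUOTES covers both quote styles; htmlspecialchars() also handles
// < > &, so PMA_sanitize() is not chained (that would double-encode).
function render_hidden_hardened($convcharset)
{
    return '<input type="hidden" name="convcharset" value="'
        . htmlspecialchars($convcharset, ENT_QUOTES, 'UTF-8') . '" />';
}

// Regression check: parse the markup and report whether the <input> ended
// up with a style attribute, i.e. whether the payload broke out of value.
function has_injected_style($html)
{
    libxml_use_internal_errors(true);   // tolerate fragment parsing noise
    $doc = new DOMDocument();
    $doc->loadHTML($html);
    libxml_clear_errors();
    $input = $doc->getElementsByTagName('input')->item(0);
    foreach ($input ? $input->attributes : array() as $attr) {
        if (strtolower($attr->name) === 'style') {
            return true;
        }
    }
    return false;
}
// Constructed input: the URL-decoded convcharset value from the PoC above.
$payload = '" STYLE="background-image: url(javascript:alert(\'XSS\'))" r="';
foreach (array('vulnerable' => render_hidden_vulnerable($payload),
               'hardened'   => render_hidden_hardened($payload)) as $name => $html) {
    printf("%-10s style injected: %s\n  %s\n",
           $name, has_injected_style($html) ? 'yes' : 'no', $html);
}
```

The vulnerable rendering yields an input element carrying a style attribute, the hardened one a single value attribute containing the encoded payload, which is the property a maintainer would keep as a regression test.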
  
  
B. Upgrade to a newer version of phpMyAdmin, which you can find here:
http://www.phpmyadmin.net/home_page/downloads.php
  
  
  
V. Timeline  
-----------  
  
11-01-2007: vulnerability found + contact with vendor  
12-01-2007: public disclosure + vendor removed old (vulnerable) versions from download section  
  
  
  
Copyright 2007 by AlFa from Virtuax.be. All rights reserved.
  