phpMyAdmin 3.3.5 / 2.11.10 Cross Site Scripting

2010-08-21T00:00:00
ID PACKETSTORM:92947
Type packetstorm
Reporter Aung Khant
Modified 2010-08-21T00:00:00

Description

==============================================================================  
phpMyAdmin 3.3.5 / 2.11.10 <= Cross Site Scripting (XSS) Vulnerability  
==============================================================================  
  
  
1. OVERVIEW  
  
The phpMyAdmin web application is vulnerable to cross site scripting (XSS):  
several pages reflect user-supplied URL parameters into the HTML response  
without escaping them.  
  
  
2. PRODUCT DESCRIPTION  
  
phpMyAdmin is a free software tool written in PHP intended to handle  
the administration of MySQL over the World Wide Web.  
phpMyAdmin supports a wide range of operations with MySQL.  
The most frequently used operations are supported by the user  
interface (managing databases, tables, fields, relations,  
indexes, users, permissions, etc), while you still have the ability to  
directly execute any SQL statement.  
  
  
3. VULNERABILITY DESCRIPTION  
  
Several phpMyAdmin pages echo GET parameters into the generated HTML  
without HTML-escaping them, which leads to reflected cross site scripting.  
For more information about this kind of vulnerability, see OWASP Top  
10 - A2, WASC-8 and  
CWE-79: Improper Neutralization of Input During Web Page Generation  
('Cross-site Scripting').  
  
  
4. VERSIONS AFFECTED  
  
phpMyAdmin 3.3.5 and lower  
phpMyAdmin 2.11.10 and lower  
  
  
5. PROOF-OF-CONCEPT/EXPLOIT  
  
http://yehg.net/lab/pr0js/advisories/phpmyadmin/3.3.5/xss/db_sql.php-01.jpg  
http://yehg.net/lab/pr0js/advisories/phpmyadmin/3.3.5/xss/db_sql.php-02.jpg  
http://yehg.net/lab/pr0js/advisories/phpmyadmin/3.3.5/xss/db_structure.php-01.jpg  
http://yehg.net/lab/pr0js/advisories/phpmyadmin/3.3.5/xss/db_structure.php-02.jpg  
http://yehg.net/lab/pr0js/advisories/phpmyadmin/3.3.5/xss/server_databases.php-01.jpg  
http://yehg.net/lab/pr0js/advisories/phpmyadmin/3.3.5/xss/server_databases.php-02.jpg  
http://yehg.net/lab/pr0js/advisories/phpmyadmin/3.3.5/xss/server_privileges.php-01.jpg  
http://yehg.net/lab/pr0js/advisories/phpmyadmin/3.3.5/xss/server_privileges.php-02.jpg  
http://yehg.net/lab/pr0js/advisories/phpmyadmin/3.3.5/xss/sql.php-01.jpg  
http://yehg.net/lab/pr0js/advisories/phpmyadmin/3.3.5/xss/sql.php-02.jpg  
  
Full list of URLs and parameters that fail to HTML-escape user input  
(some of these are probably not exploitable in practice):  
  
URL: http://target/phpmyadmin/db_search.php  
Affected Parameter(s): field_str  
  
URL: http://target/phpmyadmin/db_sql.php  
Affected Parameter(s): QUERY_STRING, delimiter  
  
URL: http://target/phpmyadmin/db_structure.php  
Affected Parameter(s): sort  
  
URL: http://target/phpmyadmin/js/messages.php  
Affected Parameter(s): db  
  
URL: http://target/phpmyadmin/server_databases.php  
Affected Parameter(s): sort_by  
  
URL: http://target/phpmyadmin/server_privileges.php  
Affected Parameter(s): QUERY_STRING, checkprivs, dbname,  
pred_tablename, selected_usr[], tablename, username  
  
URL: http://target/phpmyadmin/setup/config.php  
Affected Parameter(s): DefaultLang  
  
URL: http://target/phpmyadmin/sql.php  
Affected Parameter(s): QUERY_STRING, cpurge, goto, purge, purgekey, table, zero_rows  
  
URL: http://target/phpmyadmin/tbl_replace.php  
Affected (Dynamic) Parameter(s):  
fields[multi_edit][0][f7235a61fdc3adc78d866fd8085d44db],  
fields_name[multi_edit][0][349e686330723975502e9ef4f939a5ac]  
  
  
6. IMPACT  
  
An attacker who gets a logged-in user to open a crafted link can run script  
in that user's phpMyAdmin session and, through it, issue arbitrary SQL  
statements (CREATE, INSERT, UPDATE, DELETE) with the victim's privileges.  
  
  
7. SOLUTION  
  
Upgrade to phpMyAdmin 3.3.5.1 or 2.11.10.1  
  
  
8. VENDOR  
  
phpMyAdmin (http://www.phpmyadmin.net)  
  
  
9. CREDIT  
  
This vulnerability was discovered by Aung Khant, http://yehg.net, YGN  
Ethical Hacker Group, Myanmar.  
  
  
10. DISCLOSURE TIME-LINE  
  
08-09-2010: vulnerability discovered  
08-10-2010: notified vendor  
08-20-2010: vendor released fix  
08-20-2010: vulnerability disclosed  
  
  
11. REFERENCES  
  
Vendor Advisory URL:  
http://www.phpmyadmin.net/home_page/security/PMASA-2010-5.php  
Original Advisory URL:  
http://yehg.net/lab/pr0js/advisories/phpmyadmin/[phpmyadmin-3.3.5]_cross_site_scripting(XSS)  
Previous Release: http://www.phpmyadmin.net/home_page/security/PMASA-2008-6.php  
XSS FAQ: http://www.cgisecurity.com/xss-faq.html  
OWASP Top 10: http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project  
CWE-79: http://cwe.mitre.org/data/definitions/79.html  
  
  
#yehg [08-20-2010]  
  
  
  
---------------------------------  
Best regards,  
YGN Ethical Hacker Group  
Yangon, Myanmar  
http://yehg.net  
Our Lab | http://yehg.net/lab  
Our Directory | http://yehg.net/hwd  
  