[Full-disclosure] Advisory 16/2005: phpMyAdmin Local File Inclusion Vulnerability

2005-10-22T00:00:00
ID SECURITYVULNS:DOC:10006
Type securityvulns
Reporter Securityvulns
Modified 2005-10-22T00:00:00

Description

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1

                    Hardened-PHP Project
                    www.hardened-php.net

                  -= Security  Advisory =-



 Advisory: phpMyAdmin Local File Inclusion Vulnerability

Release Date: 2005/10/22 Last Modified: 2005/10/22 Author: Stefan Esser [sesser@hardened-php.net]

Application: phpMyAdmin <= 2.6.4-pl2 Severity: A design flaw within phpMyAdmin allows inclusion of arbitrary files, which usually leads to remote code execution Risk: Critical Vendor Status: Vendor has released an updated version References: http://www.hardened-php.net/advisory_162005.73.html

Overview:

Quote from www.phpmyadmin.net: "phpMyAdmin is a tool written in PHP intended to handle the administration of MySQL over the Web. Currently it can create and drop databases, create/drop/alter tables, delete/edit/add fields, execute any SQL statement, manage keys on fields, manage privileges,export data into various formats and is available in 50 languages."

And audit of phpMyAdmin revealed a design flaw in the way phpMyAdmin includes it's register_globals compatibility layer, that allows inclusion of arbitrary local files, which usually leads to remote code execution.

*** NOTE: This vulnerability is not exploitable if you are running PHP with our Hardening-Patch applied

Details:

phpMyAdmin comes with a register_globals emulation layer within grab_globals.php, to ensure compatibility with hosts where this feature is turned off. This file is usually included at the very beginning, so that globalizing the request variables does not overwrite already used script variables. When the _GET and _POST variables are extracted it is even ensured, that certain names cannot be overwritten. This safety checks are not in effect, when the _FILES array, which holds information about uploaded files, is merged into the global namespace.

Unfortunately phpMyAdmin comes with a few files that were not meant to be called directly and that do not include grab_globals.php but common.lib.php in the beginning. This results f.e. in the following include tree:

  - db_details_db_info.php
  &#92;___ libraries/common.lib.php
       &#92;___ libraries/select_lang.lib.php
       &#92;   &#92;___ libraries/grab_globals.php
       &#92;   &#92;___ lang/a-language.inc.php
       &#92;___ ...

From this one can see, that grab_globals.php will be included by select_lang.lib.php, if it is not included in the very beginning. This has the bad side effect, that the globalisation of the request variables is executed after common.lib.php has loaded the $cfg configuration array. In combination with the fact, that the _FILES array is not protected against keys with the name 'cfg', it is possible to overwrite the content of the configuration array in a way, that empties the content of the $cfg['ThemePath'] variable. This variable contains the path to a directory, that contains the supported themes. With the same overwrite it is possible to fill the variable $cfg['ThemeManager'] with a value, which evaluates to true.

The idea behind this overwrite is to exploit an include statement which tries to verify the existance of a theme, selected through f.e. a supplied cookie variable:

@include($cfg['ThemePath'].'/'.$GLOBALS['theme'].'/info.inc.php');

Due to the fact, that $cgf['ThemePath'] is empty and the global variable theme is filled with the content of a user supplied cookie, it is possible to use either a %00 or a realpath() truncation attack on the include filename to include any file, that can be accessed by the webserver.

At this point a few things have to be noted:

  1&#41; When reading the theme name from the cookie directory the 
     value is sanitizied against directory traversal attacks
     by removing .. from the filename. However the attack
     described here results in an absolute filepath beeing
     included, therefore any protection against directory
     traversal attacks is worthless.

  2&#41; A &#37;00 filename truncation attack will only work if
     magic_quotes_gpc is turned off, which is however the
     recommended setting. A realpath&#40;&#41; truncation attack on
     the other hand will only work agains malfunctional
     realpath&#40;&#41; implementation, which can be found in f.e.
     older OpenBSD versions.

  3&#41; This vulnerability *cannot* be exploited, when your server
     uses our PHP Hardening-Patch, because it has a build in
     protection against such include-filename truncation
     attacks.

Proof of Concept:

The Hardened-PHP project is not going to release exploits for this vulnerability to the public.

Disclosure Timeline:

  1. October 2005 - Contacted phpMyAdmin developers by email
  2. October 2005 - Vendor notifies me about planned release
  3. October 2005 - Release of new phpMyAdmin version
  4. October 2005 - Public Disclosure

Recommendation:

It is strongly recommended to upgrade to the new version of phpMyAdmin which you can download at:

http://www.phpmyadmin.net/home_page/downloads.php

GPG-Key:

http://www.hardened-php.net/hardened-php-signature-key.asc

pub 1024D/0A864AA1 2004-04-17 Hardened-PHP Signature Key Key fingerprint = 066F A6D0 E57E 9936 9082 7E52 4439 14CC 0A86 4AA1

Copyright 2005 Stefan Esser. All rights reserved.

-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org

iD8DBQFDWki0RDkUzAqGSqERAn2tAJ9obBXrgmTnYhuE9/jfxddfHbCrhwCggf8T 11j2W1NBEeiMg7IIgCmVjxg= =VqEK -----END PGP SIGNATURE-----


Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/