[Full-disclosure] Advisory 12/2006: phpMyAdmin - error.php XSS Vulnerability

2006-11-02T00:00:00
ID SECURITYVULNS:DOC:14897
Type securityvulns
Reporter Securityvulns
Modified 2006-11-02T00:00:00

Description

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1

                    Hardened-PHP Project
                    www.hardened-php.net

                  -= Security  Advisory =-


 Advisory: phpMyAdmin - error.php XSS Vulnerability

Release Date: 2006/11/02 Last Modified: 2006/11/02 Author: Stefan Esser [sesser@hardened-php.net]

Application: phpMyAdmin <= 2.9.0.2 Severity: XSS vulnerability in an error displaying script Risk: Medium Critical Vendor Status: Vendor has a released an updated version References: http://www.hardened-php.net/advisory_122006.137.html

Overview:

Quote from http://www.phpmyadmin.net "phpMyAdmin is a tool written in PHP intended to handle the administration of MySQL over the Web. Currently it can create and drop databases, create/drop/alter tables, delete/edit/add fields, execute any SQL statement, manage keys on fields, manage privileges, export data into various formats and is available in 50 languages."

It was discovered that phpMyAdmin comes with a script to display error messages that supports displaying the error in a user supplied charset. Unfortunately the encoding of the error message is not taking the charset into account which can result into XSS when UTF-7 is selected. (Other charsets like US-ASCII can also be used to exploit this in some browsers.)

To trigger this XSS vulnerability an attacker just needs to call the error displaying script with charset=utf-7 and utf-7 encoded HTML tags in the error message.

Proof of Concept:

The Hardened-PHP Project is not going to release exploits for this vulnerability to the public.

Disclosure Timeline:

  1. October 2006 - Contacted phpMyAdmin developers by email
  2. November 2006 - Updated phpMyAdmin was released
  3. November 2006 - Public Disclosure

Recommendation:

It is strongly recommended to upgrade to the newest version of phpMyAdmin 2.9.0.3 which you can download at:

http://www.phpmyadmin.net/home_page/downloads.php

GPG-Key:

http://www.hardened-php.net/hardened-php-signature-key.asc

pub 1024D/0A864AA1 2004-04-17 Hardened-PHP Signature Key Key fingerprint = 066F A6D0 E57E 9936 9082 7E52 4439 14CC 0A86 4AA1

Copyright 2006 Stefan Esser. All rights reserved.

-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.3 (GNU/Linux)

iD8DBQFFSbPtRDkUzAqGSqERAkcTAJ49t9pfmuBAyvk0UcHuhZe/6cu48gCgp3ea HoIvssTE/gfvQyAY3BcOhwQ= =70mU -----END PGP SIGNATURE-----


Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/