Date: Wed, 25 Aug 2010 21:35:47 +0200
From: Christian Sciberras <uuf6429@...il.com>
To: YGN Ethical Hacker Group <lists@...g.net>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: phpMyAdmin 3.3.5 / 2.11.10 <= Cross Site Scripting (XSS) Vulnerability

After looking into several sources, I've found the following:

6. IMPACT

Attackers can compromise currently logged-in user session and inject
arbitrary SQL statements (CREATE,INSERT,UPDATE,DELETE)
via crafted XSS payloads.


Which I presume means it affects the system only with a registered (and a
logged in) account.

I don't mean to boss you or anyone around, but why wasn't that detail well
written around?
Surely I won't risk wasting time fixing a possible bad patch when it doesn't
affect my install in the least (since it's only me that is using
phpMyAdmin).

I'm usually quite paranoid about security, but I don't want to risk wasting
unnecessary time, especially considering it doesn't affect my security at all.

I'm not trying to nitpick or anything, but if I were you, I'd make it a
point to make the real impact well known, unless the vulnerabilities have
been published in the interest of popularity rather than true concern.


Cheers,
Christian Sciberras.



On Wed, Aug 25, 2010 at 8:29 PM, YGN Ethical Hacker Group <lists@...g.net> wrote:

> Did you read the advisory that contains vendor advisory link -
> http://www.phpmyadmin.net/home_page/security/PMASA-2010-5.php ?
>
>
>
>
> On Sat, Aug 21, 2010 at 12:46 AM, Christian Sciberras <uuf6429@...il.com>
> wrote:
> > Since I didn't see this mentioned even on their website (phpmyadmin.net), I
> > would like to ask, are these vulnerabilities existent in world-public OR
> > registered users part (OR both)?
> >
> > Regards,
> > Chris.
> >
> >
> >
> >
> >
> >
> > On Fri, Aug 20, 2010 at 6:32 PM, YGN Ethical Hacker Group <lists@...g.net>
> > wrote:
> >>
> >> ==============================================================================
> >>  phpMyAdmin 3.3.5 / 2.11.10 <= Cross Site Scripting (XSS) Vulnerability
> >> ==============================================================================
> >>
> >>
> >> 1. OVERVIEW
> >>
> >> The phpMyAdmin web application was affected by a Cross Site Scripting
> >> vulnerability.
> >>
> >>
> >> 2. PRODUCT DESCRIPTION
> >>
> >> phpMyAdmin is a free software tool written in PHP intended to handle
> >> the administration of MySQL over the World Wide Web.
> >> phpMyAdmin supports a wide range of operations with MySQL.
> >> The most frequently used operations are supported by the user
> >> interface (managing databases, tables, fields, relations,
> >> indexes, users, permissions, etc), while you still have the ability to
> >> directly execute any SQL statement.
> >>
> >>
> >> 3. VULNERABILITY DESCRIPTION
> >>
> >> Some URLs in phpMyAdmin do not properly escape user inputs, which leads
> >> to a cross site scripting vulnerability.
> >> For more information about this kind of vulnerability, see OWASP Top
> >> 10 - A2, WASC-8 and
> >> CWE-79: Improper Neutralization of Input During Web Page Generation
> >> ('Cross-site Scripting').
> >>
> >>
> >> 4. VERSIONS AFFECTED
> >>
> >> phpMyAdmin 3.3.5 and lower
> >> phpMyAdmin 2.11.10  and lower
> >>
> >>
> >> 5. PROOF-OF-CONCEPT/EXPLOIT
> >>
> >> http://yehg.net/lab/pr0js/advisories/phpmyadmin/3.3.5/xss/db_sql.php-01.jpg
> >> http://yehg.net/lab/pr0js/advisories/phpmyadmin/3.3.5/xss/db_sql.php-02.jpg
> >> http://yehg.net/lab/pr0js/advisories/phpmyadmin/3.3.5/xss/db_structure.php-01.jpg
> >> http://yehg.net/lab/pr0js/advisories/phpmyadmin/3.3.5/xss/db_structure.php-02.jpg
> >> http://yehg.net/lab/pr0js/advisories/phpmyadmin/3.3.5/xss/server_databases.php-01.jpg
> >> http://yehg.net/lab/pr0js/advisories/phpmyadmin/3.3.5/xss/server_databases.php-02.jpg
> >> http://yehg.net/lab/pr0js/advisories/phpmyadmin/3.3.5/xss/server_privileges.php-01.jpg
> >> http://yehg.net/lab/pr0js/advisories/phpmyadmin/3.3.5/xss/server_privileges.php-02.jpg
> >> http://yehg.net/lab/pr0js/advisories/phpmyadmin/3.3.5/xss/sql.php-01.jpg
> >> http://yehg.net/lab/pr0js/advisories/phpmyadmin/3.3.5/xss/sql.php-02.jpg
> >>
> >> And the full list of URLs (both probably unexploitable and exploitable)
> >> that fail to HTML-escape user inputs:
> >>
> >> URL: http://target/phpmyadmin/db_search.php
> >> Affected Parameter(s):  field_str
> >>
> >> URL: http://target/phpmyadmin/db_sql.php
> >> Affected Parameter(s):  QUERY_STRING, delimiter
> >>
> >> URL: http://target/phpmyadmin/db_structure.php
> >> Affected Parameter(s): sort
> >>
> >> URL:  http://target/phpmyadmin/js/messages.php
> >> Affected Parameter(s): db
> >>
> >> URL: http://target/phpmyadmin/server_databases.php
> >> Affected Parameter(s): sort_by
> >>
> >> URL: http://target/phpmyadmin/server_privileges.php
> >> Affected Parameter(s): QUERY_STRING, checkprivs, dbname,
> >> pred_tablename, selected_usr[], tablename, username
> >>
> >> URL: http://target/phpmyadmin/setup/config.php
> >> Affected Parameter(s): DefaultLang
> >>
> >> URL: http://target/phpmyadmin/sql.php
> >> Affected Parameter(s): QUERY_STRING, cpurge,
> >> goto,purge,purgekey,table,zero_rows
> >>
> >> URL: http://target/phpmyadmin/tbl_replace.php
> >> Affected (Dynamic) Parameter(s):
> >> fields[multi_edit][0][f7235a61fdc3adc78d866fd8085d44db],
> >> fields_name[multi_edit][0][349e686330723975502e9ef4f939a5ac]
> >>
> >>
> >> 6. IMPACT
> >>
> >> Attackers can compromise currently logged-in user session and inject
> >> arbitrary SQL statements (CREATE,INSERT,UPDATE,DELETE)
> >> via crafted XSS payloads.
> >>
> >>
> >> 7. SOLUTION
> >>
> >> Upgrade to phpMyAdmin 3.3.5.1 or 2.11.10.1
> >>
> >>
> >> 8. VENDOR
> >>
> >> phpMyAdmin (http://www.phpmyadmin.net)
> >>
> >>
> >> 9. CREDIT
> >>
> >> This vulnerability was discovered by Aung Khant, http://yehg.net, YGN
> >> Ethical Hacker Group, Myanmar.
> >>
> >>
> >> 10. DISCLOSURE TIME-LINE
> >>
> >> 08-09-2010: vulnerability discovered
> >> 08-10-2010: notified vendor
> >> 08-20-2010: vendor released fix
> >> 08-20-2010: vulnerability disclosed
> >>
> >>
> >> 11. REFERENCES
> >>
> >> Vendor Advisory URL:
> >> http://www.phpmyadmin.net/home_page/security/PMASA-2010-5.php
> >> Original Advisory URL:
> >> http://yehg.net/lab/pr0js/advisories/phpmyadmin/[phpmyadmin-3.3.5]_cross_site_scripting(XSS)
> >> Previous Release:
> >> http://www.phpmyadmin.net/home_page/security/PMASA-2008-6.php
> >> XSS FAQ: http://www.cgisecurity.com/xss-faq.html
> >> OWASP Top 10:
> >> http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
> >> CWE-79: http://cwe.mitre.org/data/definitions/79.html
> >>
> >>
> >> #yehg [08-20-2010]
> >>
> >>
> >>
> >> ---------------------------------
> >> Best regards,
> >> YGN Ethical Hacker Group
> >> Yangon, Myanmar
> >> http://yehg.net
> >> Our Lab | http://yehg.net/lab
> >> Our Directory | http://yehg.net/hwd
> >>
> >> _______________________________________________
> >> Full-Disclosure - We believe in it.
> >> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> >> Hosted and sponsored by Secunia - http://secunia.com/
> >
> >
>
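
Added example, not part of the original thread and not phpMyAdmin's code: a small reflected-XSS probe of the kind one would run against the (path, parameter) pairs listed in section 5 of the quoted advisory, both to confirm whether a given install reflects them unescaped and to confirm that the upgrade to 3.3.5.1 / 2.11.10.1 actually closed them. The two handler functions are constructed stand-ins for a vulnerable and a fixed page (using the `sort` parameter of db_structure.php as the example); the probe value, the target list and the `fetch(url) -> str` interface are assumptions made here for illustration.

```python
import html
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# Constructed probe value: carries every character that HTML escaping must
# neutralise in element text and in double-quoted attributes (CWE-79).
MARKER = 'pma_xss_probe"<>\'&'


def _query_param(url, name, default):
    """Return the first value of `name` from the URL's query string."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return query.get(name, [default])[0]


def vulnerable_handler(url):
    """Stand-in for a page that echoes `sort` into HTML without escaping.
    Assumed pattern for illustration only; not phpMyAdmin's actual code."""
    sort = _query_param(url, "sort", "name")
    return f'<a href="db_structure.php?sort={sort}">Sort by {sort}</a>'


def hardened_handler(url):
    """Same stand-in with the fix the advisory calls for: HTML-escape the
    value, quotes included, before writing it into markup."""
    sort = html.escape(_query_param(url, "sort", "name"), quote=True)
    return f'<a href="db_structure.php?sort={sort}">Sort by {sort}</a>'


def probe(fetch, url, param):
    """Set `param` to MARKER in `url`, fetch the page via `fetch(url) -> str`
    and classify how the value comes back in the response body."""
    parts = urlsplit(url)
    query = parse_qs(parts.query, keep_blank_values=True)
    query[param] = [MARKER]
    probe_url = urlunsplit(parts._replace(query=urlencode(query, doseq=True)))
    body = fetch(probe_url)
    if MARKER in body:
        return "reflected-unescaped"   # raw markup characters came back: XSS candidate
    if html.escape(MARKER, quote=True) in body:
        return "reflected-escaped"     # value is present but neutralised
    return "not-reflected"


def audit(fetch, base_url, targets):
    """Probe every (path, parameter) pair in `targets` and return only those
    reflected unescaped, keyed by (path, param)."""
    findings = {}
    for path, params in targets.items():
        for param in params:
            verdict = probe(fetch, f"{base_url.rstrip('/')}/{path}", param)
            if verdict == "reflected-unescaped":
                findings[(path, param)] = verdict
    return findings


# Constructed target list: two of the paths/parameters named in section 5.
TARGETS = {
    "db_structure.php": ["sort"],
    "server_databases.php": ["sort_by"],
}

if __name__ == "__main__":
    base = "http://target/phpmyadmin"
    for name, handler in (("vulnerable", vulnerable_handler),
                          ("hardened", hardened_handler)):
        print(name, audit(handler, base, TARGETS))
```

Against a live install, replace the stand-in handler with a function that performs an authenticated GET and returns the body (for example a `requests` session carrying the phpMyAdmin login cookie), since most of the listed pages sit behind the login; that is also why the advisory's impact section speaks of the logged-in session: a payload reflected to an authenticated user runs with that user's cookies and can drive sql.php on their behalf. The check only recognises HTML escaping, which is the right fix for values written into HTML text or quoted attributes; a value written into a script context (the `db` parameter of js/messages.php in the list) needs JavaScript-string escaping as well and would require a different check.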
