lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <DEV-LOUIS-WIN4KhAfd00000002@lwang.org>
Date: Sat, 17 Dec 2005 09:39:36 +0800
From: "Alice Bryson" <abryson@...efocus.com>
To: <bugtraq@...urityfocus.com>
Subject: phpMyAdmin server_privileges.php SQL Injection Vulnerabilities.


phpMyAdmin server_privileges.php SQL Injection Vulnerabilities.

I. BACKGROUND
phpMyAdmin is a tool written in PHP intended to handle the administration of MySQL over the Web.

II. DESCRIPTION
phpMyAdmin server_privileges.php is prone to SQL Injection vulnerability. A remote attacker may execute arbitrary SQL command by sending specially-crafted URI to server_privileges.php db_name or checkprivs parameter. 

III. PUBLISH DATE
2005-12-7

IV. AUTHOR
lwang@...ng.org

V. AFFECTED SOFTWARE
phpMyAdmin 2.7.0 is confirmed to affected. Older versions may also be affected.
The following vendors distribute vulnerable phpMyAdmin package:
The FreeBSD Project 
Gentoo Foundation 
Novell, Inc. (SuSE) 
The Debian Project (SuSE)

VI. ANALYSIS
in server_privileges.php
line 27:
if ( isset( $dbname ) ) {
    //if ( preg_match( '/\\\\(?:_|%)/i', $dbname ) ) {
    if ( preg_match( '/(?<!\\\\)(?:_|%)/i', $dbname ) ) {
        $dbname_is_wildcard = true;
    } else {
        $dbname_is_wildcard = false;
    }
}
parameter $dbname is not validate properly.

line 1197:
if (isset($viewing_mode) && $viewing_mode == 'db') {
     $db = $checkprivs;
     $url_query .= '&amp;goto=db_operations.php';

     // Gets the database structure
     $sub_part = '_structure';
     require('./db_details_db_info.php');
     echo "\n";
} else {
    require('./server_links.inc.php');
}

line 1241: 
if ( empty( $adduser ) && empty( $checkprivs ) ) {

parameter $checkprivs not validate properly.

VII. Proof of Concept
http://victim/phpmyadmin/server_privileges.php?server=1&checkprivs='
http://victim/phpmyadmin/server_privileges.php?server=1&hostname='&username=1&dbname=1&tablename=1

VIII. SOLUTION
I have not contact the vendor, and no aware of any security patch till now.

IX. REFERENCE 
http://www.phpmyadmin.net




Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ