lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <00de01c335b5$48f5b200$050010ac@rootserver>
From: novappc at novappc.com (Lorenzo Hernandez Garcia-Hierro)
Subject: phpMyAdmin XSS Vulnerabilities, Transversal Directory Attack , Information Encoding Weakness and Path Disclosures

phpMyAdmin XSS Vulnerabilities, Transversal Directory Attack , Information
Encoding Weakness and Path Disclosures
--------------------
Product: phpMyAdmin
Vendor: phpMyAdmin Development Team
Versions:
         VULNERABLE

         - 2.5.2 CVS ( in Development )
         - 2.5.x
         - 2.4.x
         - 2.3.x
         - 2.2.x
         - 2.1.x
         - 2.0.x
         - 1.x.x

         NOT VULNERABLE

         - ?
Advisory: NSRG-15-7
---------------------

Description:

phpMyAdmin is a tool written in PHP intended to handle the administration of
MySQL over the WWW. Currently it can create and drop databases,
create/drop/alter tables, delete/edit/add fields, execute any SQL statement,
manage keys on fields.


-----------------------------------------
SECURITY HOLES FOUND and PROOFS OF CONCEPT:
-----------------------------------------

I encountered Cross Site Scripting Vulnerabilities and Path Disclosures in
some files of the phpMyAdmin
installation , with this files , sending a specially crafted url you can
execute commands in the client
side only and show the local path of the phpMyAdmin installation. The
failures are related to a input validation flaw
and a inproper configuration of php.ini and php configuration declare
library ( declare_php.lib.php )in phpMyAdmin for the errors flags.
I encountered a very dangerous transversal directory attack in a docSQL
import system too.
I discover that phpMyAdmin  don't encode the mysql user and password , it
save the data in plain text without encoding !.

-------------------------------
|   XSS  AND PATH DISCLOSURES |
-------------------------------

The affected files of the XSS attack ( Cross Site Scripting ) and Path
Disclosure are:

 - sql.php / sql.php3   - Path Disclosure & XSS-
 - pdf_schema.php       - Path Disclosure & XSS-
 - pdf_pages.php        - Path Disclosure & XSS-
 - ldi_table.php        - Path Disclosure & XSS-
 - mult_submits.inc.php - Path Disclosure & XSS-
 - chk_rel.php          - Path Disclosure -
 - db_create.php        - Path Disclosure -
 - db_datadict.php      - Path Disclosure & XSS-
 - db_details.php       - Path Disclosure -
 - db_details_common.php- Path Disclosure -
 - db_details_db_info.php - Path Disclosure -
 - db_details_export.php  - Path Disclosure -
 - db_details_structure.php - Path Disclosure -
 - db_printview.php     - Path Disclosure & XSS-
 - db_search.php        - Path Disclosure -
 - header_printview.inc.php - Path Disclosure -
 - ldi_check.php        - Path Disclosure -
 - read_dump.php        - Path Disclosure & XSS-
 - tbl_addfield.php     - Path Disclosure -
 - tbl_alter.php        - Path Disclosure -
 - tbl_create.php       - Path Disclosure -
 - tbl_dump.php         - Path Disclosure -
 - tbl_move_copy.php    - Path Disclosure -
 - tbl_printview.php    - Path Disclosure -
 - tbl_properties.inc.php - Path Disclosure -
 - tbl_properties.php   -Path Disclosure -
 - tbl_properties_common.php -Path Disclosure -
 - tbl_properties_export.php -Path Disclosure -
 - tbl_properties_links.php  -Path Disclosure -
 - tbl_properties_operations.php -Path Disclosure -
 - tbl_properties_options.php    -Path Disclosure -
 - tbl_properties_table_info.php -Path Disclosure -
 - tbl_query_box.php    -Path Disclosure -
 - tbl_relation.php     -Path Disclosure -
 - tbl_rename.php       -Path Disclosure -
 - tbl_replace.php      -Path Disclosure -
 - tbl_select.php       -Path Disclosure -

NOTE: The Path Disclosures occur when you access directly the affected file
without any QUERY_STRING needing a valid session.
 The XSS can executed passing crafted query_strings to the php scripts , see
Samples for more info about this.

VULNERABLE FILES TO PATH DISCLOSURES And XSS THAT DOESN'T NEED A VALID
SESSION :

 - libraries/auth/[cookie.auth.lib.php] - Path Disclosure -
 - libraries/xpath/[XPath.class.php]    - Path Disclosure -
 - libraries/[ip_allow_deny.lib.php]    - Path Disclosure -
 - libraries/[select_lang.lib.php]      - Path Disclosure -
 - libraries/sqlparser.lib.php          - Path Disclosure -
 - libraries/db_table_exists.lib.php    - Path Disclosure -


-----------------------------------
| DIRECTORY TRANSVERSAL ATTACK &  |
| REMOTE LOCAL FILE RETRIEVING &  |
| REMOTE INTERNAL DIRECTORY LISTING
-----------------------------------

I found a dangerous transversal directory attack in the file called
db_details_importdocsql.php ( file import
systems ) , i explain this failure in the Proof of Concept:

____Proof of Concept______

You must send a crafted request to the db_details_importdocsql.php file :

http://localhost/mysql/db_details_importdocsql.php?submit_show=true&do=impor
t&docpath=[YOUR TRANSVERSAL DIRECTORY ATTACK]

If you want to do a internal directory listing you must do this request:


http://localhost/mysql/db_details_importdocsql.php?submit_show=true&do=impor
t&docpath=../../../

With this request you can list the internal directories in the root dir in a
win installation ( normally c:\ ).

Note that you can't request files ( only dirs ) with
db_details_importdocsql.php if you attempt to get a file you get this
message: This was not a Directory .

SAMPLE RESULT OF A CGI-BIN DIRECTORY LISTED WITH THIS ATTACK:

Server iamnottotallysecured.not

Ignoring the file  .

Ignoring the file  ..

Ignoring the file  phf.cgi // ;-)

Ignoring the file  dumpenv.pl

Ignoring the file  test-cgi // ;-)

Ignoring the file  testcgi.pl // ;-D

Ignoring the file  wwwboard.pl

Ignoring the file  count.cgi

Ignoring the file  php.cgi // ;-D

Ignoring the file  passwd.pl

Ignoring the file  admin.cgi

Ignoring the file  ftp.cgi

Ignoring the file  formmail.pl // ;-D

Ignoring the file  proxy.pl



_______
Samples:
"""""""
Note that this paths are from my personal server in my testing lab:

The target user or you must be logged in for run the attacks :

http://localhost/mysql/sql.php?sql_query=">..<h1>XSS ! Oh my God!</h1>

http://localhost/mysql/db_datadict.php?db=XSS

http://localhost/mysql/db_details_importdocsql.php?submit_show=true&do=impor
t&docpath=../../../BOOT.ini

http://localhost/mysql/read_dump.php?db=nonexistent&sql_query="><h1>XSS</h1>

http://localhost/mysql/tbl_properties_links.php?table_info_num_rows=10&url_q
uery="><h1>XSS

------------------
| INFORMATION    |
|   ENCODING     |
|    WEAKNESS    |
------------------

phpMyAdmin doesn't use any encoding type like BASE64/RadiX64 , only saves
the user data ( username and password too ) in plain text without any
encoding.

The authentication token in the cookie is this:

pma_cookie_username=[UserName]; lang=[language]-iso-8859-1;
pma_cookie_password=[your password]

A sample is:

pma_cookie_username=god; lang=en-iso-8859-1;
pma_cookie_password=doesnotexist

-----------------
| SOLUTIONS ;-p |
-----------------

- First: Redefine the errors flags in php.ini to Off. [Path Disclosures]
- Second: Use a partial / secure encoding for athentication tokens like
RadiX64 ( not very secure but an attacker
can think that is a more secure algorithm , obscurity ;-D ) .
- Three: Review the db_details_importdocsql.php file for prevent transversal
directory attacks and remote local directory listing.
-----------
| CONTACT |
-----------

Lorenzo Hernandez Garcia-Hierro
 --- Computer Security Analyzer ---
 --Nova Projects Professional Coding--
 PGP: Keyfingerprint
 B6D7 5FCC 78B4 97C1  4010 56BC 0E5F 2AB2
 ID: 0x9C38E1D7
 **********************************
 NSRGroup : http://security.novappc.com
  are you totally secured ?
 ______________________



Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ