Date: Thu, 26 Aug 2010 02:29:13 +0800
From: YGN Ethical Hacker Group <lists@...g.net>
To: Christian Sciberras <uuf6429@...il.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: phpMyAdmin 3.3.5 / 2.11.10 <= Cross Site
 Scripting (XSS) Vulnerability

Did you read the advisory that contains vendor advisory link -
http://www.phpmyadmin.net/home_page/security/PMASA-2010-5.php ?




On Sat, Aug 21, 2010 at 12:46 AM, Christian Sciberras <uuf6429@...il.com> wrote:
> Since I didn't see this mentioned even on their website, (phpmyadmin.net), I
> would like to ask, are these vulnerabilities existent in world-public OR
> registered users part (OR both)?
>
> Regards,
> Chris.
>
>
>
>
>
>
> On Fri, Aug 20, 2010 at 6:32 PM, YGN Ethical Hacker Group <lists@...g.net>
> wrote:
>>
>>
>> ==============================================================================
>>  phpMyAdmin 3.3.5 / 2.11.10 <= Cross Site Scripting (XSS) Vulnerability
>>
>> ==============================================================================
>>
>>
>> 1. OVERVIEW
>>
>> The phpMyAdmin web application was vulnerable to Cross Site Scripting
>> vulnerability.
>>
>>
>> 2. PRODUCT DESCRIPTION
>>
>> phpMyAdmin is a free software tool written in PHP intended to handle
>> the administration of MySQL over the World Wide Web.
>> phpMyAdmin supports a wide range of operations with MySQL.
>> The most frequently used operations are supported by the user
>> interface (managing databases, tables, fields, relations,
>> indexes, users, permissions, etc), while you still have the ability to
>> directly execute any SQL statement.
>>
>>
>> 3. VULNERABILITY DESCRIPTION
>>
>> Some URLs in phpMyAdmin do not properly escape user inputs that lead
>> to cross site scripting vulnerability.
>> For more information about this kind of vulnerability, see OWASP Top
>> 10 - A2, WASC-8 and
>> CWE-79: Improper Neutralization of Input During Web Page Generation
>> ('Cross-site Scripting').
>>
>>
>> 4. VERSIONS AFFECTED
>>
>> phpMyAdmin 3.3.5 and lower
>> phpMyAdmin 2.11.10  and lower
>>
>>
>> 5. PROOF-OF-CONCEPT/EXPLOIT
>>
>>
>> http://yehg.net/lab/pr0js/advisories/phpmyadmin/3.3.5/xss/db_sql.php-01.jpg
>>
>> http://yehg.net/lab/pr0js/advisories/phpmyadmin/3.3.5/xss/db_sql.php-02.jpg
>>
>> http://yehg.net/lab/pr0js/advisories/phpmyadmin/3.3.5/xss/db_structure.php-01.jpg
>>
>> http://yehg.net/lab/pr0js/advisories/phpmyadmin/3.3.5/xss/db_structure.php-02.jpg
>>
>> http://yehg.net/lab/pr0js/advisories/phpmyadmin/3.3.5/xss/server_databases.php-01.jpg
>>
>> http://yehg.net/lab/pr0js/advisories/phpmyadmin/3.3.5/xss/server_databases.php-02.jpg
>>
>> http://yehg.net/lab/pr0js/advisories/phpmyadmin/3.3.5/xss/server_privileges.php-01.jpg
>>
>> http://yehg.net/lab/pr0js/advisories/phpmyadmin/3.3.5/xss/server_privileges.php-02.jpg
>> http://yehg.net/lab/pr0js/advisories/phpmyadmin/3.3.5/xss/sql.php-01.jpg
>> http://yehg.net/lab/pr0js/advisories/phpmyadmin/3.3.5/xss/sql.php-02.jpg
>>
>> And full list of URLs (of both <probably> unexploitable/exploitable)
>> that fail to html escape user inputs:
>>
>> UR: http://target/phpmyadmin/db_search.php
>> Affected Parameter(s):  field_str
>>
>> URL: http://target/phpmyadmin/db_sql.php
>> Affected Parameter(s):  QUERY_STRING, delimiter
>>
>> URL: http://target/phpmyadmin/db_structure.php
>> Affected Parameter(s): sort
>>
>> URL:  http://target/phpmyadmin/js/messages.php
>> Affected Parameter(s): db
>>
>> URL: http://target/phpmyadmin/server_databases.php
>> Affected Parameter(s): sort_by
>>
>> URL: http://target/phpmyadmin/server_privileges.php
>> Affected Parameter(s): QUERY_STRING, checkprivs, dbname,
>> pred_tablename, selected_usr[], tablename , username
>>
>> URL: http://target/phpmyadmin/setup/config.php
>> Affected Parameter(s): DefaultLang
>>
>> URL: http://target/phpmyadmin/sql.php
>> Affected Parameter(s): QUERY_STRING, cpurge,
>> goto,purge,purgekey,table,zero_rows
>>
>> URL: http://target/phpmyadmin/tbl_replace.php
>> Affected (Dynamic) Parameter(s):
>> fields[multi_edit][0][f7235a61fdc3adc78d866fd8085d44db],
>> fields_name[multi_edit][0][349e686330723975502e9ef4f939a5ac]
>>
>>
>> 6. IMPACT
>>
>> Attackers can compromise currently logged-in user session and inject
>> arbitrary SQL statements (CREATE,INSERT,UPDATE,DELETE)
>> via crafted XSS payloads.
>>
>>
>> 7. SOLUTION
>>
>> Upgrade to phpMyAdmin 3.3.5.1 or 2.11.10.1
>>
>>
>> 8. VENDOR
>>
>> phpMyAdmin (http://www.phpmyadmin.net)
>>
>>
>> 9. CREDIT
>>
>> This vulnerability was discovered by Aung Khant, http://yehg.net, YGN
>> Ethical Hacker Group, Myanmar.
>>
>>
>> 10. DISCLOSURE TIME-LINE
>>
>> 08-09-2010: vulnerability discovered
>> 08-10-2010: notified vendor
>> 08-20-2010: vendor released fix
>> 08-20-2010: vulnerability disclosed
>>
>>
>> 11. REFERENCES
>>
>> Vendor Advisory URL:
>> http://www.phpmyadmin.net/home_page/security/PMASA-2010-5.php
>> Original Advisory URL:
>>
>> http://yehg.net/lab/pr0js/advisories/phpmyadmin/[phpmyadmin-3.3.5]_cross_site_scripting(XSS)
>> Previous Release:
>> http://www.phpmyadmin.net/home_page/security/PMASA-2008-6.php
>> XSS FAQ: http://www.cgisecurity.com/xss-faq.html
>> OWASP Top 10:
>> http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
>> CWE-79: http://cwe.mitre.org/data/definitions/79.html
>>
>>
>> #yehg [08-20-2010]
>>
>>
>>
>> ---------------------------------
>> Best regards,
>> YGN Ethical Hacker Group
>> Yangon, Myanmar
>> http://yehg.net
>> Our Lab | http://yehg.net/lab
>> Our Directory | http://yehg.net/hwd
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>
>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists