
Full Disclosure mailing list archives
Re: phpMyAdmin 3.3.5 / 2.11.10 <= Cross Site Scripting (XSS) Vulnerability
From: YGN Ethical Hacker Group <lists () yehg net>
Date: Thu, 26 Aug 2010 02:29:13 +0800
Did you read the advisory that contains vendor advisory link - http://www.phpmyadmin.net/home_page/security/PMASA-2010-5.php ? On Sat, Aug 21, 2010 at 12:46 AM, Christian Sciberras <uuf6429 () gmail com> wrote:
Since I didn't see this mentioned even on their website, (phpmyadmin.net), I would like to ask, are these vulnerabilities existent in world-public OR registered users part (OR both)? Regards, Chris. On Fri, Aug 20, 2010 at 6:32 PM, YGN Ethical Hacker Group <lists () yehg net> wrote:============================================================================== phpMyAdmin 3.3.5 / 2.11.10 <= Cross Site Scripting (XSS) Vulnerability ============================================================================== 1. OVERVIEW The phpMyAdmin web application was vulnerable to Cross Site Scripting vulnerability. 2. PRODUCT DESCRIPTION phpMyAdmin is a free software tool written in PHP intended to handle the administration of MySQL over the World Wide Web. phpMyAdmin supports a wide range of operations with MySQL. The most frequently used operations are supported by the user interface (managing databases, tables, fields, relations, indexes, users, permissions, etc), while you still have the ability to directly execute any SQL statement. 3. VULNERABILITY DESCRIPTION Some URLs in phpMyAdmin do not properly escape user inputs that lead to cross site scripting vulnerability. For more information about this kind of vulnerability, see OWASP Top 10 - A2, WASC-8 and CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). 4. VERSIONS AFFECTED phpMyAdmin 3.3.5 and lower phpMyAdmin 2.11.10 and lower 5. PROOF-OF-CONCEPT/EXPLOIT http://yehg.net/lab/pr0js/advisories/phpmyadmin/3.3.5/xss/db_sql.php-01.jpg http://yehg.net/lab/pr0js/advisories/phpmyadmin/3.3.5/xss/db_sql.php-02.jpg http://yehg.net/lab/pr0js/advisories/phpmyadmin/3.3.5/xss/db_structure.php-01.jpg http://yehg.net/lab/pr0js/advisories/phpmyadmin/3.3.5/xss/db_structure.php-02.jpg http://yehg.net/lab/pr0js/advisories/phpmyadmin/3.3.5/xss/server_databases.php-01.jpg http://yehg.net/lab/pr0js/advisories/phpmyadmin/3.3.5/xss/server_databases.php-02.jpg http://yehg.net/lab/pr0js/advisories/phpmyadmin/3.3.5/xss/server_privileges.php-01.jpg http://yehg.net/lab/pr0js/advisories/phpmyadmin/3.3.5/xss/server_privileges.php-02.jpg http://yehg.net/lab/pr0js/advisories/phpmyadmin/3.3.5/xss/sql.php-01.jpg http://yehg.net/lab/pr0js/advisories/phpmyadmin/3.3.5/xss/sql.php-02.jpg And full list of URLs (of both <probably> unexploitable/exploitable) that fail to html escape user inputs: UR: http://target/phpmyadmin/db_search.php Affected Parameter(s): field_str URL: http://target/phpmyadmin/db_sql.php Affected Parameter(s): QUERY_STRING, delimiter URL: http://target/phpmyadmin/db_structure.php Affected Parameter(s): sort URL: http://target/phpmyadmin/js/messages.php Affected Parameter(s): db URL: http://target/phpmyadmin/server_databases.php Affected Parameter(s): sort_by URL: http://target/phpmyadmin/server_privileges.php Affected Parameter(s): QUERY_STRING, checkprivs, dbname, pred_tablename, selected_usr[], tablename , username URL: http://target/phpmyadmin/setup/config.php Affected Parameter(s): DefaultLang URL: http://target/phpmyadmin/sql.php Affected Parameter(s): QUERY_STRING, cpurge, goto,purge,purgekey,table,zero_rows URL: http://target/phpmyadmin/tbl_replace.php Affected (Dynamic) Parameter(s): fields[multi_edit][0][f7235a61fdc3adc78d866fd8085d44db], fields_name[multi_edit][0][349e686330723975502e9ef4f939a5ac] 6. IMPACT Attackers can compromise currently logged-in user session and inject arbitrary SQL statements (CREATE,INSERT,UPDATE,DELETE) via crafted XSS payloads. 7. SOLUTION Upgrade to phpMyAdmin 3.3.5.1 or 2.11.10.1 8. VENDOR phpMyAdmin (http://www.phpmyadmin.net) 9. CREDIT This vulnerability was discovered by Aung Khant, http://yehg.net, YGN Ethical Hacker Group, Myanmar. 10. DISCLOSURE TIME-LINE 08-09-2010: vulnerability discovered 08-10-2010: notified vendor 08-20-2010: vendor released fix 08-20-2010: vulnerability disclosed 11. REFERENCES Vendor Advisory URL: http://www.phpmyadmin.net/home_page/security/PMASA-2010-5.php Original Advisory URL: http://yehg.net/lab/pr0js/advisories/phpmyadmin/[phpmyadmin-3.3.5]_cross_site_scripting(XSS) Previous Release: http://www.phpmyadmin.net/home_page/security/PMASA-2008-6.php XSS FAQ: http://www.cgisecurity.com/xss-faq.html OWASP Top 10: http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project CWE-79: http://cwe.mitre.org/data/definitions/79.html #yehg [08-20-2010] --------------------------------- Best regards, YGN Ethical Hacker Group Yangon, Myanmar http://yehg.net Our Lab | http://yehg.net/lab Our Directory | http://yehg.net/hwd _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- phpMyAdmin 3.3.5 / 2.11.10 <= Cross Site Scripting (XSS) Vulnerability YGN Ethical Hacker Group (Aug 20)
- Message not available
- Re: phpMyAdmin 3.3.5 / 2.11.10 <= Cross Site Scripting (XSS) Vulnerability YGN Ethical Hacker Group (Aug 25)
- Re: phpMyAdmin 3.3.5 / 2.11.10 <= Cross Site Scripting (XSS) Vulnerability Christian Sciberras (Aug 25)
- Re: phpMyAdmin 3.3.5 / 2.11.10 <= Cross Site Scripting (XSS) Vulnerability YGN Ethical Hacker Group (Aug 25)
- Re: phpMyAdmin 3.3.5 / 2.11.10 <= Cross Site Scripting (XSS) Vulnerability YGN Ethical Hacker Group (Aug 25)
- Message not available