what you don't know can hurt you

phpMyAdmin 4.4.6 Man-In-The-Middle

phpMyAdmin 4.4.6 Man-In-The-Middle
Posted May 14, 2015
Authored by Maksymilian Arciemowicz

phpMyAdmin version 4.4.6 suffers from a man-in-the-middle vulnerability when reaching out to github's API.

tags | advisory
advisories | CVE-2015-3903
MD5 | 81e9e5fd359dc67b1c3ad8ee81cdc874

phpMyAdmin 4.4.6 Man-In-The-Middle

Change Mirror Download
phpMyAdmin 4.4.6 Man-In-the-Middle to API Github (CVE-2015-3903)
Author: Maksymilian Arciemowicz from https://cxsecurity.com
Issue type: CWE-295

Source URL:
http://cxsecurity.com/issue/WLB-2015050095

--- Description ---
As we can read

CURLOPT_SSL_VERIFYPEER option.
http://curl.haxx.se/libcurl/c/CURLOPT_SSL_VERIFYPEER.html
WARNING: disabling verification of the certificate allows bad guys to man-in-the-middle the communication without you knowing it. Disabling verification makes the communication insecure. Just having encryption on a transfer is not enough as you cannot be sure that you are communicating with the correct end-point.

CURLOPT_SSL_VERIFYHOST option.
http://curl.haxx.se/libcurl/c/CURLOPT_SSL_VERIFYHOST.html
When the verify value is 0, the connection succeeds regardless of the names in the certificate. Use that ability with caution!


--- MItM in libraries/Config.class.php ---

Let's see libraries/Config.class.php file

-------------------------------
https://github.com/phpmyadmin/phpmyadmin/blob/master/libraries/Config.class.php
..
// check if commit exists in Github
if ($commit !== false
&& isset($_SESSION['PMA_VERSION_REMOTECOMMIT_' . $hash])
) {
$is_remote_commit = $_SESSION['PMA_VERSION_REMOTECOMMIT_' . $hash];
} else {
$link = 'https://api.github.com/repos/phpmyadmin/phpmyadmin/git/commits/'
. $hash;
$is_found = $this->checkHTTP($link, ! $commit);
..
$link = 'https://api.github.com/repos/phpmyadmin/phpmyadmin'
. '/git/trees/' . $branch;
$is_found = $this->checkHTTP($link);
..
-------------------------------

where checkHTTP() is vulnerable for MItM attack

https://cwe.mitre.org/data/definitions/295.html

-------------------------------
..
function checkHTTP($link, $get_body = false)
{
if (! function_exists('curl_init')) {
return null;
}
$ch = curl_init($link);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 0);
curl_setopt($ch, CURLOPT_HEADER, 1);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0); <=============== MItM
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0); <=============== MItM
curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 5);
curl_setopt($ch, CURLOPT_USERAGENT, 'phpMyAdmin/' . PMA_VERSION);
curl_setopt($ch, CURLOPT_TIMEOUT, 5);
if (! defined('TESTSUITE')) {
session_write_close();
}
$data = @curl_exec($ch);
if (! defined('TESTSUITE')) {
ini_set('session.use_only_cookies', '0');
ini_set('session.use_cookies', '0');
ini_set('session.use_trans_sid', '0');
ini_set('session.cache_limiter', 'nocache');
session_start();
}
if ($data === false) {
return null;
}
$httpOk = 'HTTP/1.1 200 OK';
$httpNotFound = 'HTTP/1.1 404 Not Found';
..
-------------------------------

Example target URL:
https://api.github.com/repos/phpmyadmin/phpmyadmin/git/trees/master

--- Credit ---
Issue discovered by Maksymilian Arciemowicz from http://cxsecurity.com by using cIFrex (static code analysis tool http://cifrex.org ).

--- Patch ---
http://www.phpmyadmin.net/home_page/security/PMASA-2015-3.php
http://cxsecurity.com/issue/WLB-2015050095
Login or Register to add favorites

File Archive:

July 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    15 Files
  • 2
    Jul 2nd
    19 Files
  • 3
    Jul 3rd
    11 Files
  • 4
    Jul 4th
    0 Files
  • 5
    Jul 5th
    0 Files
  • 6
    Jul 6th
    0 Files
  • 7
    Jul 7th
    0 Files
  • 8
    Jul 8th
    0 Files
  • 9
    Jul 9th
    0 Files
  • 10
    Jul 10th
    0 Files
  • 11
    Jul 11th
    0 Files
  • 12
    Jul 12th
    0 Files
  • 13
    Jul 13th
    0 Files
  • 14
    Jul 14th
    0 Files
  • 15
    Jul 15th
    0 Files
  • 16
    Jul 16th
    0 Files
  • 17
    Jul 17th
    0 Files
  • 18
    Jul 18th
    0 Files
  • 19
    Jul 19th
    0 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    0 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close