phpmyadmin-xss.txt

Posted Jan 14, 2007
Authored by AlFa | Site virtuax.be

PhpMyAdmin versions 2.8.1 and below suffer from a cross site scripting vulnerability.

tags | exploit, xss
SHA-256 | 88bd3870ce5dd147294ea5403ed53b749090963260ecf3d9be70ea9eb50b844c

---------------------------------------------------------------------------------
| ____ ____.__ __ |
| \ \ / /|__|_______/ |_ __ _______ ___ ___ |
| \ Y / | \_ __ \ __\ | \__ \ \ \/ / |
| \ / | || | \/| | | | // __ \_> < |
| \___/ |__||__| |__| |____/(____ /__/\_ \ |
| \/ \/ |
| Security without illusions |
| www.virtuax.be |
| |
---------------------------------------------------------------------------------


Application: Phpmyadmin
Vulnerable Versions: <= v2.8.1
Vulnerability: XSS

Vendor: http://www.phpmyadmin.net
Vendor Status: notified

Found: 11-01-2007
Public Release Date: 12-01-2007
Last modified: 12-01-2007
Author: AlFa

reference: http://www.virtuax.be/advisories/Advisory1-12012007.txt

=================================================================================

Shouts to Ciri, ShadoW, RedFern, Dreamer and the rest of the Virtuax Community =)

=================================================================================



I. Background
-------------

"phpMyAdmin is a tool written in PHP intended to handle the administration of MySQL
over the Web. Currently it can create and drop databases, create/drop/alter tables,
delete/edit/add fields, execute any SQL statement, manage keys on fields, manage
privileges, export data into various formats and is available in 50 languages."
by phpmyadmin.net


This issue was fixed in phpMyAdmin v2.8.2.

[quote=changelog]
2006-06-30 Marc Delisle <lem9@users.sourceforge.net>
* libraries/common.lib.php: escape also single quotes
### 2.8.2 released from QA_2_8

2006-06-28 Marc Delisle <lem9@users.sourceforge.net>
* libraries/common.lib.php: escape allowed parameters from non-token
requests
[/quote]



II. Vulnerability
-----------------

Originally phpMyAdmin < 2.6.2-rc1 contained an XSS vulnerability caused by
missing validation of input supplied to the "convcharset" variable (reference:
http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2005-3). This problem was
solved by sanitizing $convcharset by passing it through the PMA_sanitize() function.
However, that function only encodes > and < and neglects quotes in all versions
prior to 2.8.1. Here is the relevant code:


[code=./libraries/common.lib.php]

// XSS
if (isset($convcharset)) {
$convcharset = PMA_sanitize($convcharset);
}

[/code]



[code=./libraries/sanitizing.lib.php]

function PMA_sanitize($message)
{
// Only the angle brackets are entity-encoded; double and single quotes
// are left as-is, so a value placed inside a quoted attribute can still
// terminate that attribute.
$replace_pairs = array(
'<' => '&lt;',
'>' => '&gt;',
'[i]' => '<em>', // deprecated by em
'[/i]' => '</em>', // deprecated by em
'[em]' => '<em>',
'[/em]' => '</em>',
'[b]' => '<strong>', // deprecated by strong
'[/b]' => '</strong>', // deprecated by strong
'[strong]' => '<strong>',
'[/strong]' => '</strong>',
'[tt]' => '<code>', // deprecated by CODE or KBD
'[/tt]' => '</code>', // deprecated by CODE or KBD
'[code]' => '<code>',
'[/code]' => '</code>',
'[kbd]' => '<kbd>',
'[/kbd]' => '</kbd>',
'[br]' => '<br />',
'[/a]' => '</a>',
);
return preg_replace('/\[a@([^"@]*)@([^]"]*)\]/', '<a href="\1" target="\2">', strtr($message, $replace_pairs));
}

[/code]


Because > and < are encoded, we cannot close the <input> tag and break out of it
entirely, so we have to work with attributes instead: a double quote ends the
value attribute, after which a new attribute can be appended. The style attribute
can carry CSS that invokes JavaScript, just as a regular cascading style sheet
can. E.g.:

STYLE="background-image: url(javascript:alert('XSS'))"



IIa. Affected Browsers
----------------------

All versions of Firefox seem to be not vulnerable to this attack (1.5 and 2.0 tested).

Opera also seems to be safe (v8.53 and v9.10 tested).


IE 6.x is not safe but IE 7.x is. Not yet tested: IE 5.x (but IE 5.2 for Mac seems to be not vulnerable).



III. PoC
--------

https://phpmyadmin.example.com/?convcharset=%22%20STYLE=%22background-image:%20url(javascript:alert('XSS'))%22%20r=%22



IV. Solution
------------

A. Quickfix
Replace this code (./main.php):

<input type="hidden" name="convcharset" value="<?php echo $convcharset; ?>" />

with this code:

<input type="hidden" name="convcharset" value="<?php echo addslashes($convcharset); ?>" />


B. Upgrade to a newer (ideally the newest) version of phpMyAdmin, which you can find here:
http://www.phpmyadmin.net/home_page/downloads.php
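The attribute-injection mechanism from section II and the quickfix from section IV.A can both be checked with a small runnable model. The following Python is an added example, not code from the advisory or from the phpMyAdmin project: it models the pre-2.8.2 PMA_sanitize() (angle brackets only), PHP's addslashes(), and htmlspecialchars($v, ENT_QUOTES) (Python's html.escape with quote=True), then feeds the advisory's PoC value through each and tokenizes the resulting hidden <input> the way a browser would. The caveat it makes visible: HTML has no backslash escaping, so addslashes() still leaves a raw double quote that terminates the value attribute, and a STYLE attribute still appears in the tag; only attribute-context entity encoding (or rejecting anything that is not a plausible charset name) closes the hole. The function names, the tokenizer and the charset-name pattern are this example's own assumptions.

```python
"""Model of the convcharset attribute injection from the advisory above.

Written in Python so it can be run offline; phpMyAdmin itself is PHP and the
functions below only model its behaviour (assumptions, not project code).
"""
import html
import re
from urllib.parse import unquote

# Constructed sample: the attribute value from the advisory's PoC URL, decoded.
POC_CONVCHARSET = unquote(
    "%22%20STYLE=%22background-image:%20url(javascript:alert('XSS'))%22%20r=%22"
)


def pma_sanitize_model(message: str) -> str:
    """Model of PMA_sanitize() before 2.8.2: only '<' and '>' are encoded."""
    return message.replace("<", "&lt;").replace(">", "&gt;")


def addslashes_model(value: str) -> str:
    """Model of PHP addslashes(): a string-literal escape, not an HTML escape."""
    return re.sub(r"(['\"\\])", r"\\\1", value)


def attribute_escape(value: str) -> str:
    """Attribute-context encoding, equivalent to htmlspecialchars($v, ENT_QUOTES)."""
    return html.escape(value, quote=True)


def render_hidden_input(convcharset: str, escaper) -> str:
    """Render main.php's hidden field with the given escaper applied to the value."""
    return '<input type="hidden" name="convcharset" value="%s" />' % escaper(convcharset)


def can_break_out(escaped_value: str) -> bool:
    """A raw '"' inside a double-quoted attribute ends it, whatever precedes it."""
    return '"' in escaped_value


def attribute_names(tag: str) -> list:
    """Tiny model of the HTML tokenizer's attribute states: returns the
    attribute names a browser sees in a start tag. Quoted values end at the
    next matching quote (no backslash escaping); unquoted values end at
    whitespace."""
    body = tag.strip()[1:-1]              # drop '<' and '>'
    if body.endswith("/"):
        body = body[:-1]                  # drop self-closing slash
    n, i, names = len(body), 0, []
    while i < n and not body[i].isspace():
        i += 1                            # skip the tag name
    while i < n:
        while i < n and body[i].isspace():
            i += 1
        if i >= n:
            break
        start = i
        while i < n and not body[i].isspace() and body[i] != "=":
            i += 1
        name = body[start:i]
        if name and name != "/":
            names.append(name.lower())
        while i < n and body[i].isspace():
            i += 1
        if i < n and body[i] == "=":
            i += 1
            while i < n and body[i].isspace():
                i += 1
            if i < n and body[i] in "\"'":
                end = body.find(body[i], i + 1)
                i = n if end == -1 else end + 1
            else:
                while i < n and not body[i].isspace():
                    i += 1
    return names


def is_valid_charset_name(name: str) -> bool:
    """Allowlist check for a charset label (assumed pattern): letters, digits,
    '_', '.', ':' and '-' only. Rejects the PoC value outright, before output."""
    return re.fullmatch(r"[A-Za-z0-9][A-Za-z0-9_.:-]{0,39}", name) is not None


if __name__ == "__main__":
    for label, escaper in (("PMA_sanitize", pma_sanitize_model),
                           ("addslashes", addslashes_model),
                           ("htmlspecialchars ENT_QUOTES", attribute_escape)):
        tag = render_hidden_input(POC_CONVCHARSET, escaper)
        print("%-28s break-out=%-5s attributes=%s"
              % (label, can_break_out(escaper(POC_CONVCHARSET)), attribute_names(tag)))
    print("valid charset name? ", is_valid_charset_name(POC_CONVCHARSET))
```

Running it shows `style` among the parsed attributes for both the unpatched sanitizer and the addslashes() variant, and only `type`, `name`, `value` for the entity-encoded output; the allowlist check rejects the PoC value before it reaches the template at all.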



V. Timeline
-----------

11-01-2007: vulnerability found + contact with vendor
12-01-2007: public disclosure + vendor removed old (vulnerable) versions from download section



Copyright 2007 by Alfa from Virtuax.be All rights reserved.
