-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hardened-PHP Project www.hardened-php.net -= Security Advisory =- Advisory: phpMyAdmin Local File Inclusion Vulnerability Release Date: 2005/10/22 Last Modified: 2005/10/22 Author: Stefan Esser [sesser@hardened-php.net] Application: phpMyAdmin <= 2.6.4-pl2 Severity: A design flaw within phpMyAdmin allows inclusion of arbitrary files, which usually leads to remote code execution Risk: Critical Vendor Status: Vendor has released an updated version References: http://www.hardened-php.net/advisory_162005.73.html Overview: Quote from www.phpmyadmin.net: "phpMyAdmin is a tool written in PHP intended to handle the administration of MySQL over the Web. Currently it can create and drop databases, create/drop/alter tables, delete/edit/add fields, execute any SQL statement, manage keys on fields, manage privileges,export data into various formats and is available in 50 languages." And audit of phpMyAdmin revealed a design flaw in the way phpMyAdmin includes it's register_globals compatibility layer, that allows inclusion of arbitrary local files, which usually leads to remote code execution. *** NOTE: This vulnerability is not exploitable if you are running PHP with our Hardening-Patch applied Details: phpMyAdmin comes with a register_globals emulation layer within grab_globals.php, to ensure compatibility with hosts where this feature is turned off. This file is usually included at the very beginning, so that globalizing the request variables does not overwrite already used script variables. When the _GET and _POST variables are extracted it is even ensured, that certain names cannot be overwritten. This safety checks are not in effect, when the _FILES array, which holds information about uploaded files, is merged into the global namespace. Unfortunately phpMyAdmin comes with a few files that were not meant to be called directly and that do not include grab_globals.php but common.lib.php in the beginning. This results f.e. in the following include tree: - db_details_db_info.php \___ libraries/common.lib.php \___ libraries/select_lang.lib.php \ \___ libraries/grab_globals.php \ \___ lang/a-language.inc.php \___ ... From this one can see, that grab_globals.php will be included by select_lang.lib.php, if it is not included in the very beginning. This has the bad side effect, that the globalisation of the request variables is executed *after* common.lib.php has loaded the $cfg configuration array. In combination with the fact, that the _FILES array is not protected against keys with the name 'cfg', it is possible to overwrite the content of the configuration array in a way, that empties the content of the $cfg['ThemePath'] variable. This variable contains the path to a directory, that contains the supported themes. With the same overwrite it is possible to fill the variable $cfg['ThemeManager'] with a value, which evaluates to true. The idea behind this overwrite is to exploit an include statement which tries to verify the existance of a theme, selected through f.e. a supplied cookie variable: @include($cfg['ThemePath'].'/'.$GLOBALS['theme'].'/info.inc.php'); Due to the fact, that $cgf['ThemePath'] is empty and the global variable theme is filled with the content of a user supplied cookie, it is possible to use either a %00 or a realpath() truncation attack on the include filename to include any file, that can be accessed by the webserver. At this point a few things have to be noted: 1) When reading the theme name from the cookie directory the value is sanitizied against directory traversal attacks by removing .. from the filename. However the attack described here results in an absolute filepath beeing included, therefore any protection against directory traversal attacks is worthless. 2) A %00 filename truncation attack will only work if magic_quotes_gpc is turned off, which is however the recommended setting. A realpath() truncation attack on the other hand will only work agains malfunctional realpath() implementation, which can be found in f.e. older OpenBSD versions. 3) This vulnerability *cannot* be exploited, when your server uses our PHP Hardening-Patch, because it has a build in protection against such include-filename truncation attacks. Proof of Concept: The Hardened-PHP project is not going to release exploits for this vulnerability to the public. Disclosure Timeline: 15. October 2005 - Contacted phpMyAdmin developers by email 21. October 2005 - Vendor notifies me about planned release 22. October 2005 - Release of new phpMyAdmin version 22. October 2005 - Public Disclosure Recommendation: It is strongly recommended to upgrade to the new version of phpMyAdmin which you can download at: http://www.phpmyadmin.net/home_page/downloads.php GPG-Key: http://www.hardened-php.net/hardened-php-signature-key.asc pub 1024D/0A864AA1 2004-04-17 Hardened-PHP Signature Key Key fingerprint = 066F A6D0 E57E 9936 9082 7E52 4439 14CC 0A86 4AA1 Copyright 2005 Stefan Esser. All rights reserved. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQFDWki0RDkUzAqGSqERAn2tAJ9obBXrgmTnYhuE9/jfxddfHbCrhwCggf8T 11j2W1NBEeiMg7IIgCmVjxg= =VqEK -----END PGP SIGNATURE-----