---------------------------------------------------------------------------------
|                 ____   ____.__         __                                     |
|                 \   \ /   /|__|_______/  |_ __ _______  ___  ___              |
|                  \   Y   / |  \_  __ \   __\  |  \__  \ \  \/  /              |
|                   \     /  |  ||  | \/|  | |  |  // __ \_>    <               |
|                    \___/   |__||__|   |__| |____/(____  /__/\_ \              |
|                                                       \/      \/              |
|                                                                               |
|                          Security without illusions                           |
|                                www.virtuax.be                                 |
|                                                                               |
---------------------------------------------------------------------------------

Application:         Phpmyadmin
Vulnerable Versions: <= v2.8.1
Vulnerability:       XSS
Vendor:              http://www.phpmyadmin.net
Vendor Status:       notified
Found:               11-01-2007
Public Release Date: 12-01-2007
Last modified:       12-01-2007
Author:              AlFa
Reference:           http://www.virtuax.be/advisories/Advisory1-12012007.txt

=================================================================================
Shouts to Ciri, ShadoW, RedFern, Dreamer and the rest of the Virtuax Community =)
=================================================================================

I. Background
-------------

"phpMyAdmin is a tool written in PHP intended to handle the administration of
MySQL over the Web. Currently it can create and drop databases,
create/drop/alter tables, delete/edit/add fields, execute any SQL statement,
manage keys on fields, manage privileges, export data into various formats and
is available in 50 languages." (phpmyadmin.net)

This issue was fixed in phpMyAdmin v2.8.2:

[quote=changelog]
2006-06-30 Marc Delisle
    * libraries/common.lib.php: escape also single quotes

### 2.8.2 released from QA_2_8

2006-06-28 Marc Delisle
    * libraries/common.lib.php: escape allowed parameters from non-token requests
[/quote]

II. Vulnerability
-----------------

Originally, phpMyAdmin < 2.6.2-rc1 contained an XSS vulnerability caused by
missing validation of input supplied to the "convcharset" variable (reference:
http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2005-3). That
problem was solved by passing $convcharset through the PMA_sanitize() function.

However, that function only escapes < and > and leaves quotes untouched, in all
versions up to and including 2.8.1 (2.8.2 is the first release that escapes
quotes; see the changelog above). Here is the relevant code:

[code=./libraries/common.lib.php]
// XSS
if (isset($convcharset)) {
    $convcharset = PMA_sanitize($convcharset);
}
[/code]

[code=./libraries/sanitizing.lib.php]
function PMA_sanitize($message)
{
    $replace_pairs = array(
        '<'         => '&lt;',
        '>'         => '&gt;',
        '[i]'       => '<em>',      // deprecated by em
        '[/i]'      => '</em>',     // deprecated by em
        '[em]'      => '<em>',
        '[/em]'     => '</em>',
        '[b]'       => '<strong>',  // deprecated by strong
        '[/b]'      => '</strong>', // deprecated by strong
        '[strong]'  => '<strong>',
        '[/strong]' => '</strong>',
        '[tt]'      => '<code>',    // deprecated by CODE or KBD
        '[/tt]'     => '</code>',   // deprecated by CODE or KBD
        '[code]'    => '<code>',
        '[/code]'   => '</code>',
        '[kbd]'     => '<kbd>',
        '[/kbd]'    => '</kbd>',
        '[br]'      => '<br />',
        '[/a]'      => '</a>',
    );
    return preg_replace('/\[a@([^"@]*)@([^]"]*)\]/', '<a href="\1" target="\2">',
                        strtr($message, $replace_pairs));
}
[/code]

Because < and > are escaped we cannot break out of the input tag that reflects
$convcharset, so we have to stay inside it and work with attributes. The value is
echoed inside a double-quoted attribute, and since quotes pass through untouched,
a " in the payload terminates that attribute and everything after it is parsed
as further attributes of the same tag. A style attribute lets us insert CSS and
call JavaScript from it, just as in a regular cascading style sheet, e.g.:

STYLE="background-image: url(javascript:alert('XSS'))"

IIa. Affected Browsers
----------------------

All versions of Firefox seem not to be vulnerable to this attack (1.5 and 2.0
tested). Opera also seems to be safe (v8.53 and v9.10 tested). IE 6.x is not
safe, but IE 7.x is. Not yet tested: IE 5.x (but IE 5.2 for Mac seems not to be
vulnerable). The payload relies on the browser executing a javascript: URL inside
a CSS url(), which is why the results differ per browser; the attribute
injection itself works in every browser and could be paired with another
attribute-based vector.

III. PoC
--------

https://phpmyadmin.example.com/?convcharset=%22%20STYLE=%22background-image:%20url(javascript:alert('XSS'))%22%20r=%22

URL-decoded, the convcharset value is:

" STYLE="background-image: url(javascript:alert('XSS'))" r="

The leading " closes the original value attribute, STYLE="..." is the injected
attribute, and the trailing r=" absorbs the original closing quote so the tag
stays well-formed.

IV. Solution
------------

A. Quickfix

Replace this code (./main.php):

with this code:

B. Upgrade to the newest version of phpMyAdmin, which you can find here:
   http://www.phpmyadmin.net/home_page/downloads.php

V. Timeline
-----------

11-01-2007: vulnerability found + contact with vendor
12-01-2007: public disclosure + vendor removed old (vulnerable) versions from
            download section

Copyright 2007 by Alfa from Virtuax.be
All rights reserved.
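The following is an added example written for this page; it is not phpMyAdmin code and not part of the original advisory. It models the two sanitizer behaviours described above (angle brackets only, as in 2.8.1, versus angle brackets plus both quote styles, as the 2.8.2 changelog describes), reflects the advisory's decoded PoC payload into an assumed hidden <input> element, and then parses the result with DOMDocument to show which attributes the element actually ends up with. The function names, the hidden-input reflection point and the use of ext/dom are assumptions of the example, not facts from the advisory.

```php
<?php
// Added example (not phpMyAdmin code): why escaping only < and > does not
// protect a value reflected inside an HTML attribute, and the fix.
// Assumptions: convcharset is echoed into a hidden <input> (the "input tag"
// the advisory refers to) and ext/dom (DOMDocument) is available.

// Models the 2.8.1 behaviour the advisory describes: angle brackets become
// entities, quotes are left untouched.
function sanitize_angle_brackets_only(string $value): string
{
    return strtr($value, ['<' => '&lt;', '>' => '&gt;']);
}

// Hardened variant: also escape " and ' (the 2.8.2 changelog entry
// "escape also single quotes"). ENT_QUOTES covers both quote styles.
function sanitize_for_attribute(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// The assumed reflection point: a hidden form field carrying convcharset.
function render_hidden_input(string $convcharset, callable $sanitizer): string
{
    return '<input type="hidden" name="convcharset" value="'
        . $sanitizer($convcharset) . '" />';
}

// Parse the rendered tag the way a browser would and return the attributes
// the <input> element really has after parsing (names lowercased by libxml).
function parsed_input_attributes(string $html): array
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);            // tolerate the odd markup
    $doc->loadHTML('<html><body>' . $html . '</body></html>');
    libxml_clear_errors();
    $input = $doc->getElementsByTagName('input')->item(0);
    $attrs = [];
    foreach ($input->attributes as $attr) {
        $attrs[$attr->name] = $attr->value;
    }
    return $attrs;
}

// The advisory's PoC, URL-decoded. The leading " closes the original value
// attribute, STYLE="..." is the injected attribute, and the trailing r="
// swallows the original closing quote so the tag stays well-formed.
$payload = '" STYLE="background-image: url(javascript:alert(\'XSS\'))" r="';

foreach (['sanitize_angle_brackets_only', 'sanitize_for_attribute'] as $fn) {
    $tag   = render_hidden_input($payload, $fn);
    $attrs = parsed_input_attributes($tag);
    echo $fn, ":\n  ", $tag, "\n";
    echo isset($attrs['style'])
        ? "  INJECTED style attribute: {$attrs['style']}\n"
        : "  value stays inert: {$attrs['value']}\n";
}
```

With the angle-bracket-only sanitizer the parsed element carries a style attribute of `background-image: url(javascript:alert('XSS'))` and a stray `r` attribute; with htmlspecialchars(..., ENT_QUOTES) the whole payload survives only as the text of the value attribute. The general point for a reviewer is that the escaping has to match the context the value is reflected into: inside a quoted attribute, quotes are the breakout characters, so an encoder that only handles < and > is insufficient no matter how much markup it strips.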