phpMyAdmin server_privileges.php SQL Injection Vulnerabilities.
I. BACKGROUND
phpMyAdmin is a tool written in PHP intended to handle the administration of MySQL over the Web.
II. DESCRIPTION
phpMyAdmin's server_privileges.php is prone to an SQL injection vulnerability. A remote attacker may execute arbitrary SQL commands by sending a specially crafted URI that supplies the db_name or checkprivs parameter of server_privileges.php.
III. PUBLISH DATE
2005-12-7
IV. AUTHOR
lwang (at) lwang (dot) org [email concealed]
V. AFFECTED SOFTWARE
phpMyAdmin 2.7.0 is confirmed to be affected. Older versions may also be affected.
The following vendors distribute a vulnerable phpMyAdmin package:
The FreeBSD Project
Gentoo Foundation
Novell, Inc. (SuSE)
The Debian Project (SuSE)
VI. ANALYSIS
In server_privileges.php, line 27:

    if ( isset( $dbname ) ) {
        //if ( preg_match( '/\\\\(?:_|%)/i', $dbname ) ) {
        if ( preg_match( '/(?<!\\\\)(?:_|%)/i', $dbname ) ) {
            $dbname_is_wildcard = true;
        } else {
            $dbname_is_wildcard = false;
        }
    }

The $dbname parameter is not validated properly: the check above only decides whether the name contains an unescaped SQL wildcard, it does not restrict what the name may contain.
Line 1197:

    if (isset($viewing_mode) && $viewing_mode == 'db') {
        $db = $checkprivs;
        $url_query .= '&goto=db_operations.php';
        // Gets the database structure
        $sub_part = '_structure';
        require('./db_details_db_info.php');
        echo "\n";
    } else {
        require('./server_links.inc.php');
    }

Line 1241:

    if ( empty( $adduser ) && empty( $checkprivs ) ) {

The $checkprivs parameter is not validated properly: it is copied straight into $db and passed on to db_details_db_info.php without any check of its contents.
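The two findings above share one root cause: a request parameter that names a database reaches SQL text without validation or quoting. The following is an added example, not phpMyAdmin's code, showing that pattern next to a hardened form. The query text, the function names (buildPrivQueryVulnerable, isSafeDbName, quoteIdentifier, fetchDbPrivileges) and the use of the mysqlnd-based get_result()/fetch_all() calls are assumptions made for illustration; only the parameter names and the PoC values come from the advisory.

```php
<?php
// Added example (not phpMyAdmin code): the unvalidated-parameter pattern
// from the analysis above, next to a hardened version. The query text and
// the function names are assumptions for illustration only.

// VULNERABLE: the request value is spliced straight into the SQL text.
// With $checkprivs = "'" (the advisory's PoC value) the quoting breaks and
// the rest of the statement becomes attacker-controlled.
function buildPrivQueryVulnerable(string $checkprivs): string
{
    return "SELECT `User`, `Host` FROM `mysql`.`db` WHERE `Db` = '" . $checkprivs . "'";
}

// Allow-list for database names: letters, digits, underscore and dollar,
// plus the SQL wildcards '_' and '%' that server_privileges.php deliberately
// accepts in $dbname. MySQL limits database names to 64 characters.
function isSafeDbName(string $name): bool
{
    return $name !== '' && strlen($name) <= 64
        && preg_match('/^[A-Za-z0-9_$%]+$/', $name) === 1;
}

// Identifier quoting: wrap in backticks and double any embedded backtick,
// so the value can only ever be parsed as a single identifier.
function quoteIdentifier(string $name): string
{
    return '`' . str_replace('`', '``', $name) . '`';
}

// HARDENED: reject anything outside the allow-list before it reaches SQL,
// then bind the remaining value as a parameter instead of concatenating it.
// (Assumes the mysqlnd driver for get_result()/fetch_all().)
function fetchDbPrivileges(mysqli $link, string $checkprivs): array
{
    if (!isSafeDbName($checkprivs)) {
        throw new InvalidArgumentException('invalid database name');
    }
    $stmt = $link->prepare('SELECT `User`, `Host` FROM `mysql`.`db` WHERE `Db` = ?');
    $stmt->bind_param('s', $checkprivs);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

// Offline demonstration on constructed inputs, including the values from the
// advisory's PoC URLs ("'" for checkprivs, "1" for dbname).
foreach (["'", "1", "test%", "x` OR 1=1 -- "] as $value) {
    printf("%-18s allow-list: %-3s  quoted: %-20s  vulnerable SQL: %s\n",
        var_export($value, true),
        isSafeDbName($value) ? 'ok' : 'NO',
        quoteIdentifier($value),
        buildPrivQueryVulnerable($value));
}
```

Running the demonstration shows the PoC value `'` failing the allow-list while producing an unbalanced quote in the vulnerable query; the hardened function never reaches the prepare() call for such input. The allow-list, not the quoting, is what keeps wildcard handling intact: `%` and `_` still pass, matching the behaviour the line-27 check expects.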
VII. Proof of Concept
http://victim/phpmyadmin/server_privileges.php?server=1&checkprivs='
http://victim/phpmyadmin/server_privileges.php?server=1&hostname='&username=1&dbname=1&tablename=1
VIII. SOLUTION
I have not contacted the vendor, and I am not aware of any security patch at this time.
IX. REFERENCE
http://www.phpmyadmin.net
SecurityReason - UPDATE :
The phpMyAdmin team's answer to the vulnerability announcement, Dec 17, 2005:
--------------------------------------------------------------------------------
We don't think that this is a real threat. The server_privileges.php
script checks at the beginning if the user is privileged. So, for this
attack to work, the victim's phpMyAdmin installation would have to be
set as to allow any user to auto-login as a privileged user! If this is
the case, this phpMyAdmin installation is wide open and this situation
has to be fixed by the person who configured phpMyAdmin.
--------------------------------------------------------------------------