phpMyAdmin index.php Incomplete Blacklist Vulnerability

Vulnerability ID: 1191364 Vulnerability type: Cross-site scripting
Published: 2007-03-10 Updated: 2007-03-10
CVE: CVE-2007-1395 CNNVD-ID: CNNVD-200703-313
Platform: N/A CVSS score: 4.3
|Vulnerability Sources
https://www.securityfocus.com/bid/81883
https://cxsecurity.com/issue/WLB-2007030100
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200703-313
|Vulnerability Details
An incomplete blacklist vulnerability exists in index.php in phpMyAdmin 2.8.0 through 2.9.2. A remote attacker can carry out a cross-site scripting attack by injecting arbitrary JavaScript or HTML into the value of the (1) db or (2) table parameter. When the parameter value is followed by an uppercase closing tag, the protection mechanism, which checks only for the lowercase form, is bypassed.
|Vulnerability EXP
This XSS (with XSRF possibility) works only when logged in, but since in many places anonymous logins are allowed and many webhost companies offer just one or a few phpMyAdmins for a large number of users, I consider it worth publishing.

Theoretically it is possible to obtain and use the cookie and token variables (which are necessary to get this XSS working), but I haven't made a working PoC at the moment; I'm sure others will have the capability to do so.

The problem is bad filtering of $db and $table, where they only check for the (lowercase) </script> tag and not for the (uppercase) </SCRIPT> tag to break out of the JavaScript.

More details can be found in an advisory found here:
http://www.virtuax.be/advisories/Advisory2-24012007.txt

Possible attack strings could look like:
http://phpmyadmin.example.com/index.php?token=$token&db/table=';[XSS]
http://phpmyadmin.example.com/index.php?token=$token&db/table=</SCRIPT></head><body>[HTML]

In each case, if you're running phpMyAdmin <= 2.9 it's wise to update. Stefan Esser has even used phpMyAdmin as an example in one of the bugs he found and reported in (his) MOPB over a week ago (http://www.php-security.org/MOPB/MOPB-02-2007.html and http://www.phpmyadmin.net/).
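The filter flaw described above, as an added illustration that is not phpMyAdmin's own code: embed_blacklist() is a hypothetical reconstruction of a case-sensitive closing-tag blacklist, placed next to context-correct encoding of the same value, with a check a defender can run over the rendered output. The function names and probe strings are constructed for this example.

```php
<?php
// Added example (not phpMyAdmin code). embed_blacklist() is a hypothetical
// reconstruction of the flaw the advisory describes: only the lowercase
// closing tag is stripped before the value lands in a JavaScript string.
function embed_blacklist(string $value): string
{
    $filtered = str_replace('</script>', '', $value);   // case-sensitive
    return "<script>var db = '" . $filtered . "';</script>";
}

// Hardened form: encode for the JavaScript-string context. json_encode with
// the HEX flags turns < > ' " & into \uXXXX escapes, so no input can close
// the string literal or the <script> element, whatever its letter case.
// JSON_THROW_ON_ERROR (PHP 7.3+) makes invalid UTF-8 fail loudly instead of
// silently producing an empty literal.
function embed_encoded(string $value): string
{
    $literal = json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP
            | JSON_THROW_ON_ERROR
    );
    return "<script>var db = " . $literal . ";</script>";
}

// Defensive check on the rendered page: more than one closing script tag in
// any letter case means the untrusted value escaped its context. A
// case-insensitive blacklist would also pass this probe, but it is still a
// blacklist; encoding for the output context is the durable fix.
function breaks_out(string $html): bool
{
    return preg_match_all('#</script\s*>#i', $html) > 1;
}

// Constructed probes: the same payload with a lowercase and an uppercase
// closing tag, mirroring the advisory's observation.
$probes = [
    'lower' => '</script><i>constructed</i>',
    'upper' => '</SCRIPT><i>constructed</i>',
];

foreach ($probes as $name => $probe) {
    printf("%-5s blacklist breaks out: %s\n", $name,
        breaks_out(embed_blacklist($probe)) ? 'yes' : 'no');
    printf("%-5s encoded   breaks out: %s\n", $name,
        breaks_out(embed_encoded($probe)) ? 'yes' : 'no');
}
```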
|Affected Products
phpMyAdmin phpMyAdmin 2.9.1 rc1
phpMyAdmin phpMyAdmin 2.9.1
phpMyAdmin phpMyAdmin 2.9 rc1
phpMyAdmin phpMyAdmin 2.9.2
phpMyAdmin phpMyAdmin 2.9
|References

Source: XF
Name: phpmyadmin-dbtable-xss(32858)
Link: http://xforce.iss.net/xforce/xfdb/32858
Source: MISC
Link: http://www.virtuax.be/advisories/Advisory2-24012007.txt
Source: BUGTRAQ
Name: 20070307 XSS in phpMyAdmin >= 2.8.0 and < 2.10.0
Link: http://www.securityfocus.com/archive/1/archive/1/462139/100/0/threaded
Source: OSVDB
Name: 35048
Link: http://osvdb.org/35048
Source: DEBIAN
Name: DSA-1370
Link: http://www.us.debian.org/security/2007/dsa-1370
Source: MANDRIVA
Name: MDKSA-2007:199
Link: http://www.mandriva.com/security/advisories?name=MDKSA-2007:199
Source: SREASON
Name: 2402
Link: http://securityreason.com/securityalert/2402
Source: SECUNIA
Name: 26733
Link: http://secunia.com/advisories/26733