phpMyAdmin Multiple Cross-Site Request Forgery (CSRF) Vulnerabilities

Vulnerability ID 1193327 Vulnerability type Input validation
Published 2006-09-28 Updated 2007-01-12
CVE ID CVE-2006-5116 CNNVD ID CNNVD-200610-018
Platform N/A CVSS score 5.1
|Sources
https://www.securityfocus.com/bid/20253
https://cxsecurity.com/issue/WLB-2006100043
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200610-018
|Details
Multiple cross-site request forgery (CSRF) vulnerabilities exist in phpMyAdmin. A remote attacker can perform unauthorized actions as another user by (1) setting the token directly in the URL, even with dynamic variable evaluation, or (2) unsetting arbitrary variables via the _REQUEST array, as related to (a) libraries/common.lib.php, (b) session.inc.php and (c) url_generating.lib.php.
|Exploit
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hardened-PHP Project
                        www.hardened-php.net

-= Security  Advisory =-

     Advisory: phpMyAdmin Multiple CSRF Vulnerabilities
 Release Date: 2006/10/01
Last Modified: 2006/10/01
       Author: Stefan Esser [sesser (at) hardened-php (dot) net [email concealed]]

  Application: phpMyAdmin <= 2.9.0
     Severity: Multiple vulnerabilities within phpMyAdmin allow
               bypassing its protection against CSRF
         Risk: Medium Critical
Vendor Status: Vendor has released an updated version
   References: http://www.hardened-php.net/advisory_072006.130.html

Overview:

   Quote from http://www.phpmyadmin.net
   "phpMyAdmin is a tool written in PHP intended to handle the
   administration of MySQL over the Web. Currently it can create and
   drop databases, create/drop/alter tables, delete/edit/add fields,
   execute any SQL statement, manage keys on fields, manage privileges,
   export data into various formats and is available in 50 languages."

   During an audit of phpMyAdmin's protection against CSRF (Cross Site
   Request Forgeries) we discovered that there were multiple ways to
   bypass the protection.

   The failure of phpMyAdmin's CSRF protection obviously means that a
   potential attacker can use CSRF attacks to trick the browser of a
   phpMyAdmin user into executing any kind of SQL query on the victim's
   database server.

Details:

   phpMyAdmin uses a random token that is stored within the user's
   session to protect against Cross Site Request Forgeries. CSRF
   basically means that a website tricks the browser of a visiting
   user into issuing HTTP requests against another site that does
   not ensure that the request was intended.

   In the case of phpMyAdmin a CSRF vulnerability obviously means that
   another site could trick the browser of a phpMyAdmin user into
   issuing arbitrary SQL queries against his database.

   In phpMyAdmin the CSRF protection works like this:

      1) Start PHP's session handling
      2) Is there already a token assigned to the session?
         -> No: create a random token
      3) Is the supplied token equal to the session token?
         -> No: unset() all request variables not in the white-list

   While this design could actually work, the implementation in
   phpMyAdmin was vulnerable to multiple attacks because before
   and during the 3 steps mentioned several modifications to the
   request variable arrays are made and these variables get
   globalised. (This is done within the PHP code and has nothing
   to do with register_globals.)

   The attacks we found target different phases of the CSRF
   protection. The following is an overview of the vulnerabilities
   within the 3 phases. For each phase several different attacks
   are possible. Several of the attacks require GPC variables
   with names that are equal to PHP's superglobals, therefore
   these attacks are automatically stopped by our Suhosin extension.

   [-- Token Verification --]

   The token verification could be tricked because there existed
   several flaws in the globalisation routine that allowed
   destroying the content of the session variables. Additionally,
   the special handling of session variables while
   register_globals is activated allowed directly setting the
   session token from within the URL.
   Obviously it is very easy to "guess" the required token when
   the token is empty or is set to a value of the attacker's choice.

   [-- Determine which variables to unset --]

   The _REQUEST array was used to determine which variables should
   be unset(), but phpMyAdmin contained intended and unintended ways
   that allowed overwriting the content of the _REQUEST array.
   In the new version all GPC arrays are used for this process and
   the unintended way to destroy superglobal arrays within the
   globalisation was closed.

   [-- Unset variables --]

   unset() is a dangerous function because older PHP versions
   (that are still installed on most servers) contained
   vulnerabilities that allowed bypassing it.

   For further information take a look at:

   http://www.hardened-php.net/critical_php_vulnerability_explained.124.html
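
   The following is an added illustrative example, not phpMyAdmin's code and
   not part of the Hardened-PHP advisory. It models the three-phase token check
   described above and the two weak spots the advisory names (a globalisation
   step that lets a request variable named _SESSION replace the session array,
   and $_REQUEST deciding what gets unset) next to a hardened variant that
   refuses superglobal names, reads the token only from the explicit GET/POST
   arrays and compares it in constant time. The whitelist KEEP, the RESERVED
   list, the function names and the forged request are constructed for the
   example; it assumes a PHP 7+ CLI with the session extension loaded and uses
   $_SESSION as a plain array without session_start().

```php
<?php
declare(strict_types=1);

// Illustrative reconstruction, NOT phpMyAdmin's or Hardened-PHP's code. It
// models the three-phase token check described in the advisory and the two
// weaknesses it names, next to a hardened variant. Runs from the CLI with the
// session extension loaded; $_SESSION is used as a plain array, without
// session_start(), so the script is self-contained.

// Hypothetical whitelist: variables that survive a failed token check.
const KEEP = ['token', 'lang', 'server', 'db', 'table'];

// Request variable names that collide with PHP's superglobals and must never
// be accepted from the client (the rule Suhosin enforces for every script).
const RESERVED = ['GLOBALS', '_GET', '_POST', '_COOKIE', '_REQUEST',
                  '_SERVER', '_ENV', '_FILES', '_SESSION'];

/** Phases 1-2: create the per-session token on first use and return it. */
function ensure_token(): string
{
    if (!isset($_SESSION['token']) || !is_string($_SESSION['token'])) {
        $_SESSION['token'] = bin2hex(random_bytes(16));
    }
    return $_SESSION['token'];
}

/**
 * Vulnerable model of phase 3. Request variables are "globalised" before the
 * comparison, so a parameter literally named _SESSION overwrites $_SESSION and
 * with it the token; afterwards $_REQUEST, which the client can shadow the same
 * way, decides which variables get unset().
 */
function vulnerable_check(array $gpc): bool
{
    ensure_token();
    foreach ($gpc as $name => $value) {
        $GLOBALS[$name] = $value;              // $GLOBALS['_SESSION'] is $_SESSION
    }
    $supplied = $GLOBALS['token'] ?? '';
    if ($supplied != ($_SESSION['token'] ?? '')) {   // loose ==, attacker-chosen token
        foreach (array_keys($_REQUEST) as $name) {
            if (!in_array((string) $name, KEEP, true)) {
                unset($GLOBALS[$name]);
            }
        }
        return false;
    }
    return true;
}

/**
 * Hardened model: nothing is globalised, reserved names are refused outright,
 * the token is read only from the explicit GET/POST arrays and compared in
 * constant time, and the unset decision covers every GPC array instead of
 * $_REQUEST. Returns the variables the application is allowed to see.
 */
function hardened_filter(array $get, array $post, array $cookie): array
{
    $expected = ensure_token();
    foreach ([$get, $post, $cookie] as $arr) {
        foreach (array_keys($arr) as $name) {
            if (in_array((string) $name, RESERVED, true)) {
                throw new RuntimeException("reserved variable name: $name");
            }
        }
    }
    $supplied = $post['token'] ?? $get['token'] ?? null;
    $valid    = is_string($supplied) && hash_equals($expected, $supplied);
    $merged   = $post + $get + $cookie;        // POST wins over GET over cookie
    return $valid ? $merged : array_intersect_key($merged, array_flip(KEEP));
}

// Constructed forged request: the attacker does not know the real token, so
// the cross-site form ships its own copy of $_SESSION plus a matching token.
$forged = [
    'token'     => 'attacker',
    '_SESSION'  => ['token' => 'attacker'],
    'sql_query' => 'DROP TABLE users',
];

$_SESSION = [];
$real     = ensure_token();
$_REQUEST = $forged;
echo 'vulnerable model accepts forged request: ',
     vulnerable_check($forged) ? 'yes' : 'no', "\n";

$_SESSION = ['token' => $real];                 // undo the clobbering above
try {
    hardened_filter($forged, [], []);
} catch (RuntimeException $e) {
    echo 'hardened model: ', $e->getMessage(), "\n";
}
$seen = hardened_filter(['token' => 'guess', 'sql_query' => 'DROP TABLE users', 'lang' => 'en'], [], []);
echo 'hardened model keeps only: ', implode(', ', array_keys($seen)), "\n";
$seen = hardened_filter(['token' => $real, 'sql_query' => 'SELECT 1'], [], []);
echo 'hardened model with real token keeps: ', implode(', ', array_keys($seen)), "\n";
```

   In the vulnerable model the forged request is accepted because the
   comparison runs after $GLOBALS['_SESSION'] has been replaced by the
   attacker's copy; the hardened model rejects the same request at the
   reserved-name check, strips everything but the whitelist when the token
   is wrong, and passes a request carrying the real token through unchanged.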

Proof of Concept:

   The Hardened-PHP Project is not going to release exploits for
   this vulnerability to the public.

Disclosure Timeline:

   23. September 2006 - Contacted phpMyAdmin developers by email
   01. October 2006   - Updated phpMyAdmin was released
   01. October 2006   - Public Disclosure

Recommendation:

   It is strongly recommended to upgrade to the newest version of
   phpMyAdmin 2.9.0.1 which you can download at:

   http://www.phpmyadmin.net/home_page/downloads.php

   As usual we very strongly recommend to install our Suhosin PHP
   extension. It disallows request variables with the same name
   as PHP superglobal arrays. This stops several of the attacks
   described in this advisory.
   
   Grab your copy and more information at:
   
   http://www.hardened-php.net/suhosin/index.html

GPG-Key:

http://www.hardened-php.net/hardened-php-signature-key.asc

pub  1024D/0A864AA1 2004-04-17 Hardened-PHP Signature Key
   Key fingerprint = 066F A6D0 E57E 9936 9082  7E52 4439 14CC 0A86 4AA1

Copyright 2006 Stefan Esser. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)

iD8DBQFFIA0sRDkUzAqGSqERAkvZAKDUgtJio2X8pXqW82tGrBVDTZ7giwCfV00p
9VZ7BjLg4UkiO7WC8RohqOo=
=+flk
-----END PGP SIGNATURE-----
|Affected products
S.u.S.E. Linux Professional 10.0 OSS
S.u.S.E. Linux Professional 10.0
S.u.S.E. Linux Professional 9.3 x86_64
S.u.S.E. Linux Professional 9.3
S.u.S.E. Linux Professional 10.1
|References

Source: BID
Name: 20253
Link: http://www.securityfocus.com/bid/20253
Source: prdownloads.sourceforge.net
Link: http://prdownloads.sourceforge.net/phpmyadmin/phpMyAdmin-2.9.1-rc1.tar.gz?download
Source: XF
Name: phpmyadmin-multiple-csrf(29301)
Link: http://xforce.iss.net/xforce/xfdb/29301
Source: BUGTRAQ
Name: 20061001 Advisory 07/2006: phpMyAdmin Multiple CSRF Vulnerabilities
Link: http://www.securityfocus.com/archive/1/archive/1/447491/100/0/threaded
Source: MISC
Link: http://www.hardened-php.net/advisory_072006.130.html
Source: SECUNIA
Name: 22126
Link: http://secunia.com/advisories/22126
Source: VIM
Name: 20061003 Concerning CSRF in phpMyAdmin 2.9.0.1 (CVE-2006-5116)
Link: http://attrition.org/pipermail/vim/2006-October/001067.html
Source: www.phpmyadmin.net
Link: http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2006-5
Source: DEBIAN
Name: DSA-1207
Link: http://www.debian.org/security/2006/dsa-1207
Source: SREASON
Name: 1677
Link: http://securityreason.com/securityalert/1677
Source: SECUNIA
Name: 23086
Link: http://secunia.com/advisories/23086
Source: SECUNIA
Name: 22781
Link: http://secunia.com/adviso