phpMyAdmin server_privileges.php SQL injection vulnerability

Vulnerability ID: 1196869  Vulnerability type: SQL injection
Published: 2005-12-19  Updated: 2006-06-07
CVE: CVE-2005-4349  CNNVD ID: CNNVD-200512-420
Platform: N/A  CVSS score: 6.5
|Vulnerability source
https://cxsecurity.com/issue/WLB-2005120050
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200512-420
|Vulnerability details
**Disputed** The server_privileges.php script in phpMyAdmin 2.7.0 has an SQL injection vulnerability: a remote authenticated user can execute arbitrary SQL commands via the (1) dbname and (2) checkprivs parameters. Note: the vendor and third parties dispute this issue, pointing out that the script's main purpose is to provide query support to authenticated users, and that without an auto-login configuration there is no external attack scenario. This issue is therefore likely to be rejected. However, a closely related CSRF issue has been assigned CVE-2005-4450.
|Exploit
phpMyAdmin server_privileges.php SQL Injection Vulnerabilities.

I. BACKGROUND
phpMyAdmin is a tool written in PHP intended to handle the administration of MySQL over the Web.

II. DESCRIPTION
phpMyAdmin server_privileges.php is prone to an SQL Injection vulnerability. A remote attacker may execute arbitrary SQL commands by sending a specially-crafted URI to the server_privileges.php db_name or checkprivs parameter.

III. PUBLISH DATE
2005-12-7

IV. AUTHOR
lwang (at) lwang (dot) org [email concealed]

V. AFFECTED SOFTWARE
phpMyAdmin 2.7.0 is confirmed to be affected. Older versions may also be affected.
The following vendors distribute vulnerable phpMyAdmin package:
The FreeBSD Project 
Gentoo Foundation 
Novell, Inc. (SuSE) 
The Debian Project (SuSE)

VI. ANALYSIS
In server_privileges.php
line 27:
if ( isset( $dbname ) ) {
    // Older check, kept commented out in the source: a literal backslash before _ or %.
    //if ( preg_match( '/\\\\(?:_|%)/i', $dbname ) ) {
    // Current check: an unescaped _ or % (negative lookbehind for a backslash) marks a wildcard name.
    if ( preg_match( '/(?<!\\\\)(?:_|%)/i', $dbname ) ) {
        $dbname_is_wildcard = true;
    } else {
        $dbname_is_wildcard = false;
    }
}
Parameter $dbname is not validated properly.

line 1197:
if (isset($viewing_mode) && $viewing_mode == 'db') {
     $db = $checkprivs;
     $url_query .= '&goto=db_operations.php';

// Gets the database structure
     $sub_part = '_structure';
     require('./db_details_db_info.php');
     echo "\n";
} else {
    require('./server_links.inc.php');
}

line 1241:
if ( empty( $adduser ) && empty( $checkprivs ) ) {

Parameter $checkprivs is not validated properly.

VII. Proof of Concept
http://victim/phpmyadmin/server_privileges.php?server=1&checkprivs='
http://victim/phpmyadmin/server_privileges.php?server=1&hostname='&username=1&dbname=1&tablename=1

VIII. SOLUTION
I have not contacted the vendor, and am not aware of any security patch so far.

IX. REFERENCE 
http://www.phpmyadmin.net
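
The two parameters the analysis above singles out ($dbname and $checkprivs) reach SQL without validation. As an added illustration that is not part of the advisory or of phpMyAdmin's own code, the PHP below shows the hardened handling a maintainer would apply: an allow-list for database-name parameters, backtick quoting when the value is used as an identifier, and a bound parameter when it is used as a string literal. The function names, the mysql.db lookup and reading the value from $_GET are assumptions.

```php
<?php
// Added illustration, not phpMyAdmin code. Hardened handling of the two
// request parameters named in the advisory ($dbname, $checkprivs).
// Function names are hypothetical.

// Allow-list: a MySQL database name (or a GRANT-style pattern, hence % and _)
// is at most 64 characters and needs none of the characters an injection
// relies on (quotes, backslashes, whitespace, semicolons, comment markers).
function isSafeDbName(string $name): bool
{
    return (bool) preg_match('/^[A-Za-z0-9_$%]{1,64}$/', $name);
}

// Defence in depth: when the value is used as an identifier, quote it with
// backticks and double any embedded backtick. String-escaping functions are
// the wrong tool for identifiers, and prepared-statement placeholders cannot
// carry them at all.
function quoteIdentifier(string $name): string
{
    return '`' . str_replace('`', '``', $name) . '`';
}

// When the same value is used as a string literal (here: matching the Db
// column of the mysql.db grant table), bind it instead of interpolating it.
function countDbGrants(mysqli $link, string $dbname): int
{
    $stmt = $link->prepare('SELECT COUNT(*) FROM mysql.db WHERE Db = ?');
    $stmt->bind_param('s', $dbname);
    $stmt->execute();
    $stmt->bind_result($n);
    $stmt->fetch();
    $stmt->close();
    return (int) $n;
}

// Request handling mirroring the vulnerable flow ($db = $checkprivs), but
// rejecting bad input before it reaches any query. The advisory's
// proof-of-concept value (a lone single quote) fails the allow-list.
$checkprivs = $_GET['checkprivs'] ?? '';
if ($checkprivs !== '' && !isSafeDbName($checkprivs)) {
    http_response_code(400);
    exit('Invalid database name');
}
$db = $checkprivs; // now safe for quoteIdentifier() or countDbGrants()
```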


SecurityReason - UPDATE :

phpMyAdmin's team answer to vulnerability announcement
of Dec 17, 2005

--------------------------------------------------------------------------------
We don't think that this is a real threat. The server_privileges.php 
script checks at the beginning if the user is privileged. So, for this 
attack to work, the victim's phpMyAdmin installation would have to be 
set as to allow any user to auto-login as a privileged user! If this is 
the case, this phpMyAdmin installation is wide open and this situation 
has to be fixed by the person who configured phpMyAdmin.
--------------------------------------------------------------------------
|References

Source: BUGTRAQ
Name: 20051219 about phpMyAdmin's server_privileges.php announced vulnerability
Link: http://www.securityfocus.com/archive/1/archive/1/419832/100/0/threaded
Source: BUGTRAQ
Name: 20051219 Re: phpMyAdmin server_privileges.php SQL Injection Vulnerabilities.
Link: http://www.securityfocus.com/archive/1/archive/1/419829/100/0/threaded
Source: VUPEN
Name: ADV-2005-2995
Link: http://www.frsirt.com/english/advisories/2005/2995
Source: SECUNIA
Name: 18113
Link: http://secunia.com/advisories/18113
Source: BUGTRAQ
Name: 20051217 phpMyAdmin server_privileges.php SQL Injection Vulnerabilities.
Link: http://marc.theaimsgroup.com/?l=bugtraq&m=113486637512821&w=2
Source: SREASON
Name: 270
Link: http://securityreason.com/securityalert/270