Wednesday, January 26, 2011

phpMyAdmin 3.4.x, 3.4.0 beta 2 <= Stored Cross Site Scripting (XSS) Vulnerability


1. OVERVIEW
The phpMyAdmin web application 3.4.0 beta 2 and lower versions of
3.4.x were vulnerable to Cross Site Scripting.

2. PRODUCT DESCRIPTION
phpMyAdmin is a free software tool written in PHP intended to handle
the administration of MySQL over the World Wide Web.
phpMyAdmin supports a wide range of operations with MySQL.
The most frequently used operations are supported by the user
interface (managing databases, tables, fields, relations,
indexes, users, permissions, etc), while you still have the ability to
directly execute any SQL statement.

3. VULNERABILITY DESCRIPTION
The 'db' parameter in phpMyAdmin was not sanitized and an attacker can
inject XSS string in 'db' field when creating or renaming a database.
An attacker can create new database name or rename database name
through several means like SQL Injection in user's vulnerable web
applications or
compromise of user account through brute-force or bypassing CSRF protection.
Even though the phpMyAdmin uses httpOnly as a protection against
cookie theft via XSS, attacker could use XSS tunneling proxy to
manipulate database names and fields. From it, he could execute
arbitrary database commands to allow him higher access to the server.

4. VERSIONS AFFECTED
phpMyAdmin 3.4.0 beta 2 and lower versions of 3.4.x
Vendor confirmed this flaw did not exist before the 3.4 version family.
Thus, it is assumed 2.x and 3.3 <= versions are not affected.

5. PROOF-OF-CONCEPT/EXPLOIT
http://demo.phpmyadmin.net/trunk-config/index.php?db=%27%22--%3E%3C%2Fscript%3E%3Cscript%3Ealert%28%2FXSS%2F%29%3C%2Fscript%3E
http://yehg.net/lab/pr0js/advisories/phpmyadmin/3.4.0-b2-xss.jpg

6. IMPACT
Attackers can compromise currently logged-in user session, plant xss
backdoors and inject arbitrary SQL statements
(CREATE,INSERT,UPDATE,DELETE)
via crafted XSS payloads.

7. SOLUTION
For those who're using version phpMyAdmin 3.4.0 beta 2 and lower,
check out the latest commit (git pull).

8. VENDOR
phpMyAdmin (http://www.phpmyadmin.net)

9. CREDIT
This vulnerability was discovered by Aung Khant, http://yehg.net, YGN
Ethical Hacker Group, Myanmar.

10. DISCLOSURE TIME-LINE
2011-01-26: notified vendor
2011-01-26: vendor released fix
2011-01-27: vulnerability disclosed

11. REFERENCES
Vendor Commit: http://phpmyadmin.git.sourceforge.net/git/gitweb.cgi?p=phpmyadmin/phpmyadmin;a=commit;h=f57daa0a59a0058a4b3be1bbdf1577b59d7d697a
Original Advisory URL:
http://yehg.net/lab/pr0js/advisories/phpmyadmin/[phpmyadmin-3.4.0-beta2]_cross_site_scripting(XSS)
CWE-79
: http://cwe.mitre.org/data/definitions/79.html
Previous Releases:
http://www.phpmyadmin.net/home_page/security/PMASA-2010-6.php
http://www.phpmyadmin.net/home_page/security/PMASA-2010-5.php
http://www.phpmyadmin.net/home_page/security/PMASA-2008-5.php
http://www.phpmyadmin.net/home_page/security/PMASA-2008-6.php
#yehg [2011-01-27]

---------------------------------
Best regards,
YGN Ethical Hacker Group
Yangon, Myanmar
http://yehg.net
Our Lab | http://yehg.net/lab
Our Directory | http://yehg.net/hwd