[41718] in bugtraq
phpMyAdmin server_privileges.php SQL Injection Vulnerabilities.
daemon@ATHENA.MIT.EDU (Alice Bryson)
Sat Dec 17 19:39:14 2005
From: "Alice Bryson" <abryson@bytefocus.com>
To: <bugtraq@securityfocus.com>
Date: Sat, 17 Dec 2005 09:39:36 +0800
MIME-Version: 1.0
Content-Type: text/plain;
charset="UTF-8"
Message-ID: <DEV-LOUIS-WIN4KhAfd00000002@lwang.org>
Content-Transfer-Encoding: 8bit
phpMyAdmin server_privileges.php SQL Injection Vulnerabilities.
I. BACKGROUND
phpMyAdmin is a tool written in PHP intended to handle the administration of MySQL over the Web.
II. DESCRIPTION
phpMyAdmin server_privileges.php is prone to SQL Injection vulnerability. A remote attacker may execute arbitrary SQL command by sending specially-crafted URI to server_privileges.php db_name or checkprivs parameter.
III. PUBLISH DATE
2005-12-7
IV. AUTHOR
lwang@lwang.org
V. AFFECTED SOFTWARE
phpMyAdmin 2.7.0 is confirmed to affected. Older versions may also be affected.
The following vendors distribute vulnerable phpMyAdmin package:
The FreeBSD Project
Gentoo Foundation
Novell, Inc. (SuSE)
The Debian Project (SuSE)
VI. ANALYSIS
in server_privileges.php
line 27:
if ( isset( $dbname ) ) {
//if ( preg_match( '/\\\\(?:_|%)/i', $dbname ) ) {
if ( preg_match( '/(?<!\\\\)(?:_|%)/i', $dbname ) ) {
$dbname_is_wildcard = true;
} else {
$dbname_is_wildcard = false;
}
}
parameter $dbname is not validate properly.
line 1197:
if (isset($viewing_mode) && $viewing_mode == 'db') {
$db = $checkprivs;
$url_query .= '&goto=db_operations.php';
// Gets the database structure
$sub_part = '_structure';
require('./db_details_db_info.php');
echo "\n";
} else {
require('./server_links.inc.php');
}
line 1241:
if ( empty( $adduser ) && empty( $checkprivs ) ) {
parameter $checkprivs not validate properly.
VII. Proof of Concept
http://victim/phpmyadmin/server_privileges.php?server=1&checkprivs='
http://victim/phpmyadmin/server_privileges.php?server=1&hostname='&username=1&dbname=1&tablename=1
VIII. SOLUTION
I have not contact the vendor, and no aware of any security patch till now.
IX. REFERENCE
http://www.phpmyadmin.net
