phpMyAdmin 4.4.6 Man-In-the-Middle to API Github

2015.05.14
Risk: Medium
Local: No
Remote: Yes


CVSS Base Score: 4.3/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: None
Integrity impact: Partial
Availability impact: None

phpMyAdmin 4.4.6 Man-In-the-Middle to API Github (CVE-2015-3903) Author: Maksymilian Arciemowicz from https://cxsecurity.com Issue type: CWE-295 --- Description --- As we can read CURLOPT_SSL_VERIFYPEER option. http://curl.haxx.se/libcurl/c/CURLOPT_SSL_VERIFYPEER.html WARNING: disabling verification of the certificate allows bad guys to man-in-the-middle the communication without you knowing it. Disabling verification makes the communication insecure. Just having encryption on a transfer is not enough as you cannot be sure that you are communicating with the correct end-point. CURLOPT_SSL_VERIFYHOST option. http://curl.haxx.se/libcurl/c/CURLOPT_SSL_VERIFYHOST.html When the verify value is 0, the connection succeeds regardless of the names in the certificate. Use that ability with caution! --- MItM in libraries/Config.class.php --- Let's see libraries/Config.class.php file ------------------------------- https://github.com/phpmyadmin/phpmyadmin/blob/master/libraries/Config.class.php ... // check if commit exists in Github if ($commit !== false && isset($_SESSION['PMA_VERSION_REMOTECOMMIT_' . $hash]) ) { $is_remote_commit = $_SESSION['PMA_VERSION_REMOTECOMMIT_' . $hash]; } else { $link = 'https://api.github.com/repos/phpmyadmin/phpmyadmin/git/commits/' . $hash; $is_found = $this->checkHTTP($link, ! $commit); ... $link = 'https://api.github.com/repos/phpmyadmin/phpmyadmin' . '/git/trees/' . $branch; $is_found = $this->checkHTTP($link); ... ------------------------------- where checkHTTP() is vulnerable for MItM attack https://cwe.mitre.org/data/definitions/295.html ------------------------------- ... function checkHTTP($link, $get_body = false) { if (! function_exists('curl_init')) { return null; } $ch = curl_init($link); curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 0); curl_setopt($ch, CURLOPT_HEADER, 1); curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0); <=============== MItM curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0); <=============== MItM curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 5); curl_setopt($ch, CURLOPT_USERAGENT, 'phpMyAdmin/' . PMA_VERSION); curl_setopt($ch, CURLOPT_TIMEOUT, 5); if (! defined('TESTSUITE')) { session_write_close(); } $data = @curl_exec($ch); if (! defined('TESTSUITE')) { ini_set('session.use_only_cookies', '0'); ini_set('session.use_cookies', '0'); ini_set('session.use_trans_sid', '0'); ini_set('session.cache_limiter', 'nocache'); session_start(); } if ($data === false) { return null; } $httpOk = 'HTTP/1.1 200 OK'; $httpNotFound = 'HTTP/1.1 404 Not Found'; ... ------------------------------- Example target URL: https://api.github.com/repos/phpmyadmin/phpmyadmin/git/trees/master --- Credit --- Issue discovered by Maksymilian Arciemowicz from http://cxsecurity.com by using cIFrex (static code analysis tool http://cifrex.org ). --- Patch --- http://www.phpmyadmin.net/home_page/security/PMASA-2015-3.php

References:

http://www.phpmyadmin.net/home_page/security/PMASA-2015-3.php
https://github.com/phpmyadmin/phpmyadmin/commit/5ebc4daf131dd3bd646326267f3e765d0249bbb4
http://cifrex.org/?scanIt


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2018, cxsecurity.com

 

Back to Top