邪恶八进制信息安全团队技术讨论组's Archiver

ziqi 2005-12-18 12:28

[转载]phpMyAdmin server_privileges.php SQL Injection Vulnerabilities

文章作者:Alice Bryson
信息来源:abryson bytefocus com

[color=red][b]I. BACKGROUND[/b][/color]
phpMyAdmin is a tool written in PHP intended to handle the administration of MySQL over the Web.

[color=red][b]II. DESCRIPTION[/b][/color]
phpMyAdmin server_privileges.php is prone to SQL Injection vulnerability. A remote attacker may execute arbitrary SQL command by sending specially-crafted URI to server_privileges.php db_name or checkprivs parameter.

[color=red][b]III. PUBLISH DATE[/b][/color]
2005-12-7

[color=red][b]IV. AUTHOR[/b][/color]
lwang (at) lwang (dot) org [email concealed]

[color=red][b]V. AFFECTED SOFTWARE[/b][/color]
phpMyAdmin 2.7.0 is confirmed to affected. [u]Older versions [/u] may also be affected.
The following vendors distribute vulnerable phpMyAdmin package:
The FreeBSD Project
Gentoo Foundation
Novell, Inc. (SuSE)
The Debian Project (SuSE)

[color=red][b]VI. ANALYSIS[/b][/color]
in server_privileges.php
line 27:
[code]if ( isset( $dbname ) ) {
//if ( preg_match( '/\\\\(?:_|%)/i', $dbname ) ) {
if ( preg_match( &#39;/(?<!\\\\)(?:_|%)/i&#39;, $dbname ) ) {
$dbname_is_wildcard = true;
} else {
$dbname_is_wildcard = false;
}
}
parameter $dbname is not validate properly.[/code]
line 1197:
[code]if (isset($viewing_mode) && $viewing_mode == &#39;db&#39;) {
$db = $checkprivs;
$url_query .= &#39;&goto=db_operations.php&#39;;

// Gets the database structure
$sub_part = &#39;_structure&#39;;
require(&#39;./db_details_db_info.php&#39;);
echo "\n";
} else {
require(&#39;./server_links.inc.php&#39;);
}[/code]
line 1241:
[code]if ( empty( $adduser ) && empty( $checkprivs ) ) {[/code]

parameter $checkprivs not validate properly.

[color=red][b]VII. Proof of Concept[/b][/color]
[url]http://victim/phpmyadmin/server_privileges.php?server=1&checkprivs=[/url]&#39;
[url]http://victim/phpmyadmin/server_privileges.php?server=1&hostname=[/url]&#39;&usern
ame=1&dbname=1&tablename=1

[color=red][b]VIII. SOLUTION[/b][/color]
I have not contact the vendor, and no aware of any security patch till now.

[color=red][b]IX. REFERENCE [/b] [/color]
[url]http://www.phpmyadmin.net[/url]

charley 2005-12-18 16:56

如果要验证的话。怎么弄。。。。

页: [1]
© 1999-2008 EvilOctal Security Team