=================================================================================== phpMyAdmin 3.4.x, 3.4.0 beta 2 <= Stored Cross Site Scripting (XSS) Vulnerability =================================================================================== 1. OVERVIEW The phpMyAdmin web application 3.4.0 beta 2 and lower versions of 3.4.x were vulnerable to Cross Site Scripting. 2. PRODUCT DESCRIPTION phpMyAdmin is a free software tool written in PHP intended to handle the administration of MySQL over the World Wide Web. phpMyAdmin supports a wide range of operations with MySQL. The most frequently used operations are supported by the user interface (managing databases, tables, fields, relations, indexes, users, permissions, etc), while you still have the ability to directly execute any SQL statement. 3. VULNERABILITY DESCRIPTION The 'db' parameter in phpMyAdmin was not sanitized and an attacker can inject XSS string in 'db' field when creating or renaming a database. An attacker can create new database name or rename database name through several means like SQL Injection in user's vulnerable web applications or compromise of user account through brute-force or bypassing CSRF protection. Even though the phpMyAdmin uses httpOnly as a protection against cookie theft via XSS, attacker could use XSS tunneling proxy to manipulate database names and fields. From it, he could execute arbitrary database commands to allow him higher access to the server. 4. VERSIONS AFFECTED phpMyAdmin 3.4.0 beta 2 and lower versions of 3.4.x Vendor confirmed this flaw did not exist before the 3.4 version family. Thus, it is assumed 2.x and 3.3 <= versions are not affected. 5. PROOF-OF-CONCEPT/EXPLOIT http://demo.phpmyadmin.net/trunk-config/index.php?db=%27%22--%3E%3C%2Fscript%3E%3Cscript%3Ealert%28%2FXSS%2F%29%3C%2Fscript%3E http://yehg.net/lab/pr0js/advisories/phpmyadmin/3.4.0-b2-xss.jpg 6. IMPACT Attackers can compromise currently logged-in user session, plant xss backdoors and inject arbitrary SQL statements (CREATE,INSERT,UPDATE,DELETE) via crafted XSS payloads. 7. SOLUTION For those who're using version phpMyAdmin 3.4.0 beta 2 and lower, check out the latest commit (git pull). 8. VENDOR phpMyAdmin (http://www.phpmyadmin.net) 9. CREDIT This vulnerability was discovered by Aung Khant, http://yehg.net, YGN Ethical Hacker Group, Myanmar. 10. DISCLOSURE TIME-LINE 2011-01-26: notified vendor 2011-01-26: vendor released fix 2011-01-27: vulnerability disclosed 11. REFERENCES Vendor Commit: http://phpmyadmin.git.sourceforge.net/git/gitweb.cgi?p=phpmyadmin/phpmyadmin;a=commit;h=f57daa0a59a0058a4b3be1bbdf1577b59d7d697a Original Advisory URL: http://yehg.net/lab/pr0js/advisories/phpmyadmin/[phpmyadmin-3.4.0-beta2]_cross_site_scripting(XSS) CWE-79: http://cwe.mitre.org/data/definitions/79.html Previous Releases: http://www.phpmyadmin.net/home_page/security/PMASA-2010-6.php http://www.phpmyadmin.net/home_page/security/PMASA-2010-5.php http://www.phpmyadmin.net/home_page/security/PMASA-2008-5.php http://www.phpmyadmin.net/home_page/security/PMASA-2008-6.php #yehg [2011-01-27] --------------------------------- Best regards, YGN Ethical Hacker Group Yangon, Myanmar http://yehg.net Our Lab | http://yehg.net/lab Our Directory | http://yehg.net/hwd _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/