Did you read the advisory that contains vendor advisory link - http://www.phpmyadmin.net/home_page/security/PMASA-2010-5.php ?
On Sat, Aug 21, 2010 at 12:46 AM, Christian Sciberras <[email protected]> wrote: > Since I didn't see this mentioned even on their website, (phpmyadmin.net), I > would like to ask, are these vulnerabilities existent in world-public OR > registered users part (OR both)? > > Regards, > Chris. > > > > > > > On Fri, Aug 20, 2010 at 6:32 PM, YGN Ethical Hacker Group <[email protected]> > wrote: >> >> >> ============================================================================== >> phpMyAdmin 3.3.5 / 2.11.10 <= Cross Site Scripting (XSS) Vulnerability >> >> ============================================================================== >> >> >> 1. OVERVIEW >> >> The phpMyAdmin web application was vulnerable to Cross Site Scripting >> vulnerability. >> >> >> 2. PRODUCT DESCRIPTION >> >> phpMyAdmin is a free software tool written in PHP intended to handle >> the administration of MySQL over the World Wide Web. >> phpMyAdmin supports a wide range of operations with MySQL. >> The most frequently used operations are supported by the user >> interface (managing databases, tables, fields, relations, >> indexes, users, permissions, etc), while you still have the ability to >> directly execute any SQL statement. >> >> >> 3. VULNERABILITY DESCRIPTION >> >> Some URLs in phpMyAdmin do not properly escape user inputs that lead >> to cross site scripting vulnerability. >> For more information about this kind of vulnerability, see OWASP Top >> 10 - A2, WASC-8 and >> CWE-79: Improper Neutralization of Input During Web Page Generation >> ('Cross-site Scripting'). >> >> >> 4. VERSIONS AFFECTED >> >> phpMyAdmin 3.3.5 and lower >> phpMyAdmin 2.11.10 and lower >> >> >> 5. PROOF-OF-CONCEPT/EXPLOIT >> >> >> http://yehg.net/lab/pr0js/advisories/phpmyadmin/3.3.5/xss/db_sql.php-01.jpg >> >> http://yehg.net/lab/pr0js/advisories/phpmyadmin/3.3.5/xss/db_sql.php-02.jpg >> >> http://yehg.net/lab/pr0js/advisories/phpmyadmin/3.3.5/xss/db_structure.php-01.jpg >> >> http://yehg.net/lab/pr0js/advisories/phpmyadmin/3.3.5/xss/db_structure.php-02.jpg >> >> http://yehg.net/lab/pr0js/advisories/phpmyadmin/3.3.5/xss/server_databases.php-01.jpg >> >> http://yehg.net/lab/pr0js/advisories/phpmyadmin/3.3.5/xss/server_databases.php-02.jpg >> >> http://yehg.net/lab/pr0js/advisories/phpmyadmin/3.3.5/xss/server_privileges.php-01.jpg >> >> http://yehg.net/lab/pr0js/advisories/phpmyadmin/3.3.5/xss/server_privileges.php-02.jpg >> http://yehg.net/lab/pr0js/advisories/phpmyadmin/3.3.5/xss/sql.php-01.jpg >> http://yehg.net/lab/pr0js/advisories/phpmyadmin/3.3.5/xss/sql.php-02.jpg >> >> And full list of URLs (of both <probably> unexploitable/exploitable) >> that fail to html escape user inputs: >> >> UR: http://target/phpmyadmin/db_search.php >> Affected Parameter(s): field_str >> >> URL: http://target/phpmyadmin/db_sql.php >> Affected Parameter(s): QUERY_STRING, delimiter >> >> URL: http://target/phpmyadmin/db_structure.php >> Affected Parameter(s): sort >> >> URL: http://target/phpmyadmin/js/messages.php >> Affected Parameter(s): db >> >> URL: http://target/phpmyadmin/server_databases.php >> Affected Parameter(s): sort_by >> >> URL: http://target/phpmyadmin/server_privileges.php >> Affected Parameter(s): QUERY_STRING, checkprivs, dbname, >> pred_tablename, selected_usr[], tablename , username >> >> URL: http://target/phpmyadmin/setup/config.php >> Affected Parameter(s): DefaultLang >> >> URL: http://target/phpmyadmin/sql.php >> Affected Parameter(s): QUERY_STRING, cpurge, >> goto,purge,purgekey,table,zero_rows >> >> URL: http://target/phpmyadmin/tbl_replace.php >> Affected (Dynamic) Parameter(s): >> fields[multi_edit][0][f7235a61fdc3adc78d866fd8085d44db], >> fields_name[multi_edit][0][349e686330723975502e9ef4f939a5ac] >> >> >> 6. IMPACT >> >> Attackers can compromise currently logged-in user session and inject >> arbitrary SQL statements (CREATE,INSERT,UPDATE,DELETE) >> via crafted XSS payloads. >> >> >> 7. SOLUTION >> >> Upgrade to phpMyAdmin 3.3.5.1 or 2.11.10.1 >> >> >> 8. VENDOR >> >> phpMyAdmin (http://www.phpmyadmin.net) >> >> >> 9. CREDIT >> >> This vulnerability was discovered by Aung Khant, http://yehg.net, YGN >> Ethical Hacker Group, Myanmar. >> >> >> 10. DISCLOSURE TIME-LINE >> >> 08-09-2010: vulnerability discovered >> 08-10-2010: notified vendor >> 08-20-2010: vendor released fix >> 08-20-2010: vulnerability disclosed >> >> >> 11. REFERENCES >> >> Vendor Advisory URL: >> http://www.phpmyadmin.net/home_page/security/PMASA-2010-5.php >> Original Advisory URL: >> >> http://yehg.net/lab/pr0js/advisories/phpmyadmin/[phpmyadmin-3.3.5]_cross_site_scripting(XSS) >> Previous Release: >> http://www.phpmyadmin.net/home_page/security/PMASA-2008-6.php >> XSS FAQ: http://www.cgisecurity.com/xss-faq.html >> OWASP Top 10: >> http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project >> CWE-79: http://cwe.mitre.org/data/definitions/79.html >> >> >> #yehg [08-20-2010] >> >> >> >> --------------------------------- >> Best regards, >> YGN Ethical Hacker Group >> Yangon, Myanmar >> http://yehg.net >> Our Lab | http://yehg.net/lab >> Our Directory | http://yehg.net/hwd >> >> _______________________________________________ >> Full-Disclosure - We believe in it. >> Charter: http://lists.grok.org.uk/full-disclosure-charter.html >> Hosted and sponsored by Secunia - http://secunia.com/ > > _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
