After looking into several sources, I've found the following: 6. IMPACT
Attackers can compromise currently logged-in user session and inject arbitrary SQL statements (CREATE,INSERT,UPDATE,DELETE) via crafted XSS payloads. Which I presume means it affects the system only with a registered (and a logged in) account. I don't mean to boss you or anyone around, but why wasn't that detail well written around? Surely I won't risk wasting time fixing a possible bad patch when it doesn't affect my install in the least (since it's only me that is using phpMyAdmin). I'm usually quite paranoid about security, but I don't want to risk wasting unnecessary time espeially considering it doesn't affect my security at all. I'm not trying to nitpick or anything, but if I were you, I'd make it a point to make the real impact well known, unless the vulnerabilities have been published in the interest of popularity rather than true concern. Cheers, Christian Sciberras. On Wed, Aug 25, 2010 at 8:29 PM, YGN Ethical Hacker Group <[email protected]>wrote: > Did you read the advisory that contains vendor advisory link - > http://www.phpmyadmin.net/home_page/security/PMASA-2010-5.php ? > > > > > On Sat, Aug 21, 2010 at 12:46 AM, Christian Sciberras <[email protected]> > wrote: > > Since I didn't see this mentioned even on their website, (phpmyadmin.net), > I > > would like to ask, are these vulnerabilities existent in world-public OR > > registered users part (OR both)? > > > > Regards, > > Chris. > > > > > > > > > > > > > > On Fri, Aug 20, 2010 at 6:32 PM, YGN Ethical Hacker Group < > [email protected]> > > wrote: > >> > >> > >> > ============================================================================== > >> phpMyAdmin 3.3.5 / 2.11.10 <= Cross Site Scripting (XSS) Vulnerability > >> > >> > ============================================================================== > >> > >> > >> 1. OVERVIEW > >> > >> The phpMyAdmin web application was vulnerable to Cross Site Scripting > >> vulnerability. > >> > >> > >> 2. PRODUCT DESCRIPTION > >> > >> phpMyAdmin is a free software tool written in PHP intended to handle > >> the administration of MySQL over the World Wide Web. > >> phpMyAdmin supports a wide range of operations with MySQL. > >> The most frequently used operations are supported by the user > >> interface (managing databases, tables, fields, relations, > >> indexes, users, permissions, etc), while you still have the ability to > >> directly execute any SQL statement. > >> > >> > >> 3. VULNERABILITY DESCRIPTION > >> > >> Some URLs in phpMyAdmin do not properly escape user inputs that lead > >> to cross site scripting vulnerability. > >> For more information about this kind of vulnerability, see OWASP Top > >> 10 - A2, WASC-8 and > >> CWE-79: Improper Neutralization of Input During Web Page Generation > >> ('Cross-site Scripting'). > >> > >> > >> 4. VERSIONS AFFECTED > >> > >> phpMyAdmin 3.3.5 and lower > >> phpMyAdmin 2.11.10 and lower > >> > >> > >> 5. PROOF-OF-CONCEPT/EXPLOIT > >> > >> > >> > http://yehg.net/lab/pr0js/advisories/phpmyadmin/3.3.5/xss/db_sql.php-01.jpg > >> > >> > http://yehg.net/lab/pr0js/advisories/phpmyadmin/3.3.5/xss/db_sql.php-02.jpg > >> > >> > http://yehg.net/lab/pr0js/advisories/phpmyadmin/3.3.5/xss/db_structure.php-01.jpg > >> > >> > http://yehg.net/lab/pr0js/advisories/phpmyadmin/3.3.5/xss/db_structure.php-02.jpg > >> > >> > http://yehg.net/lab/pr0js/advisories/phpmyadmin/3.3.5/xss/server_databases.php-01.jpg > >> > >> > http://yehg.net/lab/pr0js/advisories/phpmyadmin/3.3.5/xss/server_databases.php-02.jpg > >> > >> > http://yehg.net/lab/pr0js/advisories/phpmyadmin/3.3.5/xss/server_privileges.php-01.jpg > >> > >> > http://yehg.net/lab/pr0js/advisories/phpmyadmin/3.3.5/xss/server_privileges.php-02.jpg > >> > http://yehg.net/lab/pr0js/advisories/phpmyadmin/3.3.5/xss/sql.php-01.jpg > >> > http://yehg.net/lab/pr0js/advisories/phpmyadmin/3.3.5/xss/sql.php-02.jpg > >> > >> And full list of URLs (of both <probably> unexploitable/exploitable) > >> that fail to html escape user inputs: > >> > >> UR: http://target/phpmyadmin/db_search.php > >> Affected Parameter(s): field_str > >> > >> URL: http://target/phpmyadmin/db_sql.php > >> Affected Parameter(s): QUERY_STRING, delimiter > >> > >> URL: http://target/phpmyadmin/db_structure.php > >> Affected Parameter(s): sort > >> > >> URL: http://target/phpmyadmin/js/messages.php > >> Affected Parameter(s): db > >> > >> URL: http://target/phpmyadmin/server_databases.php > >> Affected Parameter(s): sort_by > >> > >> URL: http://target/phpmyadmin/server_privileges.php > >> Affected Parameter(s): QUERY_STRING, checkprivs, dbname, > >> pred_tablename, selected_usr[], tablename , username > >> > >> URL: http://target/phpmyadmin/setup/config.php > >> Affected Parameter(s): DefaultLang > >> > >> URL: http://target/phpmyadmin/sql.php > >> Affected Parameter(s): QUERY_STRING, cpurge, > >> goto,purge,purgekey,table,zero_rows > >> > >> URL: http://target/phpmyadmin/tbl_replace.php > >> Affected (Dynamic) Parameter(s): > >> fields[multi_edit][0][f7235a61fdc3adc78d866fd8085d44db], > >> fields_name[multi_edit][0][349e686330723975502e9ef4f939a5ac] > >> > >> > >> 6. IMPACT > >> > >> Attackers can compromise currently logged-in user session and inject > >> arbitrary SQL statements (CREATE,INSERT,UPDATE,DELETE) > >> via crafted XSS payloads. > >> > >> > >> 7. SOLUTION > >> > >> Upgrade to phpMyAdmin 3.3.5.1 or 2.11.10.1 > >> > >> > >> 8. VENDOR > >> > >> phpMyAdmin (http://www.phpmyadmin.net) > >> > >> > >> 9. CREDIT > >> > >> This vulnerability was discovered by Aung Khant, http://yehg.net, YGN > >> Ethical Hacker Group, Myanmar. > >> > >> > >> 10. DISCLOSURE TIME-LINE > >> > >> 08-09-2010: vulnerability discovered > >> 08-10-2010: notified vendor > >> 08-20-2010: vendor released fix > >> 08-20-2010: vulnerability disclosed > >> > >> > >> 11. REFERENCES > >> > >> Vendor Advisory URL: > >> http://www.phpmyadmin.net/home_page/security/PMASA-2010-5.php > >> Original Advisory URL: > >> > >> > http://yehg.net/lab/pr0js/advisories/phpmyadmin/[phpmyadmin-3.3.5]_cross_site_scripting(XSS)<http://yehg.net/lab/pr0js/advisories/phpmyadmin/[phpmyadmin-3.3.5]_cross_site_scripting%28XSS%29> > >> Previous Release: > >> http://www.phpmyadmin.net/home_page/security/PMASA-2008-6.php > >> XSS FAQ: http://www.cgisecurity.com/xss-faq.html > >> OWASP Top 10: > >> http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project > >> CWE-79: http://cwe.mitre.org/data/definitions/79.html > >> > >> > >> #yehg [08-20-2010] > >> > >> > >> > >> --------------------------------- > >> Best regards, > >> YGN Ethical Hacker Group > >> Yangon, Myanmar > >> http://yehg.net > >> Our Lab | http://yehg.net/lab > >> Our Directory | http://yehg.net/hwd > >> > >> _______________________________________________ > >> Full-Disclosure - We believe in it. > >> Charter: http://lists.grok.org.uk/full-disclosure-charter.html > >> Hosted and sponsored by Secunia - http://secunia.com/ > > > > >
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
