[转载]phpMyAdmin server_privileges.php SQL Injection Vulnerabilities

ziqi

荣誉会员

Rank: 6 Rank: 6 Rank: 6

E.S.T论坛贵宾

帖子: 80
精华: 12
积分: 3357
阅读权限: 100
性别: 男
来自: 桂林
在线时间: 13 小时
注册时间: 2004-7-9
最后登录: 2007-7-10

发短消息
加为好友
当前离线

楼主大中小发表于 2005-12-18 12:28 只看该作者

[转载]phpMyAdmin server_privileges.php SQL Injection Vulnerabilities

文章作者：Alice Bryson
信息来源：abryson bytefocus com

I. BACKGROUND
phpMyAdmin is a tool written in PHP intended to handle the administration of MySQL over the Web.

II. DESCRIPTION
phpMyAdmin server_privileges.php is prone to SQL Injection vulnerability. A remote attacker may execute arbitrary SQL command by sending specially-crafted URI to server_privileges.php db_name or checkprivs parameter.

III. PUBLISH DATE
2005-12-7

IV. AUTHOR
lwang (at) lwang (dot) org [email concealed]

V. AFFECTED SOFTWARE
phpMyAdmin 2.7.0 is confirmed to affected. Older versions may also be affected.
The following vendors distribute vulnerable phpMyAdmin package:
The FreeBSD Project
Gentoo Foundation
Novell, Inc. (SuSE)
The Debian Project (SuSE)

VI. ANALYSIS
in server_privileges.php
line 27:

复制内容到剪贴板

代码:

if ( isset( $dbname ) ) {

//if ( preg_match( &#39;/\\\\(?:_|%)/i&#39;, $dbname ) ) {

if ( preg_match( &#39;/(?<!\\\\)(?:_|%)/i&#39;, $dbname ) ) {

$dbname_is_wildcard = true;

} else {

$dbname_is_wildcard = false;

}

}

parameter $dbname is not validate properly.

line 1197:

复制内容到剪贴板

代码:

if (isset($viewing_mode) && $viewing_mode == &#39;db&#39;) {

$db = $checkprivs;

$url_query .= &#39;&goto=db_operations.php&#39;;



// Gets the database structure

$sub_part = &#39;_structure&#39;;

require(&#39;./db_details_db_info.php&#39;);

echo "\n";

} else {

require(&#39;./server_links.inc.php&#39;);

}

line 1241:

复制内容到剪贴板

代码:

if ( empty( $adduser ) && empty( $checkprivs ) ) {

parameter $checkprivs not validate properly.

VII. Proof of Concept
http://victim/phpmyadmin/server_ ... r=1&checkprivs='
http://victim/phpmyadmin/server_ ... ver=1&hostname='&usern
ame=1&dbname=1&tablename=1

VIII. SOLUTION
I have not contact the vendor, and no aware of any security patch till now.

IX. REFERENCE
http://www.phpmyadmin.net

TOP

charley

晶莹剔透§烈日灼然

Rank: 1

帖子: 35
精华: 0
积分: 136
阅读权限: 40
在线时间: 105 小时
注册时间: 2005-5-16
最后登录: 2007-3-16

发短消息
加为好友
当前离线

沙发大中小发表于 2005-12-18 16:56 只看该作者

如果要验证的话。怎么弄。。。。

TOP

‹‹ 上一主题 | 下一主题 ››