Advisory 16/2005: phpMyAdmin Local File Inclusion Vulnerability



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Hardened-PHP Project
www.hardened-php.net

-= Security Advisory =-



Advisory: phpMyAdmin Local File Inclusion Vulnerability
Release Date: 2005/10/22
Last Modified: 2005/10/22
Author: Stefan Esser [sesser@hardened-php.net]

Application: phpMyAdmin <= 2.6.4-pl2
Severity: A design flaw within phpMyAdmin allows inclusion
of arbitrary files, which usually leads to remote
code execution
Risk: Critical
Vendor Status: Vendor has released an updated version
References: http://www.hardened-php.net/advisory_162005.73.html


Overview:

Quote from www.phpmyadmin.net:
"phpMyAdmin is a tool written in PHP intended to handle the
administration of MySQL over the Web. Currently it can create
and drop databases, create/drop/alter tables, delete/edit/add
fields, execute any SQL statement, manage keys on fields, manage
privileges,export data into various formats and is available
in 50 languages."

And audit of phpMyAdmin revealed a design flaw in the way
phpMyAdmin includes it's register_globals compatibility layer,
that allows inclusion of arbitrary local files, which usually
leads to remote code execution.

*** NOTE: This vulnerability is not exploitable if you are
running PHP with our Hardening-Patch applied


Details:

phpMyAdmin comes with a register_globals emulation layer within
grab_globals.php, to ensure compatibility with hosts where this
feature is turned off. This file is usually included at the very
beginning, so that globalizing the request variables does not
overwrite already used script variables. When the _GET and _POST
variables are extracted it is even ensured, that certain names
cannot be overwritten. This safety checks are not in effect, when
the _FILES array, which holds information about uploaded files,
is merged into the global namespace.

Unfortunately phpMyAdmin comes with a few files that were not meant
to be called directly and that do not include grab_globals.php but
common.lib.php in the beginning. This results f.e. in the following
include tree:

- db_details_db_info.php
\___ libraries/common.lib.php
\___ libraries/select_lang.lib.php
\ \___ libraries/grab_globals.php
\ \___ lang/a-language.inc.php
\___ ...

From this one can see, that grab_globals.php will be included by
select_lang.lib.php, if it is not included in the very beginning.
This has the bad side effect, that the globalisation of the request
variables is executed *after* common.lib.php has loaded the $cfg
configuration array. In combination with the fact, that the _FILES
array is not protected against keys with the name 'cfg', it is
possible to overwrite the content of the configuration array in
a way, that empties the content of the $cfg['ThemePath'] variable.
This variable contains the path to a directory, that contains the
supported themes. With the same overwrite it is possible to fill
the variable $cfg['ThemeManager'] with a value, which evaluates to
true.

The idea behind this overwrite is to exploit an include statement
which tries to verify the existance of a theme, selected through
f.e. a supplied cookie variable:

@include($cfg['ThemePath'].'/'.$GLOBALS['theme'].'/info.inc.php');

Due to the fact, that $cgf['ThemePath'] is empty and the global
variable theme is filled with the content of a user supplied
cookie, it is possible to use either a %00 or a realpath()
truncation attack on the include filename to include any file,
that can be accessed by the webserver.

At this point a few things have to be noted:

1) When reading the theme name from the cookie directory the
value is sanitizied against directory traversal attacks
by removing .. from the filename. However the attack
described here results in an absolute filepath beeing
included, therefore any protection against directory
traversal attacks is worthless.

2) A %00 filename truncation attack will only work if
magic_quotes_gpc is turned off, which is however the
recommended setting. A realpath() truncation attack on
the other hand will only work agains malfunctional
realpath() implementation, which can be found in f.e.
older OpenBSD versions.

3) This vulnerability *cannot* be exploited, when your server
uses our PHP Hardening-Patch, because it has a build in
protection against such include-filename truncation
attacks.


Proof of Concept:

The Hardened-PHP project is not going to release exploits for
this vulnerability to the public.


Disclosure Timeline:

15. October 2005 - Contacted phpMyAdmin developers by email
21. October 2005 - Vendor notifies me about planned release
22. October 2005 - Release of new phpMyAdmin version
22. October 2005 - Public Disclosure


Recommendation:

It is strongly recommended to upgrade to the new version of
phpMyAdmin which you can download at:

http://www.phpmyadmin.net/home_page/downloads.php


GPG-Key:

http://www.hardened-php.net/hardened-php-signature-key.asc

pub 1024D/0A864AA1 2004-04-17 Hardened-PHP Signature Key
Key fingerprint = 066F A6D0 E57E 9936 9082 7E52 4439 14CC 0A86 4AA1


Copyright 2005 Stefan Esser. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQFDWki0RDkUzAqGSqERAn2tAJ9obBXrgmTnYhuE9/jfxddfHbCrhwCggf8T
11j2W1NBEeiMg7IIgCmVjxg=
=VqEK
-----END PGP SIGNATURE-----
© Hardened PHP Project